
Understanding 802.1X and VSAs on EX-series Switches

EX-series switches support the configuration of RADIUS attributes specific to Juniper Networks. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS). Through VSAs, you can configure port filtering attributes on the RADIUS server. VSAs are clear text fields sent from the RADIUS server to the switch as a result of 802.1X authentication success or failure. 802.1X authentication prevents unauthorized user access by blocking a supplicant at the port until the supplicant is authenticated by the RADIUS server. The switch interprets the VSAs during authentication and takes the appropriate actions. Implementing port-filtering attributes with 802.1X authentication on the RADIUS server provides a central location that controls LAN access for supplicants.

These attributes specific to Juniper Networks are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636.
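The following added example (not Juniper code) parses the attribute section of a RADIUS reply and extracts the sub-attributes carried under vendor ID 2636, which is useful when checking from a capture what the server actually sends to the switch. It assumes the vendor-type/vendor-length sub-attribute layout recommended by the RADIUS RFC; the vendor type 200, the vendor ID 99999 and all values in the sample are constructed placeholders.

```python
import struct

JUNIPER_VENDOR_ID = 2636   # Juniper Networks ID number, as stated on this page
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type

def iter_attributes(buf):
    """Yield (type, value) for each type/length/value attribute in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        # Length covers the 2-byte header, so it must be >= 2 and fit in buf.
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def juniper_vsas(attrs):
    """Return [(vendor_type, value)] for sub-attributes under vendor ID 2636."""
    found = []
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than Vendor-Id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != JUNIPER_VENDOR_ID:
            continue  # another vendor's VSA; not interpreted here
        # Vendor payload: one or more vendor-type/vendor-length/data entries.
        found.extend(iter_attributes(value[4:]))
    return found

def make_vsa(vendor_id, vendor_type, data):
    """Build one Vendor-Specific attribute (helper for the constructed sample)."""
    sub = bytes([vendor_type, len(data) + 2]) + data
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed sample: vendor type 200 and every value here are placeholders.
SAMPLE = (
    bytes([1, 7]) + b"alice"                                # User-Name
    + make_vsa(JUNIPER_VENDOR_ID, 200, b"example-filter")
    + make_vsa(99999, 1, b"other-vendor")                   # skipped
)

if __name__ == "__main__":
    for vtype, val in juniper_vsas(SAMPLE):
        print(f"Juniper VSA type {vtype}: {val!r}")
```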

As well as configuring port filtering attributes through VSAs, you can apply a port firewall filter that has already been configured on the switch directly to the RADIUS server. Like port filtering attributes, the filter is applied during the 802.1X authentication process, and its actions are applied at the switch port. Adding a port firewall filter to a RADIUS server eliminates the need to add it to multiple ports and switches.

VSAs are only supported for 802.1X single-supplicant configurations—not for multiple-supplicant configurations.
