[an error occurred while processing this directive] [an error occurred while processing this directive]

802.1X for EX Series Switches Overview

IEEE 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access.

How 802.1X Authentication Works

802.1X works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (client) at the port until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant.

The supplicant is authenticated in either single mode, single-secure mode, or multiple mode:

  • single—Authenticates only the first supplicant. All other supplicants who connect later to the port are allowed full access without any further authentication. They effectively “piggyback” on the first supplicant’s authentication.
  • single-secure—Allows only one supplicant to connect to the port. No other supplicant is allowed to connect until the first supplicant logs out.
  • multiple—Allows multiple supplicants to connect to the port. Each supplicant will be authenticated individually.

Network access can be further defined using VLANs and firewall filters, which both act as filters to separate and match groups of supplicants to the areas of the LAN they require.

802.1X Features Overview

802.1X features on Juniper Networks EX Series Ethernet Switches are:

  • Guest VLAN—Provides limited access to a LAN, typically just to the Internet, for supplicants that fail 802.1X authentication.
  • Dynamic VLAN—Enables a supplicant, after authentication, to be a member of a VLAN dynamically.
  • Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs).
  • Dynamic changes to a user session—Allows the switch administrator to terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.
  • Support for VoIP—Supports IP telephones. If the phone is 802.1X-enabled, it is authenticated like any other supplicant. If the phone is not 802.1X-enabled, but has another 802.1X-compatible device connected to its data port, that device is authenticated, and then VoIP traffic can flow to and from the phone (providing that the interface is configured in single mode and not in single-secure mode).
  • RADIUS accounting—Sends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription.
  • Vendor Specific Attributes (VSAs)—Supports the Juniper-Switching-Filter attribute on the RADIUS authentication server that can be used further define a supplicant's access during the 802.1X authentication process. Centrally configuring VSAs on the authentication server does away with the need to configure these same attributes in the form of firewall filters on every switch in the LAN to which the supplicant may connect to the LAN. This feature is based on RLI 4583, AAA RADIUS BRAS VSA Support.

Supported Features Related to 802.1X Authentication

802.1X does not replace other security technologies. 802.1X works together with port security features, such as DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting, to guard against spoofing.

Supported features related to authentication include:

Published: 2009-07-21

[an error occurred while processing this directive]