Understanding Server Fail Fallback and 802.1X Authentication on EX Series Switches
Server fail fallback lets you specify how 802.1X supplicants (hosts) connected to the switch are handled if the RADIUS authentication server becomes unreachable or returns a RADIUS Access-Reject message. (The reject itself is a RADIUS message between the server and the switch; the switch relays the outcome to the supplicant over Extensible Authentication Protocol over LAN, EAPOL.)
Juniper Networks EX Series Ethernet Switches use 802.1X authentication to implement access control in an enterprise network. Supplicants are evaluated by an authentication server when they first connect to your LAN. If the authentication server accepts the supplicant, the EX Series switch opens the interface to the supplicant and permits access to the LAN.
A RADIUS server timeout occurs if no RADIUS authentication server is reachable when a supplicant logs in and attempts to access the LAN. Server fail fallback lets you specify one of four actions to be taken toward supplicants awaiting authentication when the servers time out:
- Permit authentication, allowing traffic to flow from the supplicant through the interface as if the supplicant were successfully authenticated by the RADIUS server.
- Deny authentication, preventing traffic from flowing from the supplicant through the interface. This is the default.
- Move the supplicant to a specified VLAN. (The VLAN must already exist on the switch.)
- Sustain authenticated supplicants that already have LAN access and deny unauthenticated supplicants. If the RADIUS servers time out during reauthentication, previously authenticated supplicants keep their access as though they had been reauthenticated, and new supplicants are denied LAN access.
Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicant’s first attempt at authentication through the RADIUS server.
Server fail fallback also lets you specify that a supplicant be moved to a specified VLAN if the switch receives a RADIUS Access-Reject message for it. The configured VLAN name overrides any VLAN attributes sent by the server. From a security standpoint, note that the permit action turns any RADIUS outage (including one caused by an attacker) into open network access on the affected ports; a quarantine VLAN with restricted reachability, or sustaining only already-authenticated sessions, limits that exposure.
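The following Junos configuration, added here as an example and not taken from the Juniper page, shows each fallback action beside the server-reject VLAN setting. The interface names (ge-0/0/1.0, ge-0/0/2.0), VLAN names and IDs, the RADIUS server address 192.0.2.10 and the profile name dot1x-profile are assumptions chosen for illustration; the lines beginning with # are explanatory and are not part of the set-command syntax.

```junos
# Assumed VLANs; the VLAN named in server-fail or server-reject-vlan must already exist.
set vlans fallback-quarantine vlan-id 900
set vlans reject-quarantine vlan-id 901

# Assumed RADIUS server and 802.1X access profile. Server fail fallback is
# triggered once the timeout/retry budget is exhausted for every configured server.
set access radius-server 192.0.2.10 timeout 5
set access radius-server 192.0.2.10 retry 3
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 192.0.2.10
set protocols dot1x authenticator authentication-profile-name dot1x-profile

# Action 3: on RADIUS timeout, move supplicants on ge-0/0/1.0 to a quarantine VLAN
# instead of opening the port.
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail vlan-name fallback-quarantine

# Server-reject VLAN: a supplicant that the server explicitly rejects (Access-Reject)
# is placed here; this VLAN overrides any VLAN attribute the server may have sent.
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan reject-quarantine

# Action 4: on ge-0/0/2.0, sustain hosts that were already authenticated and deny newcomers.
set protocols dot1x authenticator interface ge-0/0/2.0 server-fail use-cache

# Weak alternative, shown for comparison only (do not combine with the line above):
# permit opens the port to any host whenever RADIUS is unreachable.
# set protocols dot1x authenticator interface ge-0/0/2.0 server-fail permit

# Action 2 (deny) is the default and needs no statement; it is written out here
# only to make the choice explicit on a third port.
set protocols dot1x authenticator interface ge-0/0/3.0 server-fail deny
```

After committing, `show dot1x interface ge-0/0/1.0 detail` reports the configured server-fail fallback action and server-reject VLAN for the port, and `show dot1x interface` shows which VLAN each current supplicant actually landed in, which is the quickest way to confirm that a deliberately unreachable RADIUS server produces the quarantine VLAN rather than an open port.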