Understanding MAC RADIUS Authentication on EX Series Switches
You can configure MAC RADIUS authentication on interfaces of a Juniper Networks EX Series Ethernet Switch to which hosts that are not 802.1X-enabled are connected. You can configure both MAC RADIUS authentication and 802.1X authentication on the same interface, or you can configure either authentication method alone. You can also configure a static MAC bypass list on the switch to specify MAC addresses allowed on the switch without authentication (see Configuring Static MAC Bypass of Authentication (CLI Procedure)).
If 802.1X and MAC RADIUS authentication are both enabled on an interface, the switch first sends an EAPOL request to the connecting host to attempt 802.1X authentication. If the host is an 802.1X-enabled device, it responds and the switch relays a request for authentication to the RADIUS server. If the switch has sent three requests to the client and has received no response, the switch sends a request to the RADIUS server for authentication of the MAC address of the host. (The number of times the switch tries to get an EAPOL response can be configured as can the timeout period between attempts.)
If MAC RADIUS is enabled on an interface and 802.1X is not enabled (by using the mac-radius restrict option), there is no delay while the switch attempts to authenticate the host through 802.1X. Instead, the switch immediately sends a request to the RADIUS server for authentication of the MAC address of the host. If the MAC address of a host is configured as permitted on the RADIUS server, the switch opens LAN access to the host on the switch interface to which it is connected.
Use the mac-radius restrict configuration if you know that only non-802.1X-enabled hosts will connect to an interface and you want to eliminate the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface. When you configure the mac-radius restrict on an interface to eliminate this delay, the switch drops all 802.1X packets. See Configuring MAC RADIUS Authentication (CLI Procedure).