authentication-order (Authenticator)
Syntax
authentication-order [dot1x | mac-radius | captive-portal];
Hierarchy Level
[edit logical-systems name protocols dot1x authenticator interface]
[edit protocols dot1x authenticator interface interface-name]
Description
Configure the preferred order of authentication methods that the device uses when attempting to authenticate a client. If multiple authentication methods are configured on a single interface and one authentication method fails, the device falls back to another method. You can configure the authentication-order statement to specify whether 802.1X authentication or MAC RADIUS authentication must be the first authentication method tried.
By default, the device attempts to authenticate a client by using 802.1X authentication first. If 802.1X authentication fails because there is no response from the client, and MAC RADIUS authentication is configured on the interface, the device falls back to MAC RADIUS authentication. If MAC RADIUS fails, and captive portal is configured on the device, the device falls back to captive portal.
Configuring MAC RADIUS authentication as the first method can help avoid the fallback timeout period that occurs after an 802.1X authentication attempt is made for a host that does not support 802.1X authentication. If MAC RADIUS authentication is configured as the first authentication method on an interface, then on receiving data from any client on that interface, the device attempts to authenticate the client by using MAC RADIUS authentication. If MAC RADIUS authentication fails, the device falls back to 802.1X authentication. If 802.1X authentication fails, and captive portal is configured on the interface, the device falls back to captive portal.
802.1X authentication always has the highest priority, even if a client has been authenticated using another method. If the device receives an EAP packet from a client that has been authenticated using MAC RADIUS authentication, the device acknowledges the EAP packet and upgrades the authentication using 802.1X authentication credentials. Similarly, if a client has been authenticated through fallback to captive portal, and the device receives an EAP packet from that client, the device attempts to authenticate the client by using 802.1X authentication.
The device attempts authentication using only methods that are configured on the interface. If an authentication method is included in the authentication order but is not configured on the interface, the device ignores that method and attempts authentication using the next method in the order that is enabled. However, if a method is enabled on the interface but is not included in the authentication order, the device does not attempt to use that method. For example, if captive portal is enabled for an interface but the authentication order is configured as [mac-radius dot1x], the authentication method for that interface does not fall back to captive portal.
The authentication order can be configured for all interfaces by using the interface all option. If the authentication order is configured for an individual interface, and there is also an authentication order configured for all interfaces, then the order for the individual interface is followed. If there is no authentication order configured for an individual interface, and there is an authentication order configured for all interfaces, then the configuration for all interfaces is followed.
Use the following guidelines when configuring the authentication-order statement:
The authentication order must include at least two methods of authentication.
802.1X authentication must be one of the methods included in the authentication order.
If captive portal is included in the authentication order, it must be the last method in the order.
If mac-radius-restrict is configured on an interface, then the authentication order cannot be configured.
The valid combinations for authentication-order are as follows:
[dot1x mac-radius captive-portal]
[dot1x captive-portal]
[dot1x mac-radius]
[mac-radius dot1x captive-portal]
Default
If authentication-order is not configured, the device attempts to authenticate the client by using 802.1X authentication first, followed by MAC RADIUS authentication, and then captive portal, as follows:
802.1X authentication—If 802.1X is configured on the interface, the device sends EAPoL requests to the end device and attempts to authenticate the end device through 802.1X authentication. If the end device does not respond to the EAP requests, the device checks whether MAC RADIUS authentication is configured on the interface.
MAC RADIUS authentication—If MAC RADIUS authentication is configured on the interface, the device sends the MAC address of the end device to the authentication server. If MAC RADIUS authentication is not configured, the device checks whether captive portal is configured on the interface.
Captive portal authentication—If captive portal is configured on the interface, the device attempts to authenticate the end device by using this method after attempting any other configured authentication methods.
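As an added example (not from the Junos documentation or the device software), the following Python model encodes the configuration guidelines and valid combinations listed above together with the fallback chain described in this Default section. The configured set and the client-behaviour flags are constructed inputs standing in for the interface state.

```python
# Added model of the authentication-order rules on this page; not Junos code.
# Assumptions: "configured" is the set of methods enabled on the interface,
# and the client behaviour flags are constructed test inputs.
METHODS = {"dot1x", "mac-radius", "captive-portal"}
DEFAULT_ORDER = ("dot1x", "mac-radius", "captive-portal")


def validate_order(order, mac_radius_restrict=False):
    """Return the guideline violations for an order (empty list = valid)."""
    problems = []
    if mac_radius_restrict:
        problems.append("authentication-order cannot be set with mac-radius-restrict")
    if any(m not in METHODS for m in order) or len(set(order)) != len(order):
        problems.append("methods must be distinct dot1x/mac-radius/captive-portal")
    if len(order) < 2:
        problems.append("at least two methods are required")
    if "dot1x" not in order:
        problems.append("dot1x must be one of the methods")
    if "captive-portal" in order and order[-1] != "captive-portal":
        problems.append("captive-portal must be the last method")
    return problems


def authenticate(order, configured, responds_to_eap, mac_known, portal_login):
    """Walk the fallback chain. Returns (method that succeeded or None, methods tried).

    A method in the order but not configured on the interface is skipped; a
    method configured but absent from the order is never tried.
    """
    tried = []
    for method in order or DEFAULT_ORDER:  # empty/None order -> default order
        if method not in configured:
            continue
        tried.append(method)
        if method == "dot1x" and responds_to_eap:
            return "dot1x", tried
        if method == "mac-radius" and mac_known:
            return "mac-radius", tried
        if method == "captive-portal" and portal_login:
            return "captive-portal", tried
    return None, tried


def on_eap_packet(current_method, configured):
    """802.1X has the highest priority: an EAP packet from a client already
    authenticated by another method triggers re-authentication via dot1x."""
    return "dot1x" if "dot1x" in configured else current_method
```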
Options
captive-portal—Configure captive portal authentication in the order of authentication methods on the interface.
dot1x—Configure 802.1X authentication in the order of authentication methods on the interface.
mac-radius—Configure MAC RADIUS authentication in the order of authentication methods on the interface.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1R3.