authenticator
Syntax
authenticator {
    authentication-profile-name access-profile-name;
    interface (all | [ interface-names ]) {
        authentication-order (captive-portal | dot1x | mac-radius);
        disable;
        guest-bridge-domain guest-bridge-domain;
        guest-vlan guest-vlan;
        ignore-port-bounce;
        mac-radius {
            authentication-protocol {
                eap-md5;
                eap-peap {
                    resume;
                }
                pap;
            }
            flap-on-disconnect;
            restrict;
        }
        maximum-requests number;
        multi-domain {
            max-data-session max-data-session;
            packet-action (drop-and-log | shutdown);
            recovery-timeout seconds;
        }
        (no-reauthentication | reauthentication interval);
        no-tagged-mac-authentication;
        quiet-period seconds;
        redirect-url redirect-url;
        retries (802.1X) number;
        server-fail (bridge-domain bridge-domain | deny | permit | use-cache | vlan-name vlan-name);
        server-fail-voip (deny | permit | use-cache | vlan-name vlan-name);
        server-reject-bridge-domain bridge-domain {
            block-interval seconds;
            eapol-block;
        }
        server-reject-vlan (vlan-id | vlan-name) {
            block-interval block-interval;
            eapol-block;
        }
        server-timeout seconds;
        supplicant (single | single-secure | multiple);
        supplicant-timeout seconds;
        transmit-period seconds;
    }
    ip-mac-session-binding;
    no-mac-table-binding;
    radius-options {
        add-interface-text-description;
        use-vlan-id;
        use-vlan-name;
    }
    static mac-address {
        bridge-domain-assignment bridge-domain-assignment;
        interface interface;
        vlan-assignment vlan-identifier;
    }
}
Description
Specify the group of servers to be used for IEEE 802.1X or MAC RADIUS authentication for Port-Based Network Access Control, configure interfaces for 802.1X authentication, and configure static MAC bypass for 802.1X and MAC RADIUS authentication. 802.1X authentication is supported on interfaces that are members of private VLANs (PVLANs).
You cannot configure 802.1X user authentication on interfaces that have been enabled for Q-in-Q tunneling.
Default
802.1X authentication is disabled.
Options
authentication-profile-name access-profile-name
Specify the name of the access profile to be used for 802.1X or MAC RADIUS user authentication. The access profile is configured at the [edit access profile] hierarchy level and contains the RADIUS server IP address and other information used for authentication.
Note: Access profile configuration is required only for 802.1X clients, not for static MAC clients.

ip-mac-session-binding
Configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out. If the MAC address for the end device is bound to an IP address, then it will be retained in the Ethernet switching table, and the authentication session will remain active. To configure this feature, you must also disassociate the authentication session table from the Ethernet switching table using the
Note: This feature requires DHCP, DHCPv6, or SLAAC snooping to be enabled on the device.

no-mac-table-binding
Specify that the device not remove the session from the authentication session table when the MAC address ages out of the Ethernet switching table.

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
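The three pieces named in the Description (a RADIUS access profile, an interface running 802.1X, and a static MAC bypass entry) combined in one configuration, as an added example that is not from the original page. The [edit protocols dot1x] placement, the profile name, interface names, RADIUS address, shared-secret placeholder, MAC address, and VLAN ID are assumptions constructed for illustration.

```junos
access {
    radius-server 192.0.2.10 {
        /* placeholder: supply the real shared secret */
        secret "REPLACE-WITH-SHARED-SECRET";
    }
    profile dot1x-profile {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            /* access profile from [edit access profile]; needed for 802.1X clients */
            authentication-profile-name dot1x-profile;
            interface ge-0/0/1.0 {
                /* authenticate each end device on the port individually */
                supplicant multiple;
                /* also allow MAC RADIUS authentication on this port */
                mac-radius;
                /* re-authenticate clients every 3600 seconds */
                reauthentication 3600;
                /* deny access when the RADIUS server cannot be reached */
                server-fail deny;
            }
            /* keep the session when the MAC ages out of the Ethernet switching table */
            no-mac-table-binding;
            /* static MAC bypass: this device skips RADIUS; no access profile is required for it */
            static 00:00:5e:00:53:01 {
                interface ge-0/0/2.0;
                vlan-assignment 20;
            }
        }
    }
}
```

A static entry admits any device that presents the listed MAC address, so tie each entry to a single interface and VLAN as shown rather than leaving it unscoped.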
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.0.
no-mac-table-binding introduced in Junos OS Release 11.1.
radius-options introduced in Junos OS Release 12.1.
add-interface-text-description introduced in Junos OS Release 18.4.
ip-mac-session-binding introduced in Junos OS Release 20.2R1.