mac-radius
Syntax
mac-radius {
authentication-protocol {
eap-md5;
eap-peap {
resume;
}
pap;
}
flap-on-disconnect;
restrict;
}
Hierarchy Level
[edit protocols dot1x authenticator interface interface-name]
Description
Configure MAC RADIUS authentication for specific interfaces. MAC RADIUS authentication allows LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the device consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN.
If MAC RADIUS is configured, the device first tries to get a response from the host for 802.1X authentication. If the host is unresponsive, the device attempts to authenticate using MAC RADIUS.
To restrict authentication to MAC RADIUS only, use the restrict option. In restrictive mode, all 802.1X packets are
eliminated and the attached device on the interface is considered
a nonresponsive host.
Options
| flap-on-disconnect | (Optional) When the RADIUS server sends a disconnect message to a
supplicant, the device resets the interface on which the supplicant
is authenticated. If the interface is configured for multiple supplicant
mode, the device resets all the supplicants on the specified interface.
This option takes effect only when the |
| restrict | (Optional)
Restricts authentication to MAC RADIUS only. When |
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
Required Privilege Level
routing—To view this statement in the configuration.routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.3.
flap-on-disconnect introduced in Junos OS Release
9.4.