multi-domain
Syntax
multi-domain {
    max-data-session max-data-sessions;
    packet-action (drop-and-log | shutdown);
    recovery-timeout seconds;
}
Hierarchy Level
[edit logical-systems name protocols dot1x authenticator interface], [edit protocols dot1x authenticator interface]
Description
Configure multi-domain authentication to restrict the number of authenticated data and VoIP sessions on the port. Multi-domain authentication is an extension of multiple supplicant mode for 802.1X authentication, and is designed to support VoIP and data clients on the same interface. The interface is divided into two domains; one is the data domain and the other is the voice domain.
In multiple supplicant mode, any number of VoIP or data sessions can be authenticated; the number of sessions can be restricted using MAC limiting, but there is no way to apply the limit specifically to either data or VoIP sessions. Multi-domain authentication maintains separate session counts based on the domain type.
The data device can be authenticated using 802.1X authentication or MAC RADIUS authentication. Multi-domain authentication does not enforce the order of authentication. For best results, the VoIP device should be authenticated before the data device.
You can configure the maximum number of authenticated data sessions allowed on the interface using the max-data-session statement. The number of VoIP sessions is not configurable; only one authenticated VoIP session is allowed.
If a new client attempts to authenticate on the interface after the maximum session count has been reached, the default action is to drop the packet and generate an error log message. You can also configure the action to shut down the interface. The port can be manually recovered from the down state by issuing the clear dot1x recovery-timeout command, or can recover automatically after a recovery timeout period. To configure automatic recovery, use the recovery-timeout option.
Options
max-data-session max-data-sessions | The maximum number of authenticated data sessions allowed in the data domain on the 802.1X-enabled interface.
packet-action (drop-and-log | shutdown) | Specify the action the device should take on packets that exceed the limit of authenticated sessions allowed on the interface. The limit for data sessions is configured using the
recovery-timeout seconds | If you configure the packet action with the shutdown option and you configure the recovery timeout, the interface is temporarily disabled when the maximum number of authenticated sessions is reached. The interface will recover automatically after the number of seconds specified.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 18.3R1.
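The following check is an added example, not part of the Juniper documentation: a Python script that reads configuration in `set` format at either hierarchy level above and flags multi-domain stanzas where shutdown has no recovery-timeout, where recovery-timeout is set without shutdown, or where max-data-session is not set explicitly. The interface names, values, sample configuration, finding codes and audit rules are assumptions made for illustration.

```python
import re

# Constructed sample in Junos "set" format; interface names and values are illustrative.
SAMPLE_CONFIG = """\
set protocols dot1x authenticator interface ge-0/0/1.0 multi-domain max-data-session 2
set protocols dot1x authenticator interface ge-0/0/1.0 multi-domain packet-action shutdown
set protocols dot1x authenticator interface ge-0/0/1.0 multi-domain recovery-timeout 300
set protocols dot1x authenticator interface ge-0/0/2.0 multi-domain packet-action shutdown
set protocols dot1x authenticator interface ge-0/0/3.0 multi-domain max-data-session 1
set logical-systems LS1 protocols dot1x authenticator interface ge-0/0/4.0 multi-domain recovery-timeout 60
"""

# Matches both hierarchy levels listed on the page (with or without logical-systems).
LINE_RE = re.compile(
    r"^set (?:logical-systems (?P<ls>\S+) )?protocols dot1x authenticator "
    r"interface (?P<ifname>\S+) multi-domain"
    r"(?: (?P<key>max-data-session|packet-action|recovery-timeout) (?P<value>\S+))?$"
)

def parse_multi_domain(config_text):
    """Return {(logical_system_or_None, interface): {option: value}}."""
    ports = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            opts = ports.setdefault((m["ls"], m["ifname"]), {})
            if m["key"]:
                opts[m["key"]] = m["value"]
    return ports

def audit(ports):
    """Return (port, code) findings; the rules are this example's own policy."""
    findings = []
    for (ls, ifname), opts in sorted(ports.items(), key=lambda kv: (kv[0][0] or "", kv[0][1])):
        port = f"{ls}:{ifname}" if ls else ifname
        # The page gives drop-and-log as the default action.
        action = opts.get("packet-action", "drop-and-log")
        if action == "shutdown" and "recovery-timeout" not in opts:
            # Port stays down until an operator clears it manually.
            findings.append((port, "SHUTDOWN_NO_AUTO_RECOVERY"))
        if action != "shutdown" and "recovery-timeout" in opts:
            # The page describes recovery-timeout only together with shutdown.
            findings.append((port, "RECOVERY_TIMEOUT_WITHOUT_SHUTDOWN"))
        if "max-data-session" not in opts:
            findings.append((port, "MAX_DATA_SESSION_NOT_EXPLICIT"))
    return findings

if __name__ == "__main__":
    for port, code in audit(parse_multi_domain(SAMPLE_CONFIG)):
        print(f"{port}: {code}")
```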