802.1X for MX Series Routers in Enhanced LAN Mode Overview

Starting with Junos OS Release 14.2, IEEE 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access. Support is implemented for controlling access to your network through an MX Series router by using several different authentication methods, such as 802.1X, MAC RADIUS, or a captive portal.

This functionality is supported on the following MPCs on MX240, MX480, and MX960 routers in enhanced LAN mode:

  • MPC4E with two 100-Gigabit Ethernet ports and eight 10-Gigabit Ethernet ports

  • MPC4E with thirty-two 10-Gigabit Ethernet ports

  • MPC3E that contains a 2-port 40-Gigabit Ethernet MIC with QSFP+

  • MPC1E with forty 1-Gigabit Ethernet ports or twenty 1-Gigabit Ethernet ports

You must reboot the router when you configure or delete the enhanced LAN mode on the router. Configuring the network-services lan option implies that the system is running in the enhanced IP mode. When you configure a device to function in MX-LAN mode, only the configuration statements and operational show commands that are supported in this mode are displayed in the CLI. If your configuration file contains parameters that are not supported in MX-LAN mode, you cannot commit those unsupported attributes; you must remove the unsupported settings and then commit the configuration. After the successful CLI commit, a system reboot is required for the attributes to become effective.

Similarly, if you remove the network-services lan statement, the system does not run in MX-LAN mode, so all of the settings that are supported outside of MX-LAN mode are displayed and available for definition in the CLI. If your configuration file contains settings that are supported only in MX-LAN mode, you must remove those attributes before you commit the configuration. After the successful CLI commit, a system reboot is required for the CLI settings to take effect. The Layer 2 Next-Generation CLI configuration settings are supported in MX-LAN mode; as a result, the typical MX Series format of CLI configurations might differ in MX-LAN mode.

This functionality is supported on an MX Series Virtual Chassis combination that functions in enhanced LAN mode (by entering the network-services lan statement at the [edit chassis] hierarchy level). Port-based network access control is supported on MX240, MX480, and MX960 routers with MPCs in both the MX-LAN mode and the non-MX-LAN mode (with other supported network services modes on MPCs on these routers). To configure the IEEE 802.1X port-based network access control (PNAC) protocol on Ethernet interfaces, you must configure the authenticator statement at the [edit protocols authentication-access-control] hierarchy level. You can also configure captive portal authentication on a router so that users connected to the switch are authenticated before being allowed to access the network. You can also configure Junos Pulse Access Control Service as the access policy to authenticate and authorize users connected to the switch for admission to the network and for access to protected network resources by using the uac-policy statement.

How 802.1X Authentication Works

802.1X authentication works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (end device) at the port until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant.

The end device is authenticated in either single mode, single-secure mode, or multiple mode:

  • single—Authenticates only the first end device. All other end devices that connect later to the port are allowed full access without any further authentication. They effectively “piggyback” on the first end device’s authentication.

  • single-secure—Allows only one end device to connect to the port. No other end device is allowed to connect until the first logs out.

  • multiple—Allows multiple end devices to connect to the port. Each end device is authenticated individually.

Network access can be further defined using VLANs and firewall filters, which both act as filters to separate and match groups of end devices to the areas of the LAN they require. For example, you can configure VLANs to handle different categories of authentication failures depending upon:

  • Whether or not the end device is 802.1X-enabled.

  • Whether or not MAC RADIUS authentication has been configured on the switch interfaces to which the hosts are connected.

  • Whether the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. See Configuring RADIUS Server Fail Fallback (CLI Procedure).

802.1X Features Overview

Note: The 802.1X features available on the MX Series routers depend upon which switch you are using.

802.1X features on Juniper Networks MX Series routers are:

  • Guest VLAN—Provides limited access to a LAN, typically just to the Internet, for nonresponsive end devices that are not 802.1X-enabled when MAC RADIUS authentication has not been configured on the switch interfaces to which the hosts are connected. A guest VLAN can also be used to provide limited access to a LAN for guest users. Typically, the guest VLAN provides access just to the Internet and to other guests’ end devices.

  • Server-reject VLAN—Provides limited access to a LAN, typically just to the Internet, for responsive end devices that are 802.1X-enabled but that have sent the wrong credentials.

  • Server-fail VLAN—Provides limited access to a LAN, typically just to the Internet, for 802.1X end devices during a RADIUS server timeout.

  • Dynamic VLAN—Enables an end device, after authentication, to be a member of a VLAN dynamically.

  • Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs).

  • Dynamic changes to a user session—Allows the switch administrator to terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.

  • RADIUS accounting—Sends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription.
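To make the admission logic concrete, the following is an added Python model (not Junos code and not from this page) of an authenticator port applying the single, single-secure and multiple supplicant modes described under "How 802.1X Authentication Works" together with the guest, server-reject and server-fail VLAN fallbacks listed above. The RADIUS outcomes (accept, reject, timeout), the MAC addresses and the VLAN names are constructed stub values.

```python
"""Constructed model of an 802.1X authenticator port (illustrative, not Junos code).

A port blocks frames from a supplicant MAC until the RADIUS server accepts its
credentials. The supplicant modes (single, single-secure, multiple) and the
fallback VLANs (guest, server-reject, server-fail) follow the descriptions in
the text; RADIUS outcomes are passed in as constructed stub values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"   # stub RADIUS results


@dataclass
class Port:
    mode: str                                  # "single", "single-secure", "multiple"
    guest_vlan: Optional[str] = None           # for devices that never send EAPOL
    server_reject_vlan: Optional[str] = None   # for devices RADIUS rejected
    server_fail_vlan: Optional[str] = None     # used while RADIUS is unreachable
    sessions: Dict[str, str] = field(default_factory=dict)  # mac -> assigned VLAN


def authenticate(port: Port, mac: str, radius: Optional[str],
                 dynamic_vlan: Optional[str] = None, eapol: bool = True) -> Optional[str]:
    """Return the VLAN the device is placed in, or None if the port stays blocked."""
    if port.mode == "single" and port.sessions:
        # The first device opened the port; later devices piggyback on its session.
        vlan = next(iter(port.sessions.values()))
        port.sessions[mac] = vlan
        return vlan
    if port.mode == "single-secure" and port.sessions and mac not in port.sessions:
        return None   # one device at a time until the first one logs out
    if not eapol:
        vlan = port.guest_vlan            # non-802.1X device, no MAC RADIUS configured
    elif radius == ACCEPT:
        vlan = dynamic_vlan or "default"  # dynamic VLAN from RADIUS, else port VLAN
    elif radius == REJECT:
        vlan = port.server_reject_vlan    # wrong credentials
    else:
        vlan = port.server_fail_vlan      # RADIUS timeout
    if vlan is not None:
        port.sessions[mac] = vlan         # an unconfigured fallback VLAN means: stay blocked
    return vlan


def logout(port: Port, mac: str) -> None:
    """Tear down a session (supplicant logoff or RADIUS Disconnect-Message)."""
    port.sessions.pop(mac, None)
```

A port with no fallback VLAN configured keeps a rejected or timed-out device blocked, which is the behaviour you get before any of the three fallback VLANs is defined.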

Supported Features Related to 802.1X Authentication

802.1X does not replace other security technologies. 802.1X works together with port security features, such as DHCP snooping, dynamic ARP inspection (DAI), and MAC limiting, to guard against spoofing.

Supported features related to authentication include:

  • Static MAC bypass—Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled (such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X authentication.

  • MAC RADIUS authentication—Provides a means to enable or disable MAC authentication independently of whether 802.1X authentication is enabled.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release: 14.2
Description: Starting with Junos OS Release 14.2, IEEE 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access. Support is implemented for controlling access to your network through an MX Series router by using several different authentication methods, such as 802.1X, MAC RADIUS, or a captive portal.