Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an MX Series Router
Starting with Junos OS Release 14.2, 802.1X on MX Series routers provides LAN access to users who do not have credentials in the RADIUS database. These users, referred to as guests, are authenticated and typically provided with access to the Internet only.
This example describes how to create a guest VLAN and configure 802.1X authentication for it.
Requirements
This example uses the following hardware and software components:
Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.
One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the router, be sure you have:
Configured enhanced LAN mode on the router.
Performed basic bridging and VLAN configuration on the router.
Configured users on the RADIUS authentication server.
Overview and Topology
The MX Series router acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.
Consider an MX Series router that functions as an authenticator port. Interface ge-0/0/10 connects it over the IP network to a RADIUS server. The router is also linked to a conference room through interface ge-0/0/1, to a printer through interface ge-0/0/20, to a hub through interface ge-0/0/8, and to two supplicants (clients) through interfaces ge-0/0/2 and ge-0/0/9 respectively.
Property | Settings
---|---
Router hardware | MX Series router
VLAN name | default
One RADIUS server | Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure this access interface to provide LAN connectivity to visitors in the conference room who are not authenticated by the corporate VLAN.
Configuration of a Guest VLAN That Includes 802.1X Authentication
Procedure
CLI Quick Configuration
To quickly configure a guest VLAN, with 802.1X authentication, copy the following commands and paste them into the switch terminal window:
[edit]
set bridge-domains bridge-domain-name vlan-id 300
set protocols dot1x authenticator interface all guest-bridge-domain bridge-domain-name
Step-by-Step Procedure
To configure a guest VLAN that includes 802.1X authentication on MX Series routers:
Configure the VLAN ID for the guest VLAN:
[edit]
user@switch# set bridge-domains bridge-domain-name vlan-id 300
Configure the guest VLAN under dot1x protocols:
[edit]
user@switch# set protocols dot1x authenticator interface all guest-bridge-domain bridge-domain-name
Results
Check the results of the configuration:
user@switch> show configuration
protocols {
    dot1x {
        authenticator {
            interface {
                all {
                    guest-bridge-domain {
                        bridge-domain-name;
                    }
                }
            }
        }
    }
}
bridge-domains {
    bridge-domain-name {
        vlan-id 300;
    }
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Guest VLAN is Configured
Purpose
Verify that the guest VLAN is created and that a supplicant on an interface has failed authentication and been moved to the guest VLAN.
Action
Use the operational mode commands:
user@switch> show bridge-domain
Instance    Bridging Domain    Type      Primary Table    Active
vs1         dynamic            bridge    bridge.0         2
vs1         guest              bridge    bridge.0         0
vs1         guest-vlan         bridge    bridge.0         0
vs1         vlan_dyn           bridge    bridge.0         0

user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: guest-vlan
  Number of connected supplicants: 1
    Supplicant: user1, 00:00:00:00:13:23
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds
Meaning
The output from the show bridge-domain command shows bridge-domain-name as the name of the VLAN and the VLAN ID as 300.
The output from the show dot1x interface ge-0/0/1.0 detail command displays the bridge domain name, indicating that a supplicant at this interface failed 802.1X authentication and was passed through to the bridge-domain-name.
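As an added operator check (example code, not part of the Juniper documentation), the following Python parses show dot1x interface detail output in the format shown above and reports, per supplicant, whether it was placed in the port's guest VLAN or in a VLAN returned by RADIUS. The sample output, its interface names and supplicant names are constructed for the example.

```python
import re
# Constructed sample in the page's "show dot1x interface detail" format (not a real capture).
SAMPLE_OUTPUT = """\
ge-0/0/1.0
  Guest VLAN member: guest-vlan
    Supplicant: visitor-laptop, 00:00:00:00:13:23
      Operational state: Authenticated
      Authenticated VLAN: guest-vlan
      Reauthentication due in 50 seconds
ge-0/0/2.0
  Guest VLAN member: guest-vlan
    Supplicant: user1, 00:00:00:00:13:24
      Operational state: Authenticated
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
"""
IFACE_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+(?:\.\d+)?$")  # interface header, e.g. ge-0/0/1.0

def parse_dot1x_detail(text):
    """Parse the output into {ifname: {"fields": {...}, "supplicants": [...]}}."""
    ifaces, cur_if, cur_sup = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if IFACE_RE.match(line):  # a new interface block starts
            cur_if = ifaces.setdefault(line, {"fields": {}, "supplicants": []})
            cur_sup = None
        elif cur_if is not None and ":" in line:  # skips "Reauthentication due in ..."
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "Supplicant":  # "Supplicant: user1, 00:00:00:00:13:23"
                name, _, mac = value.partition(",")
                cur_sup = {"name": name.strip(), "mac": mac.strip()}
                cur_if["supplicants"].append(cur_sup)
            elif cur_sup is not None:  # field of the current supplicant
                cur_sup[key] = value
            else:  # field of the interface itself
                cur_if["fields"][key] = value
    return ifaces

def guest_vlan_report(text):
    """One row per supplicant; 'guest' is True if it landed in the port's guest VLAN."""
    rows = []
    for ifname, data in parse_dot1x_detail(text).items():
        guest = data["fields"].get("Guest VLAN member")
        for sup in data["supplicants"]:
            vlan = sup.get("Authenticated VLAN")
            rows.append({"interface": ifname, "supplicant": sup["name"], "mac": sup["mac"],
                         "vlan": vlan, "guest": guest is not None and vlan == guest})
    return rows
```

Rows with guest set to True are the devices that did not pass 802.1X and were passed through to the guest VLAN, which is the population to review when auditing conference-room ports.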