Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch
802.1X on EX Series switches provides LAN access to users who do not have credentials in the RADIUS database. These users, referred to as guests, are authenticated and typically provided with access to the Internet.
This example describes how to create a guest VLAN and configure 802.1X authentication for it.
Requirements
This example uses the following software and hardware components:
This example also applies to QFX5100 switches.
Junos OS Release 9.0 or later for EX Series switches
One EX Series switch acting as a port access entity (PAE). The interfaces on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you configure guest VLAN authentication, be sure you have:
Performed the initial switch configuration. See Connecting and Configuring an EX Series Switch (CLI Procedure).
Performed basic bridging and VLAN configuration on the switch. See the documentation that describes setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
Note:For more about ELS, see: Using the Enhanced Layer 2 Software CLI
Overview and Topology
As part of IEEE 802.1X port-based network access control (PNAC), you can provide limited network access to supplicants who do not belong to a VLAN authentication group by configuring authentication for a guest VLAN. Typically, guest VLAN access is used to provide Internet access to visitors to a corporate site. However, you can also use the guest VLAN feature to provide access to a VLAN with limited resources to supplicants that fail 802.1X authentication on a corporate LAN.
This figure also applies to QFX5100 switches.
Topology
Figure 1 shows the conference room connected to the switch at interface ge-0/0/1.
| Property | Settings |
|---|---|
Switch hardware |
EX4200 switch, 24 Gigabit Ethernet interfaces: 8 PoE interfaces (ge-0/0/0 through ge-0/0/7) and 16 non-PoE interfaces (ge-0/0/8 through ge-0/0/23) |
VLAN names and tag IDs |
sales, tag 100support, tag 200 guest-vlan, tag 300 |
One RADIUS server |
Backend database connected to the switch through interface ge-0/0/10 |
In this example, access interface ge-0/0/1 provides LAN connectivity in the conference room. Configure this access interface to provide LAN connectivity to visitors in the conference room who are not authenticated by the corporate VLAN.
Configuration of a Guest VLAN That Includes 802.1X Authentication
Procedure
CLI Quick Configuration
To quickly configure a guest VLAN, with 802.1X authentication, copy the following commands and paste them into the switch terminal window:
[edit] set vlans guest-vlan vlan-id 300 set protocols dot1x authenticator interface all guest-vlan guest-vlan
Step-by-Step Procedure
To configure a guest VLAN that includes 802.1X authentication on an EX Series switch:
Configure the VLAN ID for the guest VLAN:
[edit] user@switch# set vlans guest-vlan vlan-id 300
Configure the guest VLAN under dot1x protocol:
[edit] user@switch# set protocols dot1x authenticator interface all guest-vlan guest-vlan
Results
Check the results of the configuration:
user@switch> show configuration
protocols {
dot1x {
authenticator {
interface {
all {
guest-vlan {
guest-vlan;
}
}
}
}
}
}
vlans {
guest-vlan {
vlan-id 300;
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Guest VLAN Is Configured
Purpose
Verify that the guest VLAN is created and that an interface has failed authentication and been moved to the guest VLAN.
On switches running Junos OS for EX Series with support
for ELS, the output for the show vlans command will contain
additional information. If your switch runs software that supports
ELS, see show vlans. For ELS details, see Using the Enhanced Layer 2 Software CLI.
Action
Issue the operational mode commands:
user@switch> show vlans
Name Tag Interfaces
default
ge-0/0/3.0*
dynamic 40
None
guest 30
None
guest—vlan 300
ge-0/0/1.0*
vlan_dyn
None
user@switch> show dot1x interface ge-0/0/1.0 detail
ge-0/0/1.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: guest-vlan
Number of connected supplicants: 1
Supplicant: user1, 00:00:00:00:13:23
Operational state: Authenticated
Authentication method: Guest VLAN
Authenticated VLAN: guest-vlan
Dynamic Filter: match source-dot1q-tag 10 action deny
Session Reauth interval: 60 seconds
Reauthentication due in 50 seconds
Meaning
The output of the show vlans command shows guest-vlan as the name of the VLAN and the VLAN ID as 300.
The output of the show dot1x interface ge-0/0/1.0 detail command displays the Guest VLAN membership field, indicating
that a supplicant at this interface failed 802.1X authentication and
was passed through to the guest-vlan.