Example: Connecting a RADIUS Server for 802.1X to an MX Series Router
802.1X is the IEEE standard for Port-Based Network Access Control (PNAC). You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. Starting with Junos OS Release 14.2, you can use a RADIUS server as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.
This example describes how to connect a RADIUS server to an MX Series router, and configure it for 802.1X:
Requirements
This example uses the following hardware and software components:
Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode and Junos OS Release 14.2R3 for all other routers.
One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the router, be sure you have:
Configured enhanced LAN mode on the router.
Performed basic bridging and VLAN configuration on the router.
Configured users on the RADIUS authentication server.
Overview and Topology
The MX Series router acts as an authenticator Port Access Entity (PAE). It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.
Consider an MX Series router that functions as an authenticator port. It is connected using the interface, ge-0/0/10, over the IP network to a RADIUS server. The router is also linked to a conference room using the interface, ge-0/0/1, to a printer using the interface, ge-0/0/20, to a hub using the interface, ge-0/0/8, and to two supplicants or clients over interfaces, ge-0/0/2 and ge-0/0/9 respectively.
Property | Settings |
---|---|
Router hardware |
MX Series router |
VLAN name |
default |
One RADIUS server |
Backend database with an address of 10.0.0.100 connected to the switch at port ge-0/0/10 |
In this example, connect the RADIUS server to access port ge-0/0/10 on the MX Series router. The switch acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS server. You must configure connectivity between the MX Series router and the RADIUS server by specifying the address of the server and configuring the secret password. This information is configured in an access profile on the switch.
Configuration
Procedure
CLI Quick Configuration
To quickly connect the RADIUS server to the switch, copy the following commands and paste them into the switch terminal window:
[edit] set access radius-server 10.0.0.100 secret juniper set access radius-server 10.0.0.200 secret juniper set access profile profile1 authentication-order radius set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Step-by-Step Procedure
To connect the RADIUS server to the switch:
Define the address of the servers, and configure the secret password. The secret password on the switch must match the secret password on the server:
[edit] user@switch# set access radius-server 10.0.0.100 secret juniper user@switch# set access radius-server 10.0.0.200 secret juniper
Configure the authentication order, making radius the first method of authentication:
[edit] user@switch# set access profile profile1 authentication-order radius
Configure a list of server IP addresses to be tried in order to authenticate the supplicant:
[edit] user@switch# set access profile profile1 radius authentication-server [10.0.0.100 10.0.0.200]
Results
Display the results of the configuration:
user@switch> show configuration access radius-server { 10.0.0.100 port 1812; secret "$9$qPT3ApBSrv69rvWLVb.P5"; ## SECRET-DATA } } profile profile1{ authentication-order radius; radius { authentication-server 10.0.0.100 10.0.0.200; } } }
Verification
To confirm that the configuration is working properly, perform these tasks:
Verify That the Switch and RADIUS Server are Properly Connected
Purpose
Verify that the RADIUS server is connected to the switch on the specified port.
Action
Ping the RADIUS server to verify the connection between the switch and the server:
user@switch> ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100): 56 data bytes
64 bytes from 10.93.15.218: icmp_seq=0 ttl=64 time=9.734 ms
64 bytes from 10.93.15.218: icmp_seq=1 ttl=64 time=0.228 ms
Meaning
ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether it is reachable across the IP network. ICMP echo responses are being returned from the server, verifying that the switch and the server are connected.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.