Example: Configuring MAC RADIUS Authentication on an MX Series Router
Starting with Junos OS Release 14.2, to permit hosts that are not 802.1X-enabled to access the LAN, you can configure MAC RADIUS authentication on the router interfaces to which those hosts are connected. When MAC RADIUS authentication is configured, the router attempts to authenticate the host with the RADIUS server, using the host's MAC address as the credential.
This example describes how to configure MAC RADIUS authentication for two non-802.1X-enabled hosts.
Requirements
This example uses the following hardware and software components:
Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.
An MX Series router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
A RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
Before you connect the server to the router, be sure you have:
Configured enhanced LAN mode on the router.
Performed basic bridging and VLAN configuration on the router.
Configured users on the RADIUS authentication server.
Overview and Topology
IEEE 802.1X Port-Based Network Access Control (PNAC) authenticates and permits devices access to a LAN if the devices can communicate with the router using the 802.1X protocol (are 802.1X-enabled). To permit non-802.1X-enabled end devices to access the LAN, you can configure MAC RADIUS authentication on the interfaces to which the end devices are connected. When the MAC address of the end device appears on the interface, the router consults the RADIUS server to check whether it is a permitted MAC address. If the MAC address of the end device is configured as permitted on the RADIUS server, the router opens LAN access to the end device.
You can configure both MAC RADIUS authentication and 802.1X authentication on an interface configured for multiple supplicants. Additionally, if an interface is connected only to a non-802.1X-enabled host, you can enable MAC RADIUS authentication without 802.1X authentication by using the mac-radius restrict option, and thus avoid the delay that occurs while the router determines that the device does not respond to EAP messages.
Two printers are connected to an MX Series router over interfaces ge-0/0/19 and ge-0/0/20.
Table 1 shows the components in the example for MAC RADIUS authentication.
Property | Settings
---|---
Router hardware | Ports (ge-0/0/0 through ge-0/0/23)
VLAN name | sales
Connections to printers | ge-0/0/19, MAC address 00040ffdacfe; ge-0/0/20, MAC address 0004aecd235f
RADIUS server | Connected to the router on interface ge-0/0/10
The printer with the MAC address 00040ffdacfe is connected to access interface ge-0/0/19. A second printer with the MAC address 0004aecd235f is connected to access interface ge-0/0/20. In this example, both interfaces are configured for MAC RADIUS authentication on the router, and the MAC addresses (without colons) of both printers are configured on the RADIUS server. Interface ge-0/0/20 is configured to eliminate the normal delay while the router attempts 802.1X authentication: MAC RADIUS authentication is enabled and 802.1X authentication is disabled using the mac-radius restrict option.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure MAC RADIUS authentication, copy the following commands and paste them into the router terminal window:
[edit]
set protocols authentication-access-control interface ge-0/0/19 dot1x mac-radius
set protocols authentication-access-control interface ge-0/0/20 dot1x mac-radius restrict
You must also configure the two MAC addresses as usernames and passwords on the RADIUS server, as is done in step 2 of the Step-by-Step Procedure.
Step-by-Step Procedure
Configure MAC RADIUS authentication on the router and on the RADIUS server:
On the router, configure the interfaces to which the printers are attached for MAC RADIUS authentication, and configure the restrict option on interface ge-0/0/20, so that only MAC RADIUS authentication is used:
[edit]
user@router# set protocols authentication-access-control interface ge-0/0/19 dot1x mac-radius
user@router# set protocols authentication-access-control interface ge-0/0/20 dot1x mac-radius restrict
On the RADIUS server, configure the MAC addresses 00040ffdacfe and 0004aecd235f as usernames and passwords:
[root@freeradius]# cd /etc/raddb
[root@freeradius]# vi users
00040ffdacfe    Auth-Type := EAP, User-Password = "00040ffdacfe"
0004aecd235f    Auth-Type := EAP, User-Password = "0004aecd235f"
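The router presents the printer's MAC address to the RADIUS server as both username and password, written as 12 hex digits without separators, while the router itself displays MAC addresses with colons. The following script is an added example (not Juniper or FreeRADIUS code) that normalizes a MAC written in any common notation to the bare form the users file in step 2 needs, generates the entries in the format this example uses (Auth-Type := EAP with the MAC as User-Password, an assumption carried over from the step above), and checks an existing users file for missing or stale printer entries. The printer list is constructed from this example's topology.

```python
"""Build and check FreeRADIUS 'users' entries for MAC RADIUS authentication.

Added example, not Juniper's or FreeRADIUS's own code. Assumes the entry
format shown in this example (Auth-Type := EAP, User-Password = "<mac>")
and that the RADIUS username is the MAC as 12 lowercase hex digits.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, stripping ':', '-', '.' and spaces.

    Accepts 00:04:0f:fd:ac:fe, 00-04-0F-FD-AC-FE, 0004.0ffd.acfe and 00040ffdacfe.
    Raises ValueError for anything that is not exactly 48 bits of hex, so a
    typo never silently becomes a RADIUS username that can never match.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def users_entry(mac: str) -> str:
    """One 'users' file entry: username and password are both the bare MAC."""
    m = normalize_mac(mac)
    return f'{m}\tAuth-Type := EAP, User-Password = "{m}"'


def users_file(macs) -> str:
    """Entries for all printers, deduplicated and in a stable order.

    FreeRADIUS uses the first matching entry, so duplicate usernames are
    collapsed here rather than left to shadow each other in the file."""
    unique = sorted({normalize_mac(m) for m in macs})
    return "\n".join(users_entry(m) for m in unique) + "\n"


def check_users_file(text: str, expected_macs) -> dict:
    """Compare the MAC usernames present in a users file with the expected list.

    Reports expected printers that have no entry (they will fail to
    authenticate) and MAC usernames not in the expected list (stale entries
    that still grant LAN access and should be removed)."""
    present = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username = line.split()[0]
        if _HEX12.match(username):  # reply items and DEFAULT entries are skipped
            present.add(username)
    expected = {normalize_mac(m) for m in expected_macs}
    return {"missing": sorted(expected - present),
            "unexpected": sorted(present - expected)}


# Constructed input: the two printer MACs from this example, one in the
# colon form the router displays and one in the bare form RADIUS expects.
PRINTER_MACS = ["00:04:0f:fd:ac:fe", "0004aecd235f"]

if __name__ == "__main__":
    print(users_file(PRINTER_MACS), end="")
    print(check_users_file(users_file(PRINTER_MACS), PRINTER_MACS))
```

Running the script prints the two entries from step 2 and an empty missing/unexpected report; feeding it the live /etc/raddb/users file instead makes the "unexpected" list a quick audit of MAC entries that no longer correspond to a known device.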
Results
Display the results of the configuration on the router:
user@router> show configuration
protocols {
    authentication-access-control {
        authentication-profile-name profile52;
        interface {
            ge-0/0/19.0 {
                dot1x {
                    mac-radius;
                }
            }
            ge-0/0/20.0 {
                dot1x {
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    }
}
Verification
Verify that the supplicants are authenticated:
Verifying That the Supplicants Are Authenticated
Purpose
After supplicants are configured for MAC RADIUS authentication on the router and on the RADIUS server, verify that they are authenticated and display the method of authentication:
Action
Display information about 802.1X-configured interfaces ge-0/0/19 and ge-0/0/20:
user@router> show dot1x interface ge-0/0/19.0 detail
ge-0/0/19.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user101, 00:04:0f:fd:ac:fe
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds

user@router> show dot1x interface ge-0/0/20.0 detail
ge-0/0/20.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Enabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: user102, 00:04:ae:cd:23:5f
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: vo11
      Dynamic Filter: match source-dot1q-tag 10 action deny
      Session Reauth interval: 60 seconds
      Reauthentication due in 50 seconds
Meaning
The sample output from the show dot1x interface detail command displays the MAC address of the connected end device in the Supplicant field. On interface ge-0/0/19, the MAC address is 00:04:0f:fd:ac:fe, which is the MAC address of the first printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as MAC Radius. On interface ge-0/0/20, the MAC address is 00:04:ae:cd:23:5f, which is the MAC address of the second printer configured for MAC RADIUS authentication. The Authentication method field displays the authentication method as MAC Radius.
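Reading the detail output by eye works for two printers; for a router with many access ports it is easier to check each interface against the intended policy mechanically. The following script is an added example (not Junos or Juniper code) that parses the show dot1x interface detail text shown above, confirms that MAC RADIUS is enabled, that the restrict option is on exactly where this example intends it (ge-0/0/20 only), that the supplicant is authenticated, and that the displayed colon-separated MAC corresponds to the bare MAC username configured on the RADIUS server. It assumes the field labels in the output above are stable; the expected-policy table and the non-compliant sample are constructed from this example's topology.

```python
"""Verify 'show dot1x interface <ifl> detail' output against the intended
MAC RADIUS policy.

Added example, not Junos or Juniper code. Parses the text output format
shown in this example and assumes its field labels ('Mac Radius:',
'Mac Radius Restrict:', 'Supplicant:', 'Operational state:') are stable.
Written for single-supplicant mode as used here; with several supplicants
on one port the per-supplicant fields would need to be grouped.
"""
import re

# Expected policy per interface, from this example's topology: restrict is
# set only on ge-0/0/20. MACs are the bare usernames on the RADIUS server.
EXPECTED = {
    "ge-0/0/19.0": {"restrict": False, "mac": "00040ffdacfe"},
    "ge-0/0/20.0": {"restrict": True, "mac": "0004aecd235f"},
}

# Sample output copied from the ge-0/0/20 verification step above.
SAMPLE_GE20 = """ge-0/0/20.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Single
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Enabled
Reauthentication: Enabled
Configured Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: <not configured>
Number of connected supplicants: 1
Supplicant: user102, 00:04:ae:cd:23:5f
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: vo11
Dynamic Filter: match source-dot1q-tag 10 action deny
Session Reauth interval: 60 seconds
Reauthentication due in 50 seconds
"""

# Constructed non-compliant sample: restrict turned on where it should be
# off, and an unexpected device (last octet differs) authenticated on the port.
SAMPLE_GE19_BAD = """ge-0/0/19.0
Role: Authenticator
Mac Radius: Enabled
Mac Radius Restrict: Enabled
Number of connected supplicants: 1
Supplicant: user103, 00:04:0f:fd:ac:ff
Operational state: Authenticated
Authentication method: Radius
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_dot1x_detail(text: str) -> dict:
    """Turn one interface's detail output into a dict of field -> value.

    The first line is the interface name; each 'Supplicant: user, mac' line
    is split into the RADIUS username and the MAC address."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    info = {"interface": lines[0].strip(), "supplicants": []}
    for line in lines[1:]:
        m = FIELD.match(line)
        if not m:  # e.g. 'Reauthentication due in 50 seconds' has no colon
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Supplicant":
            user, _, mac = val.partition(",")
            info["supplicants"].append({"user": user.strip(), "mac": mac.strip()})
        else:
            info[key] = val
    return info


def bare_mac(mac: str) -> str:
    """Router display form 00:04:ae:cd:23:5f -> RADIUS username 0004aecd235f."""
    return mac.replace(":", "").lower()


def check_interface(text: str, expected=EXPECTED) -> list:
    """Return policy violations for one interface; an empty list means compliant."""
    info = parse_dot1x_detail(text)
    ifname = info["interface"]
    want = expected.get(ifname)
    if want is None:
        return [f"{ifname}: no MAC RADIUS policy defined for this interface"]
    problems = []
    if info.get("Mac Radius") != "Enabled":
        problems.append("MAC RADIUS is not enabled")
    restrict_on = info.get("Mac Radius Restrict") == "Enabled"
    if restrict_on != want["restrict"]:
        problems.append(f"restrict is {'on' if restrict_on else 'off'}, "
                        f"expected {'on' if want['restrict'] else 'off'}")
    macs = {bare_mac(s["mac"]) for s in info["supplicants"]}
    if want["mac"] not in macs:
        problems.append(f"expected printer {want['mac']} not seen among supplicants {sorted(macs)}")
    if info.get("Operational state") != "Authenticated":
        problems.append(f"operational state is {info.get('Operational state')!r}")
    return [f"{ifname}: {p}" for p in problems]


if __name__ == "__main__":
    for sample in (SAMPLE_GE20, SAMPLE_GE19_BAD):
        print(check_interface(sample) or f"{sample.splitlines()[0]}: compliant")
```

In practice the output text would come from the router (for example via a NETCONF or SSH session) rather than from the embedded constants; the check that the supplicant MAC converts to a username present in the expected table is the one that catches a device plugged into a printer port that was nonetheless admitted because its MAC exists on the RADIUS server under another policy.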
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.