interface (802.1X)

Configure either a list of interface names or all interfaces for 802.1x authentication.

Disable 802.1X authentication on a specified interface or all interfaces.

• Default: 802.1X authentication is disabled on all interfaces.

(MX Series only) Specify the bridge domain tag identifier or the name of the guest bridge domain to which an interface is moved when no 802.1X supplicants are connected on the interface. The bridge domain specified must already exist on the device.

(EX or QFX Series) Specify the GBP tag to apply when an interface is moved to a guest VLAN. If the guest-gbp-tag is configured and the client authenticates in guest VLAN, then the configured guest-gbp-tag filter is also installed for the client. You can only configure the guest-gbp-tag when the guest-vlan vlan-id option is configured.

• Range: 1 through 65535.

(EX, QFX, and SRX Series only) Specify the VLAN tag identifier or the name of the guest VLAN to which an interface is moved. The VLAN specified must already exist on the device. Guest VLANs can be configured on devices that are using 802.1X authentication to provide limited access—typically only to the Internet—for corporate guests. A guest VLAN is not used for supplicants that send incorrect credentials. Those supplicants are directed to the server-reject VLAN instead.

Ignore the port-bounce command contained in a Change of Authorization (CoA) request. CoA requests are RADIUS messages that are used to dynamically modify an authenticated user session already in progress. CoA requests are sent from the authentication, authorization, and accounting (AAA) server to the device, and are typically used to change the VLAN for the host based on device profiling. End devices such as printers do not have a mechanism to detect the VLAN change, so they do not renew the lease for their DHCP address in the new VLAN. The port-bounce command is used to force the end device to initiate DHCP re-negotiation by causing a link flap on the authenticated port.

• Default: The port-bounce command is supported by default. If you do not configure the ignore-port-bounce statement, the device responds to a port-bounce command by flapping the link to re-initiate DHCP negotiation for the end device.

Specify the maximum number of times an EAPoL request packet is retransmitted to the supplicant before the authentication session times out.

• Range: 1 through 10

• Default: 2

Either disable reauthentication or configure the number of seconds before the 802.1X authentication session times out and the client must reattempt authentication.

• Range: 1 through 65,535 seconds

• Default: Reauthentication is enabled, with 3600 seconds until the client can attempt to authenticate again.

Don’t allow a tagged MAC address for RADIUS authentication.

Specify the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication.

• Range: 0 through 65,535 seconds

• Default: 60 seconds

Specify a URL that redirects unauthenticated hosts to a central Web authentication (CWA) server. The CWA server provides a web portal where the user can enter a username and password. If these credentials are validated by the CWA server, the user is authenticated and is allowed access to the network.

The redirect URL for central Web authentication can be configured centrally on the AAA server or locally on the switch. Use the redirect-url statement to configure the redirect URL locally on the interface connecting the host to the switch.

The redirect URL and a dynamic firewall filter must both be present for the central Web authentication process to be triggered. For more information about configuring the redirect URL and the dynamic firewall filter for central Web authentication, see Configuring Central Web Authentication.

• Syntax: The redirect URL must use the HTTP or HTTPS protocol and include an IP address or website name. The following are examples of valid redirect URL formats:

  • http://www.example.com

  • https://www.example.com

  • http://10.10.10.10

  • https://10.10.10.10

  • http://www.example.com/login.html

  • https://www.example.com/login.html

  • http://10.10.10.10/login.html

  • https://10.10.10.10/login.html

• Default: Disabled. The redirect URL is not enabled for central Web authentication by default.

Configure the authentication server to retry sending an EAP request to the supplicant. This can help prevent a timeout of the authentication session due to an unresponsive supplicant. The number of retries is based on the configured value.

• Range: 1 through 10 retries

• Default: 2 retries

Keep the IEEE 802.1X clients active even after their MAC addresses age out, and relearn the MAC addresses again.

• Default: Disabled.

Specify the number of times the device attempts to authenticate the port after an initial failure. When the limit is exceeded, the port waits to reattempt authentication for the number of seconds specified with the quiet-period option configured at the same hierarchy level.

• Range: 1 through 10 retries

• Default: 3 retries

Specify how end devices connected to a device are supported if the RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicant’s initial attempt at authentication through the RADIUS server.

You must specify an action that the device applies to end devices when the authentication servers are unavailable. The device can accept or deny access to supplicants or maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to move the supplicants to a specific VLAN or bridge domain. The VLAN or bridge domain must already be configured on the device.

• Values: bridge-domain—(MX Series only) Move the supplicant on the interface to the bridge domain specified by this name or numeric identifier. This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the bridge domain and is not authenticated. The bridge domain must already be configured on the device.

  deny—Force the supplicant authentication to fail. No traffic will flow through the interface.

  permit—Force the supplicant authentication to succeed. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.

  use-cache—Force the supplicant authentication to succeed only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected.

  vlan-name—(EX, QFX, or SRX Series only) Move the supplicant on the interface to the VLAN specified by this name or numeric identifier. This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the device.

• Default: If the RADIUS authentication server becomes unavailable, the end device is not authenticated and is denied access to the network.

• gbp-tag gbp-tag—(EX or QFX Series) Specify the GBP tag to apply on the interface when the server is inaccessible. If you configure the gbp-tag gbp-tag and the client authenticates in server-fail vlan-name or server-fail permit, then the configured gbp-tag gbp-tag filter is also installed for the client.

  You can only configure this option when the server-fail vlan-name or server-fail permit option is configured.

  Range: 1 through 65535.

(EX, QFX Series only) Specify how VoIP clients sending voice traffic are supported if the RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a VoIP client’s initial attempt at authentication through the RADIUS server.

You must specify an action that the switch applies to VoIP clients when the authentication servers are unavailable. The switch can accept or deny access to VoIP clients or maintain the access already granted to clients before the RADIUS timeout occurred. You can also configure the switch to move the VoIP clients to a specific VLAN. The VLAN must already be configured on the switch.

The server-fail-voip statement is specific to the VoIP-tagged traffic sent by clients. VoIP clients still require that the server-fail statement be configured for the un-tagged traffic that they generate. Therefore, when you configure the server-fail-voip statement you must also configure the server-fail statement.

• Values: deny—Force the VoIP client authentication to fail. No traffic will flow through the interface.

  permit—Force the VoIP client authentication to succeed. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.

  use-cache—Force the VoIP client authentication to succeed only if it was previously authenticated successfully. This action ensures that already authenticated clients are not affected.

  vlan-name—Move the VoIP client on the interface to the VLAN specified by this name or numeric identifier. This action is allowed only if it is the first VoIP client connecting to the interface. If an authenticated VoIP client is already connected, then the VoIP client is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the switch.

• Default: If a RADIUS authentication server becomes unavailable, a VoIP client that begins authentication by sending voice traffic is not authenticated, and the voice traffic is dropped.

Specify the amount of time a port will wait for a reply when relaying a response from the supplicant to the authentication server before timing out and invoking the server-fail action.

• Range: 1 through 60 seconds

• Default: 30 seconds

Specify the MAC-based method used to authenticate clients.

• Values: Specify one of the following:

  • single—Authenticates only the first client that connects to an authenticator port. All other clients connecting to the authenticator port after the first are permitted free access to the port without further authentication. If the first authenticated client logs out, all other supplicants are locked out until a client authenticates again.

  • single-secure—Authenticates only one client to connect to an authenticator port. The host must be directly connected to the switch.

  • multiple—Authenticates multiple clients individually on one authenticator port. You can configure the number of clients per port. If you also configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of clients allowed per port.

• Default: single

Specify the number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before re-sending the request.

• Range: 1 through 60 seconds

• Default: 30 seconds

Specify the number of seconds the port waits before retransmitting the initial EAPoL PDUs to the supplicant.

• Range: 1 through 65,535 seconds

• Default: 30 seconds