Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode
Starting with Junos OS Release 14.2, server fail fallback allows you to specify how end devices connected to the router are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message.
802.1X and MAC RADIUS authentication work by using an authenticator port access entity (the router) to block all traffic to and from an end device at the interface until the end device's credentials are presented and matched on the authentication server (a RADIUS server). When the end device has been authenticated, the router stops blocking and opens the interface to the end device.
When you set up 802.1X or MAC RADIUS authentication on the router, you specify a primary authentication server and one or more backup authentication servers. If the primary authentication server cannot be reached by the router and the secondary authentication servers are also unreachable, a RADIUS server timeout occurs. Because the authentication server grants or denies access to the end devices awaiting authentication, the router does not receive access instructions for end devices attempting access to the LAN and normal authentication cannot be completed. Server fail fallback allows you to configure authentication alternatives that permit the router to take appropriate actions toward end devices awaiting authentication or reauthentication.
The authentication fallback method called server-reject VLAN provides limited access to a LAN, typically just to the Internet, for responsive end devices that are 802.1X-enabled but that have sent the wrong credentials. If the end device that is authenticated using the server-reject VLAN is an IP phone, voice traffic is not allowed.
To configure basic server fail fallback options using the CLI:
Configure an interface to allow traffic to flow from a supplicant to the LAN if a RADIUS server timeout occurs (as if the end device had been successfully authenticated by a RADIUS server):

    [edit protocols authentication-access-control]
    user@router# set interface ge-0/0/1 dot1x server-fail permit

Configure an interface to prevent traffic flow from an end device to the LAN (as if the end device had failed authentication and had been rejected by the RADIUS server):

    [edit protocols authentication-access-control]
    user@router# set interface ge-0/0/1 dot1x server-fail deny

Configure an interface to move an end device to a specified VLAN if a RADIUS server timeout occurs (in this case, the VLAN name is vlan1):

    [edit protocols authentication-access-control]
    user@router# set interface ge-0/0/1 dot1x server-fail vlan-name vlan1

Configure an interface to recognize already connected end devices as reauthenticated if there is a RADIUS timeout during reauthentication (new users will be denied access):

    [edit protocols authentication-access-control]
    user@router# set interface ge-0/0/1 dot1x server-fail use-cache

Configure an interface that receives a RADIUS access-reject message from the authentication server to move end devices attempting LAN access on the interface to a specified VLAN already configured on the router (in this case, the VLAN name is vlan-sf):

    [edit protocols authentication-access-control]
    user@router# set interface ge-0/0/1 dot1x server-reject-vlan vlan-sf
Note: If an IP phone is authenticated in the server-reject VLAN, voice traffic is not allowed.