Configuring MAC RADIUS Authentication on MX Series Routers in Enhanced LAN Mode
Starting with Junos OS Release 14.2, you can permit LAN access for devices that are not 802.1X-enabled by configuring MAC RADIUS authentication on the MX Series router interfaces to which the hosts are connected.
You can also allow non-802.1X-enabled devices to access the LAN by configuring their MAC address for static MAC bypass of authentication.
You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication, or you can configure either authentication method alone.
If both MAC RADIUS and 802.1X authentication are enabled on the interface, the router first sends the host three EAPOL requests. If there is no response from the host, the router sends the host’s MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the RADIUS server sends a message to the router that the MAC address is a permitted address, and the router opens LAN access to the nonresponsive host on the interface to which it is connected.
If MAC RADIUS authentication is configured on the interface but 802.1X authentication is not (by using the mac-radius restrict option), the router attempts to authenticate the MAC address with the RADIUS server immediately, without first attempting 802.1X authentication.
Before you configure MAC RADIUS authentication, be sure you have:
- Configured basic access between the MX Series router and the RADIUS server.
- Configured MX240, MX480, and MX960 routers to function in enhanced LAN mode by entering the network-services lan statement at the [edit chassis] hierarchy level.
To configure MAC RADIUS authentication using the CLI:
On the router, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS authentication:
    [edit]
    user@router# set protocols authentication-access-control interface ge-0/0/19 dot1x mac-radius
    user@router# set protocols authentication-access-control interface ge-0/0/20 dot1x mac-radius restrict
On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC address (without colons) of the nonresponsive host as the username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):
    [root@freeradius]# edit /etc/raddb
    vi users
    00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"
    0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"
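The users-file entries in the last step can be generated from a host inventory rather than typed by hand. The following is an added example, not part of the original Juniper documentation: it converts MAC addresses written in common notations to the separator-free form shown above and emits one entry per host. The function names and the inventory list are hypothetical, and the lowercase output is an assumption taken from the sample entries on this page.

```python
import re

# Separators used by common MAC notations: colon, hyphen, dot.
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits with no separators."""
    mac = _SEPARATORS.sub("", raw.strip().lower())
    if not _HEX12.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    # Bit 0 of the first octet marks a group (multicast/broadcast) address,
    # which is never a host's own source address.
    if int(mac[:2], 16) & 0x01:
        raise ValueError(f"group address cannot identify a host: {raw!r}")
    return mac


def users_entries(macs):
    """Build users-file lines in the format shown on this page, skipping duplicates."""
    seen, lines = set(), []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:
            continue  # same host listed twice in a different notation
        seen.add(mac)
        lines.append(f'{mac} Auth-type:=Local, User-Password = "{mac}"')
    return lines


if __name__ == "__main__":
    # Constructed inventory: the two addresses from this page in mixed notations,
    # with the first one repeated to show duplicate handling.
    inventory = ["00:04:0f:fd:ac:fe", "00-04-AE-CD-23-5F", "0004.0ffd.acfe"]
    print("\n".join(users_entries(inventory)))
```

Malformed or group addresses raise ValueError, so a bad inventory line stops the run instead of producing an entry that can never match a host.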