
Specifying RADIUS Server Connections on an MX Series Router in Enhanced LAN Mode

30-Nov-23

IEEE 802.1X and MAC RADIUS authentication both provide network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from devices at the interface until the supplicant's credentials or MAC address are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the router stops blocking access and opens the interface to the supplicant.

Starting with Junos OS Release 14.2, to use 802.1X or MAC RADIUS authentication, you must specify the connections on the router for each RADIUS server to which you will connect.

To configure a RADIUS server on the router:

  1. Define the IP address of the RADIUS server, the RADIUS server authentication port number, and the secret password. You can define more than one RADIUS server. The secret password on the router must match the secret password on the server:
    [edit access]
    user@router# set radius-server 10.0.0.100 port 1812 secret abc
    Note: Specifying the authentication port is optional, and port 1812 is the default. However, we recommend that you configure it in order to avoid confusion as some RADIUS servers might refer to an older default.

  2. (Optional) Specify the IP address by which the router is identified by the RADIUS server. If you do not specify this, the RADIUS server uses the address of the interface sending the RADIUS request. We recommend that you specify this IP address because if the request gets diverted on an alternate route to the RADIUS server, the interface relaying the request might not be an interface on the router.
    [edit access]
    user@router# set radius-server source-address 10.93.14.100
  3. Configure the authentication order, making radius the first method of authentication:
    [edit access]
    user@router# set profile profile1 authentication-order radius
    
  4. Create a profile and specify the list of RADIUS servers to be associated with the profile. For example, you might choose to group your RADIUS servers geographically by city. This feature enables easy modification whenever you want to change to a different set of authentication servers.
    [edit access profile]
    user@router# set atlanta radius authentication-server 10.0.0.100 10.2.14.200
    
  5. Specify the group of servers to be used for 802.1X or MAC RADIUS authentication by identifying the profile name:
    [edit]
    user@router# set protocols authentication-access-control authentication-profile-name denver
    
  6. Configure the IP address of the MX Series router in the list of clients on the RADIUS server. For specifics on configuring the RADIUS server, consult the documentation for your server.
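
The following is an added example, not Juniper code: a Python check that the statements from steps 1 through 5 refer to each other consistently, since a profile name or server address that differs between steps leaves 802.1X pointing at a profile with no usable RADIUS server. The full-path `set` lines in `PAGE_CONFIG` are constructed from the commands above, and the function name `audit` and the 16-character secret threshold (taken from the RFC 2865 preference) are assumptions of this example.

```python
# Added example (not Juniper code): cross-check the statements from steps 1-5.
PREFIX = ["set", "protocols", "authentication-access-control",
          "authentication-profile-name"]

# Constructed input: the page's commands in full-path "set" form, keeping the
# page's differing profile names (profile1, atlanta, denver) and sample secret.
PAGE_CONFIG = """\
set access radius-server 10.0.0.100 port 1812 secret abc
set access profile profile1 authentication-order radius
set access profile atlanta radius authentication-server 10.0.0.100 10.2.14.200
set protocols authentication-access-control authentication-profile-name denver
"""

def audit(config):
    """Return a list of findings; an empty list means the steps line up."""
    secrets, order, members, used = {}, {}, {}, []
    for line in config.splitlines():
        w = line.replace("[", " ").replace("]", " ").split()
        if w[:3] == ["set", "access", "radius-server"] and "secret" in w[4:-1]:
            secrets[w[3]] = w[w.index("secret") + 1].strip('"')
        elif w[:3] == ["set", "access", "profile"] and len(w) > 5:
            name, rest = w[3], w[4:]
            if rest[0] == "authentication-order":
                order[name] = rest[1:]
            elif rest[:2] == ["radius", "authentication-server"]:
                members.setdefault(name, []).extend(rest[2:])
        elif w[:4] == PREFIX and len(w) == 5:
            used.append(w[4])          # profile that 802.1X / MAC RADIUS uses
    findings = []
    if not used:
        findings.append("no authentication-profile-name is set")
    for name in used:
        if "radius" not in order.get(name, []):
            findings.append(f"profile {name}: authentication-order lacks radius")
        if not members.get(name):
            findings.append(f"profile {name}: no authentication-server listed")
        for addr in members.get(name, []):
            if addr not in secrets:
                findings.append(f"profile {name}: {addr} has no radius-server secret")
    for addr, secret in secrets.items():
        # RFC 2865 prefers a shared secret of at least 16 octets; secrets
        # already stored in Junos "$9$" form cannot be measured and are skipped.
        if not secret.startswith("$9$") and len(secret) < 16:
            findings.append(f"radius-server {addr}: secret under 16 characters")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PAGE_CONFIG)))
```

Run against the commands exactly as shown in the steps, the check reports that profile `denver` has neither `radius` in its authentication order nor any server, and that the sample secret is too short; using one profile name throughout and defining every listed server with a long secret clears all findings.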

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release    Description
14.2       Starting with Junos OS Release 14.2, to use 802.1X or MAC RADIUS authentication, you must specify the connections on the router for each RADIUS server to which you will connect.