- play_arrow Login Classes and Login Settings
- play_arrow User Accounts
- play_arrow Passwords for User Access
- play_arrow Trusted Platform Module
- play_arrow User Authentication
- play_arrow Remote Access Management
- play_arrow Configuring IEEE 802.1x Port-Based Network Access Control
- play_arrow Configuring IEEE 802.1x Port-Based Network Access Control in Enhanced LAN Mode
- 802.1X for MX Series Routers in Enhanced LAN Mode Overview
- Understanding 802.1X and LLDP and LLDP-MED on MX Series Routers in Enhanced LAN Mode
- Understanding 802.1X and RADIUS Accounting on MX Series Routers in Enhanced LAN Mode
- Understanding 802.1X and VoIP on MX Series Routers in Enhanced LAN Mode
- Understanding Guest VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode
- Understanding Dynamic VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode
- Understanding Server Fail Fallback and Authentication on MX Series Routers in Enhanced LAN Mode
- Configuring 802.1X RADIUS Accounting on MX Series Routers in Enhanced LAN Mode
- Configuring 802.1X Interface Settings on MX Series Routers in Enhanced LAN Mode
- Configuring LLDP-MED on MX Series Routers in Enhanced LAN Mode
- Configuring LLDP on MX Series Routers in Enhanced LAN Mode
- Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode
- Understanding Captive Portal Authentication on the MX Series Routers
- Understanding Authentication Session Timeout on MX Series Routers
- Authentication Process Flow for MX Series Routers in Enhanced LAN Mode
- Specifying RADIUS Server Connections on an MX Series Router in Enhanced LAN Mode
- Configuring Captive Portal Authentication on MX Series Routers in Enhanced LAN Mode
- Designing a Captive Portal Authentication Login Page on an MX Series Router
- Configuring Static MAC Bypass of Authentication on MX Series Routers in Enhanced LAN Mode
- Controlling Authentication Session Timeouts on an MX Series Router in Enhanced LAN Mode
- Configuring MAC RADIUS Authentication on MX Series Routers in Enhanced LAN Mode
- Example: Configuring MAC RADIUS Authentication on an MX Series Router
- Example: Setting Up Captive Portal Authentication on an MX Series Router
- Example: Connecting a RADIUS Server for 802.1X to an MX Series Router
- Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an MX Series Router
- Example: Configuring Static MAC Bypass of Authentication on an MX Series Router
- Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on MX Series Routers
- play_arrow Device Discovery
- play_arrow Domain Name Security
- play_arrow Permission Flags
- access
- access-control
- admin
- admin-control
- all
- clear
- configure
- control
- field
- firewall
- firewall-control
- floppy
- flow-tap
- flow-tap-control
- flow-tap-operation
- idp-profiler-operation
- interface
- interface-control
- maintenance
- network
- pgcp-session-mirroring
- pgcp-session-mirroring-control
- reset
- rollback
- routing
- routing-control
- secret
- secret-control
- security
- security-control
- shell
- snmp
- snmp-control
- system
- system-control
- trace
- trace-control
- view
- view-configuration
- play_arrow Configuration Statements and Operational Commands
RADIUS over TLS (RADSEC)
To use 802.1X or MAC RADIUS authentication, you must specify the connections on the switch for each RADIUS server to which you will connect. RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSec allows RADIUS authentication, authorization and accounting data to be passed safely across untrusted networks.
RADSEC uses TLS in combination with the Transmission Control Protocol (TCP). This transport profile provides stronger security than the User Datagram Protocol (UDP) which was originally used for RADIUS transmission. RADIUS over UDP encrypts the shared secret password using the MD5 algorithm, which is vulnerable to attacks. RADSEC mitigates the risk of attacks on MD5 by exchanging RADIUS packet payloads over an encrypted TLS tunnel.
Due to limitations of the TCP protocol, RADSEC can have no more than 255 RADIUS messages in flight.
Configure the RADSEC Destination
RADSEC servers are represented by RADSEC destination objects. To configure RADSEC, you must define the RADSEC server as a destination, and direct RADIUS traffic to that destination.
You define the RADSEC server as a destination using the radsec statement at the [edit access] hierarchy level.
RADSEC destinations are identified by a unique numeric ID. You can configure
multiple RADSEC destinations with different parameters pointing to the same
RADSEC server.
To redirect traffic from a standard RADIUS server to a RADSEC server, associate
the RADIUS server with a RADSEC destination. For example, the RADIUS server
10.1.1.1
is associated with RADSEC destination 10:
access {
radius-server 10.1.1.1 {
secret zzz;
radsec-destination 10;
}
}
You can also associate the RADIUS server with a RADSEC destination inside an
access profile. For example, RADIUS server
10.2.2.2
in profile acc_profile is associated with RADSEC destination
10:
access {
profile acc_profile {
secret zzz;
radsec-destination 10;
}
}
You can redirect more than one RADIUS server to the same RADSEC destination.
To configure RADSEC:
Configure TLS Connection Parameters
The TLS connection provides encryption, authentication, and data integrity for the exchange of RADIUS messages. TLS relies on certificates and private-public key exchange pairs to secure the transmission of data between the RADSEC client and server. The RADSEC destination uses local certificates that are dynamically acquired from the Junos PKI infrastructure.
To enable RADSEC, you must specify the name of the local certificate. For information on configuring the local certificate and certificate authority (CA), see Configuring Digital Certificates.
Example: Simple RADSEC Configuration
The following example is a simple RADSEC configuration with one RADIUS server and one RADSEC destination. RADIUS traffic is redirected from RADIUS server 10.1.1.1 to RADSEC destination 10.
access {
radius-server 10.1.1.1 {
secret zzz;
radsec-destination 10;
}
radsec {
destination 10 {
address 10.10.1.1;
max-tx-buffers 1000;
id-reuse-timeout 30;
port 1777;
source-address 10.1.1.2;
tls-certificate my_cert;
tls-min-version { v1.1 | v1.2 };
tls-peer-name x0.radsec.com
tls-timeout 10;
}
}
}
