Configuring Ieee 802.1X Port-Based Network Access Control; Ieee 802.1X Port-Based Network Access Control Overview; Understanding The Administrative State Of The Authenticator Port; Understanding The Administrative Mode Of The Authenticator Port - Juniper JUNOS 10.1 - CONFIGURATION GUIDE 1-2010 Configuration Manual

Chapter 45
Configuring IEEE 802.1x Port-Based
Network Access Control

IEEE 802.1x Port-Based Network Access Control Overview

IEEE 802.1x Port-Based Network Access Control Overview on page 771
Understanding the Administrative State of the Authenticator Port on page 772
Understanding the Administrative Mode of the Authenticator Port on page 772
Configuring the Authenticator on page 772
Viewing the dot1x Configuration on page 773
MX Series routers support the IEEE 802.1x Port-Based Network Access Control (dot1x)
protocol on Ethernet interfaces for validation of client and user credentials to prevent
unauthorized access to a specified router port. Before authentication is complete,
only 802.1x control packets are allowed and forwarded to the router control plane
for processing. All other packets are dropped.
Authentication methods used must be 802.1x compliant. Authentication using RADIUS
and Microsoft Active Directory servers is supported. The following user/client
authentication methods are allowed:
EAP-MD5 (RFC 3748)
EAP-TTLS requires a server certificate (RFC 2716)
EAP-TLS requires a client and server certificate
PEAP requires only a server certificate
You can use both client and server certificates in all types of authentication except
EAP-MD5.
NOTE: On the MX Series router, 802.1x can be enabled on bridged ports only and
not on routed ports.
Dynamic changes to a user session are supported to allow the router administrator
to terminate an already authenticated session by using the "RADIUS disconnect"
message defined in RFC 3576.
IEEE 802.1x Port-Based Network Access Control Overview
771