Juniper JUNOS 10.1 - CONFIGURATION GUIDE 1-2010 Configuration Manual page 842

Network interfaces configuration

JUNOS 10.1 Network Interfaces Configuration Guide
Understanding the Administrative State of the Authenticator Port
The administrative state of an authenticator port can take any of the following three
states:
Force authorized—Allows network access to all users of the port without requiring
them to be authenticated. This is equivalent to not having any authentication
enabled on the port.
Force unauthorized—Denies network access to all users of the port. This is
equivalent to disabling the port.
Automatic—This is the default mode where the authentication server response
determines if the port is opened for traffic or not. Only the successfully
authenticated clients are allowed access, all others are denied.
In JUNOS Software, the default mode is "automatic." The "force authorized" and
"force unauthorized" admin modes are not supported. You can achieve the
functionality of "force authorized" mode by disabling dot1x on the required port.
You can achieve the functionality of "force unauthorized" mode by disabling the port
itself.

Understanding the Administrative Mode of the Authenticator Port
JUNOS Software supports the supplicant mode "single" and not the "single secure"
nor "multiple" modes. The "Single" mode option authenticates only the first client
that connects to a port. All other clients that connect later (802.1x compliant or
noncompliant) are allowed free access on that port without any further authentication.
If the first authenticated client logs out, all other users are locked out until a client
authenticates again.

Configuring the Authenticator
To configure the IEEE 802.1x Port-Based Network Access Control protocol on Ethernet
interfaces you must configure the authenticator statement at the [edit protocols dot1x]
hierarchy level. Use the authentication-profile-name access-profile-name statement to
specify the authenticating RADIUS server, and use the interface statement to specify
and configure the Gigabit Ethernet or Fast Ethernet interface on the router specifically
for IEEE 802.1x protocol use; both at the [edit protocols dot1x authenticator] hierarchy
level.

[edit protocols dot1x]
authenticator {
    authentication-profile-name access-profile-name;
    interface (xe-fpc/pic/port | ge-fpc/pic/port | fe-fpc/pic/port) {
        maximum-requests seconds;
        quiet-period seconds;
        reauthentication (disable | interval seconds);
        retries integer;
        server-timeout seconds;
        supplicant (single);
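
An added example, not part of the Juniper guide: a Python audit that reads a configuration exported in "display set" form and reports, for each xe/ge/fe port, which of the three administrative states described above it effectively has. The sample configuration, port names, addresses and profile name are constructed, audit_dot1x is a hypothetical helper name, and the script assumes the statements sit at the top-level hierarchy (no groups or logical systems).

```python
import re

# Constructed sample in "display set" form; ports, addresses and profile name are made up.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/2 disable
set interfaces fe-1/0/0 unit 0 family inet address 203.0.113.1/24
set protocols dot1x authenticator authentication-profile-name example-profile
set protocols dot1x authenticator interface ge-0/0/0 supplicant single
set protocols dot1x authenticator interface fe-1/0/0 supplicant single
set protocols dot1x authenticator interface fe-1/0/0 reauthentication disable
"""

PORT = r"((?:xe|ge|fe)-\d+/\d+/\d+)(?: (.*))?$"   # port name, then the rest of the statement
DOT1X = "set protocols dot1x authenticator "

def audit_dot1x(config_text):
    """Return {port: (effective admin state, [warnings])} for every Ethernet port seen."""
    ports, disabled, dot1x, reauth_off, profile = set(), set(), set(), set(), None
    for line in map(str.strip, config_text.splitlines()):
        m = re.match("set interfaces " + PORT, line)
        if m:
            ports.add(m.group(1))
            if m.group(2) == "disable":
                disabled.add(m.group(1))
        elif line.startswith(DOT1X + "authentication-profile-name "):
            profile = line.split()[-1]
        else:
            m = re.match(DOT1X + "interface " + PORT, line)
            if m:
                dot1x.add(m.group(1))
                if m.group(2) == "reauthentication disable":
                    reauth_off.add(m.group(1))
    report = {}
    for port in sorted(ports | dot1x):
        warnings = []
        if port in disabled:
            state = "force-unauthorized equivalent (port disabled)"
        elif port in dot1x:
            state = "automatic"
            if profile is None:
                warnings.append("no authentication-profile-name, so no RADIUS server")
            if port in reauth_off:
                warnings.append("reauthentication disabled")
        else:
            state = "force-authorized equivalent (no dot1x on port)"
        report[port] = (state, warnings)
    return report
```

Ports reported as "automatic" still run in "single" supplicant mode, so the report shows where authentication is enforced at all, not that every client behind the port is authenticated.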
