Table of Contents
Advertisement
Captive Portal Authentication
Copyright © 2010, Juniper Networks, Inc.
The EAP method supported for MAC RADIUS authentication on EX Series switches is
EAP-MD5.
If both 802.1X-enabled end devices and end devices that are not 802.1X-enabled connect
to an interface, you can configure both 802.1X and MAC RADIUS authentication methods
on the interface. In this case, the switch first attempts to authenticate using 802.1X, and
if that method fails, it attempts to authenticate the end device using MAC RADIUS
authentication.
If you know that only non-802.1X-enabled end devices connect on that interface, you
can eliminate the delay that occurs while the switch determines that the end device is
non-802.1X-enabled by configuring the
configured, the switch does not attempt to authenticate the end device through 802.1X
but instead immediately sends a request to the RADIUS server for authentication of the
MAC address of the end device. If the MAC address of an end device is configured as
permitted on the RADIUS server, the switch opens LAN access to the end device on the
interface to which it is connected.
This option is useful when no other 802.1X authentication methods, such as guest VLAN,
are needed on the interface. When you configure
eliminate this delay, the switch drops all 802.1X packets.
Captive portal authentication (hereafter referred to as captive portal) allows you to
authenticate users on EX Series switches by redirecting Web browser requests to a login
page that requires users to input a username and password before they are allowed
access to the network. Captive portal controls network access by requiring users to
provide information that is authenticated against a RADIUS server database using
EAP-MD5. You can also use captive portal to display an acceptable-use policy to users
before they access your network.
Juniper Networks Junos operating system (Junos OS) for EX Series switches provides a
template that allows you to easily design and modify the look of the captive portal login
page. You enable specific interfaces for captive portal. The first time an end device
connected to a captive portal interface attempts to access a web page, the switch
presents the captive portal login page. Upon successful authentication, the user is allowed
access to the network and to continue to the original page requested.
NOTE: If Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
is enabled, Hypertext Transfer Protocol (HTTP) requests are redirected to
an HTTPS connection for the captive portal authentication process. After
authentication, the end device is returned to the HTTP connection.
If there are end devices that are not HTTP-enabled connected to the captive portal
interface, you can allow them to bypass captive portal authentication by adding their
MAC addresses to an authentication whitelist.
Chapter 81: 802.1X and MAC RADIUS Authentication Overview
option. When this option is
mac-radius restrict
mac-radius restrict
on an interface to
2529
Advertisement
Chapters
Table of Contents
Troubleshooting
