Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2670

For ex series ethernet switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants Using RADIUS
Server Attributes on an EX Series Switch

You can use RADIUS server attributes and a port firewall filter to centrally apply terms
to multiple supplicants (end devices) connected to an EX Series switch in your enterprise.
Terms are applied after a device is successfully authenticated through 802.1X.

EX Series switches support port firewall filters. Port firewall filters are configured on a
single EX Series switch, but in order for them to operate throughout an enterprise, they
have to be configured on multiple switches. To reduce the need to configure the same
port firewall filter on multiple switches, you can instead apply the filter centrally on the
RADIUS server using RADIUS server attributes.

The following example uses FreeRADIUS to apply a port firewall filter on a RADIUS server.
For specifics on configuring your server, consult the documentation that was included
with your RADIUS server.

This example describes how to configure a port firewall filter with terms, create counters
to count packets for the supplicants, apply the filter to user profiles on the RADIUS server,
and display the counters to verify the configuration:

- Requirements
- Overview and Topology
- Configuring the Port Firewall Filter and Counters
- Applying the Port Firewall Filter to the Supplicant User Profiles on the RADIUS Server
- Verification

Requirements

This example uses the following hardware and software components:
- Junos OS Release 9.3 or later for EX Series switches
- One EX Series switch acting as an authenticator port access entity (PAE). The ports
  on the authenticator PAE form a control gate that blocks all traffic to and from
  supplicants until they are authenticated.
- One RADIUS authentication server. The authentication server acts as the backend
  database and contains credential information for hosts (supplicants) that have
  permission to connect to the network.

Before you connect the server to the switch, be sure you have:

- Set up a connection between the switch and the RADIUS server. See "Example:
  Connecting a RADIUS Server for 802.1X to an EX Series Switch" on page 2545.
- Configured 802.1X authentication on the switch, with the authentication mode for
  interface ge-0/0/2 set to multiple. See "Configuring 802.1X Interface Settings (CLI
  Procedure)" on page 2609 and "Example: Setting Up 802.1X for Single Supplicant or
  Multiple Supplicant Configurations on an EX Series Switch" on page 2568.
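
The following is an added example, not taken from the Juniper manual: a Python check that every supplicant profile in a FreeRADIUS users file names a port firewall filter that is actually defined on the switch. It assumes the filter name is carried in the standard RADIUS Filter-Id attribute (this page does not name the attribute); the user names, filter names, password strings and MAC addresses are constructed samples.

```python
import re

# Constructed sample inputs (assumptions, not from the manual): a FreeRADIUS
# "users" file and switch configuration in Junos "set" format.
USERS_FILE = '''\
supplicant1  Cleartext-Password := "example-only"
        Filter-Id = "filter1"
supplicant2  Cleartext-Password := "example-only"
        Filter-Id = "filter2"
supplicant3  Cleartext-Password := "example-only"
        Session-Timeout = 3600
'''
SWITCH_CONFIG = '''\
set firewall family ethernet-switching filter filter1 term Supplicant1 from source-mac-address 00:00:5e:00:53:01
set firewall family ethernet-switching filter filter1 term Supplicant1 then count counter1
'''

FILTER_RE = re.compile(r"^set firewall family ethernet-switching filter (\S+) ", re.M)
FILTER_ID_RE = re.compile(r'^Filter-Id\s*:?\+?=\s*"?([^",\s]+)"?', re.I)

def defined_filters(config):
    """Names of port firewall filters present in the switch configuration."""
    return set(FILTER_RE.findall(config))

def user_filters(users_text):
    """Map each user profile to its Filter-Id reply value (None if absent)."""
    profiles, current = {}, None
    for raw in users_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line opens a profile
            current = line.split()[0]
            profiles[current] = None
        elif current is not None:                 # indented lines hold reply items
            for item in line.split(","):
                m = FILTER_ID_RE.match(item.strip())
                if m:
                    profiles[current] = m.group(1)
    return profiles

def audit(users_text, config):
    """Return (user, problem) pairs for profiles the filter would not cover."""
    known, findings = defined_filters(config), []
    for user, filt in user_filters(users_text).items():
        if filt is None:
            findings.append((user, "no Filter-Id in profile"))
        elif filt not in known:
            findings.append((user, f"Filter-Id {filt!r} not defined on switch"))
    return findings
```

Calling `audit(USERS_FILE, SWITCH_CONFIG)` on the sample data flags supplicant2, whose filter name has no match on the switch, and supplicant3, whose profile carries no filter at all.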
Copyright © 2010, Juniper Networks, Inc.
