Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2694

For ex series ethernet switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

This example describes how dynamic firewall filters are created for multiple supplicants on an 802.1X-enabled interface (the same principles shown in this example apply to interfaces enabled for MAC RADIUS authentication):

Requirements on page 2598
Overview and Topology on page 2598
Configuration on page 2600
Verification on page 2602

Requirements

This example uses the following hardware and software components:

Junos OS Release 9.5 or later for EX Series switches
One EX Series switch
One RADIUS authentication server. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you apply firewall filters to an interface for use with multiple supplicants, be sure you have:

Set up a connection between the switch and the RADIUS server. See "Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch" on page 2545.
Configured 802.1X authentication on the switch, with the authentication mode for interface ge-0/0/2 set to multiple. See "Configuring 802.1X Interface Settings (CLI Procedure)" on page 2609 and "Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch" on page 2568.
Configured users on the RADIUS authentication server.

Overview and Topology

When the 802.1X configuration on an interface is set to multiple supplicant mode, the system dynamically combines the interface firewall filter with the user policies sent to the switch from the RADIUS server during authentication and creates separate terms for each user. Because there are separate terms for each user authenticated on the interface, you can, as shown in this example, use counters to view the activities of individual users that are authenticated on the same interface.

When a new user (or a nonresponsive host) is authenticated on an interface, the system adds a term to the firewall filter associated with the interface, and the term (policy) for each user is associated with the MAC address of the user. The term for each user is based on the user-specific filters set on the RADIUS server and the filters configured on the interface. For example, as shown in Figure 59 on page 2599, when User1 is authenticated by the EX Series switch, the system creates the firewall filter dynamic-filter-example. When User2 is authenticated, another term is added to the firewall filter, and so on.
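
The per-user term behavior described above, modeled in Python as an added illustration (it is not Juniper's code and not part of the manual). The class and method names and the sample users, MAC addresses and policies are hypothetical. The model assumes that per-user terms are tried before the interface terms and that frames from unauthenticated MAC addresses are dropped.

```python
from dataclasses import dataclass, field

@dataclass
class Term:
    name: str
    match: dict        # header fields that must all equal the packet's
    action: str        # "accept" or "discard"
    counter: str = ""  # counter incremented on a match ("" = none)

    def hits(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class DynamicFilter:
    name: str
    interface_terms: list                           # configured on the port
    user_terms: list = field(default_factory=list)  # one per supplicant
    counters: dict = field(default_factory=dict)

    def authenticate(self, user, mac, radius_policy):
        # One new term per authenticated supplicant, bound to its MAC address.
        match = dict(radius_policy["match"], src_mac=mac.lower())
        term = Term(f"{user}-term", match, radius_policy["action"], f"{user}-count")
        self.user_terms.append(term)
        self.counters[term.counter] = 0

    def evaluate(self, pkt):
        # Assumptions: a MAC with no term is dropped; user terms run first.
        if pkt["src_mac"] not in {t.match["src_mac"] for t in self.user_terms}:
            return "discard"
        for t in self.user_terms + self.interface_terms:
            if t.hits(pkt):
                if t.counter:
                    self.counters[t.counter] += 1
                return t.action
        return "discard"

def demo():
    # Constructed sample data: users, MACs, addresses and policies are made up.
    f = DynamicFilter("dynamic-filter-example", [Term("allow-rest", {}, "accept")])
    u1, u2, rogue = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:99"
    f.authenticate("User1", u1, {"match": {"dst_ip": "192.0.2.16"}, "action": "discard"})
    f.authenticate("User2", u2, {"match": {"dst_ip": "192.0.2.17"}, "action": "discard"})
    traffic = [(u1, "192.0.2.16"), (u1, "192.0.2.17"), (u2, "192.0.2.17"),
               (u2, "192.0.2.17"), (rogue, "192.0.2.50")]
    verdicts = [f.evaluate({"src_mac": m, "dst_ip": d}) for m, d in traffic]
    return f, verdicts

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because each term carries its own counter, the two users' discards are tallied separately even though both sit behind the same port.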
Copyright © 2010, Juniper Networks, Inc.