Juniper JUNOS OS 10.3 - SOFTWARE Manual page 2711

Configuring Server Fail Fallback (CLI Procedure)
Copyright © 2010, Juniper Networks, Inc.
Server fail fallback allows you to specify how end devices connected to the switch are
supported if the RADIUS authentication server becomes unavailable or sends an Extensible
Authentication Protocol Over LAN (EAPOL) access-reject message.
802.1X and MAC RADIUS authentication work by using an authenticator port access entity
(the EX Series switch) to block all traffic to and from an end device at the interface until
the end device's credentials are presented and matched on the authentication server (a
RADIUS server). When the end device has been authenticated, the switch stops blocking
and opens the interface to the end device.
When you set up 802.1X or MAC RADIUS authentication on the switch, you specify a
primary authentication server and one or more backup authentication servers. If the
primary authentication server cannot be reached by the switch and the secondary
authentication servers are also unreachable, a RADIUS server timeout occurs. Because
the authentication server grants or denies access to the end devices awaiting
authentication, the switch does not receive access instructions for end devices attempting
access to the LAN and normal authentication cannot be completed. Server fail fallback
allows you to configure authentication alternatives that permit the switch to take
appropriate actions toward end devices awaiting authentication or reauthentication.
Chapter 83: Configuring Access Control
2615