Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4 (page 2748)
802.1X Authentication
802.1X is an IEEE standard for port-based network access control (PNAC). It provides an authentication mechanism to allow devices to access a LAN. The 802.1X authentication feature on an EX Series switch is based upon the IEEE 802.1D standard Port-Based Network Access Control.
The communication protocol between the end device and the switch is Extensible Authentication Protocol Over LAN (EAPOL). EAPOL is a version of EAP designed to work with Ethernet networks. The communication protocol between the authentication server and the switch is RADIUS.
During the authentication process, the switch completes multiple message exchanges between the end device and the authentication server. While 802.1X authentication is in process, only 802.1X traffic is allowed. Other traffic, such as DHCP and HTTP, is blocked at the data link layer.
NOTE: You can configure both the maximum number of times an EAPOL request packet is retransmitted and the timeout period between attempts. For information, see "Configuring 802.1X Interface Settings (CLI Procedure)" on page 2829.
An 802.1X authentication configuration for a LAN contains three basic components:
• Supplicant (also called end device)—Supplicant is the IEEE term for an end device that requests to join the network. The end device can be responsive or nonresponsive. A responsive end device is 802.1X-enabled and provides authentication credentials—specifically, a username and password for EAP-MD5, or a username and client certificates for EAP-TLS, EAP-TTLS, and EAP-PEAP. A nonresponsive end device is not 802.1X-enabled, but it can be authenticated through MAC RADIUS authentication.
• Authenticator port access entity—The IEEE term for the authenticator. The EX Series switch is the authenticator, and it controls access by blocking all traffic to and from end devices until they are authenticated.
• Authentication server—The authentication server contains the backend database that makes authentication decisions. It contains credential information for each end device that is allowed to connect to the network. The authenticator forwards credentials supplied by the end device to the authentication server. If the credentials forwarded by the authenticator match the credentials in the authentication server database, access is granted. If they do not match, access is denied. The EX Series switches support RADIUS authentication servers.
MAC RADIUS Authentication
You can configure MAC RADIUS authentication on interfaces that are connected to end devices that are not 802.1X-enabled but that you want to allow to access the LAN. The EAP method supported for MAC RADIUS authentication on EX Series switches is EAP-MD5.
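The following added example (not Juniper code or Junos configuration) models the authenticator behaviour described above: a controlled port that passes only EAPOL frames until authentication succeeds, an authentication server that verifies EAP-MD5 responses against a constructed credential database, and the MAC RADIUS fallback in which the switch answers EAP-MD5 on behalf of a nonresponsive device. The credential table, the MAC addresses, and the use of the MAC address (hex, no separators) as both username and password are assumptions of the example, not facts from the page.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E  # only EAPOL crosses a port that is not yet authenticated

# Constructed stand-in for the RADIUS server's backend database. "alice" is a responsive,
# 802.1X-enabled supplicant; the second entry is a nonresponsive device whose MAC address is
# assumed to serve as both username and password for MAC RADIUS authentication.
CREDENTIALS = {"alice": "s3cret", "001122334455": "001122334455"}


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame from hex MAC strings (constructed test input)."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 Response value: MD5(Identifier || password || challenge), as in RFC 3748 / CHAP."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def server_decision(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authentication server: access is granted only if the response matches the stored credential."""
    password = CREDENTIALS.get(username)
    if password is None:
        return False
    return hmac.compare_digest(eap_md5_response(identifier, password, challenge), response)


@dataclass
class AuthenticatorPort:
    """The switch side: a controlled port that starts out blocked."""
    authenticated: bool = False

    def forwards(self, frame: bytes) -> bool:
        """Data-link filter: before authentication only EAPOL (EtherType 0x888E) passes; DHCP, HTTP, etc. are dropped."""
        if len(frame) < 14:
            return False
        (ethertype,) = struct.unpack("!H", frame[12:14])
        return self.authenticated or ethertype == EAPOL_ETHERTYPE

    def authenticate_supplicant(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Relay a responsive supplicant's EAP-MD5 response to the server; open the port on accept."""
        self.authenticated = server_decision(username, identifier, challenge, response)
        return self.authenticated

    def authenticate_mac_radius(self, frame: bytes, identifier: int, challenge: bytes) -> bool:
        """Nonresponsive device: the switch completes EAP-MD5 itself with the source MAC as the credential."""
        mac = frame[6:12].hex()
        self.authenticated = server_decision(mac, identifier, challenge, eap_md5_response(identifier, mac, challenge))
        return self.authenticated
```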
Copyright © 2010, Juniper Networks, Inc.