Static Mac Bypass Of Authentication; Fallback Of Authentication Methods - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

Static MAC Bypass of Authentication

Fallback of Authentication Methods

Captive portal on EX Series switches has the following limitations:

• The captive portal interface must be configured for family ethernet-switching and set to port mode access.
• Captive portal does not support dynamic assignment of VLANs downloaded from the RADIUS server.
• If the user is idle for more than about 5 minutes and there is no traffic passed, the user must log back in to the captive portal.

Static MAC Bypass of Authentication

You can allow end devices to access the LAN without authentication on a RADIUS server by including their MAC addresses in the static MAC bypass list (also known as the exclusion list).

You might choose to include a device in the bypass list to:

• Allow non-802.1X-enabled devices access to the LAN.
• Eliminate the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host.

When you configure static MAC on the switch, the MAC address of the end device is first checked in a local database (a user-configured list of MAC addresses). If a match is found, the end device is successfully authenticated and the interface is opened up for it. No further authentication is done for that end device. If a match is not found and 802.1X authentication is enabled on the switch, the switch attempts to authenticate the end device through the RADIUS server.

For each MAC address, you can also configure the VLAN to which the end device is moved or the interfaces on which the host connects.
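
Because a match in the bypass list ends authentication for that device, the list is worth reviewing entry by entry. The following is an added example, not part of the Juniper manual: a Python audit that reports bypass entries with no interface or VLAN configured. It assumes the entries appear in `set` format under `protocols dot1x authenticator static` with optional `interface` and `vlan-assignment` options; the sample configuration, MAC addresses and VLAN names are constructed.

```python
import re

# Constructed sample in Junos "set" format (not taken from the manual).
# Assumption: bypass entries live under `protocols dot1x authenticator static`.
SAMPLE_CONFIG = """\
set protocols dot1x authenticator static 00:04:0f:fd:ac:fe
set protocols dot1x authenticator static 00:04:ae:cd:23:5f interface ge-0/0/5.0
set protocols dot1x authenticator static 00:04:ae:cd:23:5f vlan-assignment printers
set protocols dot1x authenticator static 00:11:22:33:44:55 vlan-assignment cameras
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant multiple
"""

STATIC_RE = re.compile(
    r"^set protocols dot1x authenticator static ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(.*)$",
    re.IGNORECASE,
)


def parse_bypass_list(config_text):
    """Return {mac: {"interfaces": set, "vlan": str or None}} for static entries."""
    entries = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static MAC bypass statement
        mac, rest = m.group(1).lower(), m.group(2).split()
        entry = entries.setdefault(mac, {"interfaces": set(), "vlan": None})
        # Options come as "<keyword> <value>" pairs, possibly several per line.
        for key, val in zip(rest[::2], rest[1::2]):
            if key == "interface":
                entry["interfaces"].add(val)
            elif key == "vlan-assignment":
                entry["vlan"] = val
    return entries


def audit_bypass_list(entries):
    """List (mac, finding) pairs for entries with no interface or VLAN set."""
    findings = []
    for mac, entry in sorted(entries.items()):
        if not entry["interfaces"]:
            findings.append((mac, "not restricted to an interface"))
        if entry["vlan"] is None:
            findings.append((mac, "no VLAN assignment"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit_bypass_list(parse_bypass_list(SAMPLE_CONFIG)):
        print(f"{mac}: {finding}")
```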

Fallback of Authentication Methods

You can configure multiple authentication methods on a single interface to enable fallback to another method if one method fails.

If an interface is configured in multiple supplicant mode, all end devices connecting through the interface must use either captive portal or a combination of 802.1X and MAC RADIUS; captive portal cannot be mixed with 802.1X or MAC RADIUS. Therefore, if there is already an end device on the interface that was authenticated through 802.1X or MAC RADIUS authentication, then additional end devices authenticating do not fall back to captive portal. If only 802.1X authentication or MAC RADIUS authentication is configured, some end devices can be authenticated using 802.1X and others can still be authenticated using MAC RADIUS.

Fallback of authentication methods occurs in the following order:

1. 802.1X authentication—If 802.1X is configured on the interface, the switch sends EAPOL requests to the end device and attempts to authenticate the end device

Copyright © 2010, Juniper Networks, Inc.
