How 802.1X Authentication Works - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet Switches

How 802.1X Authentication Works

Copyright © 2010, Juniper Networks, Inc.
through 802.1X authentication. If the end device does not respond to the EAP requests, the switch checks whether MAC RADIUS authentication is configured on the interface.

2. MAC RADIUS authentication—If MAC RADIUS authentication is configured on the interface, the switch sends the MAC RADIUS address of the end device to the authentication server. If MAC RADIUS authentication is not configured, the switch checks whether captive portal is configured on the interface.

3. Captive portal authentication—If captive portal is configured on the interface, the switch attempts to authenticate using this method after attempting any other configured authentication methods. If an end device is authenticated on the interface using captive portal, this becomes the active authentication method on the interface. When captive portal is the active authentication method, the switch falls back to 802.1X authentication if there are no sessions in the authenticated state and if the interface receives an EAP packet.

Related Documentation

802.1X for EX Series Switches Overview on page 2751
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations on an EX Series Switch on page 2788
Configuring 802.1X Interface Settings (CLI Procedure) on page 2829
Configuring MAC RADIUS Authentication (CLI Procedure) on page 2833
Configuring Captive Portal Authentication (CLI Procedure) on page 2848
Configuring Static MAC Bypass of Authentication (CLI Procedure) on page 2832
Authentication Process Flow for EX Series Switches on page 2753

IEEE 802.1X provides network edge security, protecting Ethernet LANs from unauthorized
user access.
802.1X authentication works by using an Authenticator Port Access Entity (the switch) to
block all traffic to and from a supplicant (end device) at the port until the supplicant's
credentials are presented and matched on the Authentication server (a RADIUS server).
When authenticated, the switch stops blocking traffic and opens the port to the supplicant.
The end device is authenticated in either single mode, single-secure mode, or multiple mode:

single—Authenticates only the first end device. All other end devices that connect later to the port are allowed full access without any further authentication. They effectively "piggyback" on the end device's authentication.

single-secure—Allows only one end device to connect to the port. No other end device is allowed to connect until the first logs out.
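
The fallback order and the single and single-secure modes described on this page, modelled as an added Python example (not taken from the Juniper manual). The function and class names are hypothetical; the model assumes 802.1X is enabled on the interface, that the RADIUS server accepts the first device, and that the port is blocked again after logout.

```python
# Added illustration, not Juniper code; every name here is hypothetical.
def attempt_order(responds_to_eap, mac_radius, captive_portal):
    """Methods the switch tries for one end device, in the order the text gives."""
    order = ["802.1X"]                      # EAP requests are sent first
    if not responds_to_eap:
        if mac_radius:
            order.append("mac-radius")
        if captive_portal:                  # tried after any other configured method
            order.append("captive-portal")
    return order

class Port:
    """Authenticator port in 'single' or 'single-secure' supplicant mode."""
    def __init__(self, mode):
        assert mode in ("single", "single-secure"), "mode not modelled"
        self.mode, self.authenticated = mode, None

    def authenticate(self, mac):
        """RADIUS accept assumed; only the first device is authenticated."""
        if self.authenticated is None:
            self.authenticated = mac
        return self.authenticated == mac

    def logout(self, mac):
        # Assumption: the port is blocked again once its supplicant logs out.
        if self.authenticated == mac:
            self.authenticated = None

    def allows(self, mac):
        """True if traffic from this MAC would be forwarded."""
        if self.authenticated is None:
            return False                    # blocked until a supplicant authenticates
        # Later devices piggyback in single mode and are refused in single-secure.
        return mac == self.authenticated or self.mode == "single"

def piggybackers(mode, events):
    """Replay (action, mac) events; return MACs forwarded without authenticating."""
    port, seen = Port(mode), []
    for action, mac in events:
        if action == "auth":
            port.authenticate(mac)
        elif action == "logout":
            port.logout(mac)
        elif port.allows(mac) and mac != port.authenticated and mac not in seen:
            seen.append(mac)
    return seen

# Constructed sample: two devices behind one port, only FIRST has credentials.
FIRST, LATER = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
EVENTS = [("traffic", LATER), ("auth", FIRST), ("traffic", LATER), ("logout", FIRST), ("traffic", LATER)]
```

Replaying EVENTS through piggybackers() for each mode shows the unauthenticated device gaining access only on the port in single mode.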
Chapter 87: 802.1X and MAC RADIUS Authentication Overview