Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 2859

Copyright © 2010, Juniper Networks, Inc.
NOTE: You can configure both the maximum number of times an
EAPOL request packet is retransmitted and the timeout period between
attempts. See "Configuring 802.1X Interface Settings (CLI Procedure)"
on page 2829.
If the end device does not respond to the EAP messages sent by the switch, the
d.
switch checks for MAC RADIUS configuration—skip to Step 4. If it does respond,
go on to step 5.
When an EAP request is received from the end device, the switch sends an
e.
authentication request message to the authentication server.
If the authentication server does not respond, the switch checks whether there is
a server fail VLAN configured. If there is a server fail VLAN, the switch performs the
configured server fail fallback operation. If there is no server fail VLAN, skip to Step
6.
The authentication server sends an access-accept or access-reject message. If
f.
the authentication server sends an access-reject message, skip to Step 8.
If the end device does not respond to the EAP messages, the switch checks whether
4.
MAC RADIUS authentication is configured on the interface. If it is not configured, skip
to Step 6.
If MAC RADIUS authentication is configured on the interface:
5.
The switch sends a MAC RADIUS authentication request to the authentication
a.
server. The switch sends only one such request.
If the authentication server does not respond, the switch checks whether there is
a server fail VLAN configured on the switch. If there is a server fail VLAN, the switch
performs the configured server fail fallback operation. If there is no server fail VLAN,
skip to Step 8.
The authentication server sends an access-accept or access-reject message. If
b.
the authentication server sends an access-reject message, go on to Step 6.
If MAC RADIUS authentication is not configured on the interface or if the authentication
6.
server responds with an access-reject message for MAC RADIUS authentication, the
switch checks whether captive portal is configured on the interface. If captive portal
is not configured on the interface, skip to Step 8.
If captive portal authentication is configured on the interface:
7.
The switch sends a request to the user on the end device for captive portal
a.
authentication information.
The switch sends the captive portal authentication information to the authentication
b.
server.
The authentication server sends an access-accept or access-reject message.
c.
If the server sends an access-reject message, go on to Step 8.
Chapter 87: 802.1X and MAC RADIUS Authentication Overview
2755