Understanding Dynamic Vlans For 802.1X On Ex Series Switches; Understanding Guest Vlans For 802.1X On Ex Series Switches - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual


Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

NOTE: If an end device is authenticated on the interface using captive
portal, this becomes the active authentication method on the interface.
When captive portal is the active authentication method, the switch falls
back to 802.1X authentication if there are no sessions in the authenticated
state and if the interface receives an EAP packet.

8. The switch checks whether there is a guest VLAN configured on the switch. If a guest
VLAN is configured, the switch allows the end device limited access to the LAN.

Related Documentation
- Configuring Server Fail Fallback (CLI Procedure)
- Understanding Server Fail Fallback and Authentication on EX Series Switches
- Understanding Guest VLANs for 802.1X on EX Series Switches
- Understanding Authentication on EX Series Switches
- Understanding Dynamic VLANs for 802.1X on EX Series Switches

Understanding Server Fail Fallback and Authentication on EX Series Switches

Server fail fallback allows you to specify how end devices connected to the switch are
supported if the RADIUS authentication server becomes unavailable or sends an Extensible
Authentication Protocol Over LAN (EAPOL) access-reject message.

Juniper Networks EX Series Ethernet Switches use authentication to implement access
control in an enterprise network. If 802.1X, MAC RADIUS, or captive portal authentication
is configured on the interface, end devices are evaluated at the initial connection by an
authentication (RADIUS) server. If the end device is configured on the authentication
server, the device is granted access to the LAN and the EX Series switch opens the
interface to permit access.

A RADIUS server timeout occurs if no RADIUS authentication servers are reachable when
an end device logs in and attempts to access the LAN. Server fail fallback allows you to
specify one of four actions to be taken toward end devices awaiting authentication when
the server is timed out:
- Permit authentication, allowing traffic to flow from the end device through the interface
  as if the end device were successfully authenticated by the RADIUS server.
- Deny authentication, preventing traffic from flowing from the end device through the
  interface. This is the default.
- Move the end device to a specified VLAN. (The VLAN must already exist on the switch.)
- Sustain authenticated end devices that already have LAN access and deny
  unauthenticated end devices. If the RADIUS servers time out during reauthentication,
  previously authenticated end devices are reauthenticated and new users are denied
  LAN access.
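
The audit script below is an added example, not part of the Juniper manual: it reads a switch configuration in set format and reports which of the four fallback actions each 802.1X interface uses, flagging fail-open ports and fallback VLANs that do not exist. It assumes the Junos server-fail statement (permit, deny, use-cache, vlan-name) under protocols dot1x authenticator interface, which this page does not show; the interface and VLAN names are constructed.

```python
import re

# Constructed sample in Junos "display set" form; interface and VLAN names are invented.
SAMPLE_CONFIG = """\
set vlans employees vlan-id 100
set vlans quarantine vlan-id 300
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail permit
set protocols dot1x authenticator interface ge-0/0/2.0 server-fail vlan-name quarantine
set protocols dot1x authenticator interface ge-0/0/3.0 server-fail vlan-name lab
set protocols dot1x authenticator interface ge-0/0/4.0 server-fail use-cache
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant multiple
"""

IFACE_RE = re.compile(r"^set protocols dot1x authenticator interface (\S+)(?: (.*))?$")
VLAN_RE = re.compile(r"^set vlans (\S+)")


def audit_server_fail(config_text):
    """Return {interface: (action, finding)} for every 802.1X interface."""
    vlans, actions = set(), {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := VLAN_RE.match(line):
            vlans.add(m.group(1))
        elif m := IFACE_RE.match(line):
            iface, rest = m.group(1), (m.group(2) or "").split()
            actions.setdefault(iface, ("deny", None))  # deny is the default action
            if rest[:1] == ["server-fail"] and len(rest) >= 2:
                actions[iface] = (rest[1], rest[2] if len(rest) > 2 else None)
    report = {}
    for iface, (action, vlan) in sorted(actions.items()):
        if action == "permit":
            finding = "FAIL-OPEN: unauthenticated devices get access during a RADIUS timeout"
        elif action == "vlan-name" and vlan not in vlans:
            finding = f"BROKEN: fallback VLAN {vlan!r} is not defined on the switch"
        elif action == "vlan-name":
            finding = f"OK: devices are moved to VLAN {vlan!r}; confirm it is restricted"
        elif action == "use-cache":
            finding = "OK: authenticated devices sustained, new devices denied"
        else:
            finding = "OK: fail-closed (deny)"
        report[iface] = (action, finding)
    return report


if __name__ == "__main__":
    for iface, (action, finding) in audit_server_fail(SAMPLE_CONFIG).items():
        print(f"{iface:12} {action:10} {finding}")
```
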
Copyright © 2010, Juniper Networks, Inc.
