Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 2861

Related
Documentation
Understanding Dynamic VLANs for 802.1X on EX Series Switches
Related
Documentation
Understanding Guest VLANs for 802.1X on EX Series Switches
Copyright © 2010, Juniper Networks, Inc.
Server fail fallback is triggered most often during reauthentication when the already
configured and in-use RADIUS server becomes inaccessible. However, server fail fallback
can also be triggered by an end device's first attempt at authentication through the
RADIUS server.
Server fail fallback allows you to specify that an end device be moved to a specified
VLAN if the switch receives an EAPOL accept-reject message. The configured VLAN
name overrides any attributes sent by the server.
802.1X for EX Series Switches Overview on page 2751
Example: Configuring 802.1X Authentication Options When the RADIUS Server is
Unavailable to an EX Series Switch on page 2769
Example: Setting Up 802.1X for Single Supplicant or Multiple Supplicant Configurations
on an EX Series Switch on page 2788
Configuring Server Fail Fallback (CLI Procedure) on page 2835
Configuring 802.1X Interface Settings (CLI Procedure) on page 2829
Dynamic VLANs, in conjunction with the 802.1X authentication process, provide secure
access to the LAN for end devices belonging to different VLANs on a single port.
When this feature is configured on the RADIUS server, an end device or user authenticating
on the RADIUS server is assigned to the VLAN configured for it. The end device or user
becomes a member of a VLAN dynamically after successful 802.1X authentication. For
information on configuring dynamic VLANs on your RADIUS server, see the documentation
for your RADIUS server.
Successful authentication requires that the VLAN ID or VLAN name exist on the switch
and match the VLAN ID or VLAN name sent by the RADIUS server during authentication.
If neither exists, the end device is unauthenticated. If a guest VLAN is established, the
unauthenticated end device is automatically moved to the guest VLAN.
Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to
Corporate Visitors on an EX Series Switch on page 2774
Understanding Guest VLANs for 802.1X on EX Series Switches on page 2757
Guest VLANs, in conjunction with 802.1X, MAC RADIUS, and captive portal authentication,
provide secure access to the LAN for corporate guests and for end devices that fail the
authentication process.
When a corporate visitor attempts to authenticate on the LAN and authentication fails,
the visitor is moved to a guest VLAN. A guest VLAN typically provides access only to the
Internet.
Chapter 87: 802.1X and MAC RADIUS Authentication Overview
2757