Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 2874

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

You use 802.1X to control network access. Only users and devices (supplicants) providing credentials that have been verified against a user database are allowed access to the network. You use a RADIUS server as the user database.

This example describes how to configure an interface to move a supplicant to a VLAN in the event of a RADIUS server timeout:

• Requirements on page 2770
• Overview and Topology on page 2770
• Configuration on page 2772
• Verification on page 2773

Requirements

This example uses the following hardware and software components:

• Junos OS Release 9.3 or later for EX Series switches
• One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
• One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

• Performed basic bridging and VLAN configuration on the switch. See "Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch" on page 1525.
• Set up a connection between the switch and the RADIUS server. See "Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch" on page 2765.
• Disabled firewall filters on the interface. Firewall filters interfere with server fail fallback operation.
• Configured users on the authentication server.

Overview and Topology

A RADIUS server timeout occurs if no authentication RADIUS servers are reachable when a supplicant logs in and attempts to access the LAN. Using server fail fallback, you can configure alternative options for supplicants attempting LAN access. You can configure the switch to accept or deny access to supplicants or to maintain the access already granted to supplicants before the RADIUS server timeout. Additionally, you can configure the switch to move supplicants to a specific VLAN if a RADIUS timeout occurs or if the RADIUS server sends an EAP Access-Reject message.

Figure 59 on page 2771 shows the topology used for this example. The RADIUS server is connected to the EX4200 switch on access port ge-0/0/10. The switch acts as the authenticator Port Access Entity (PAE) and forwards credentials from the supplicant to the user database on the RADIUS server. The switch blocks all traffic and acts as a control gate until the supplicant is authenticated
Copyright © 2010, Juniper Networks, Inc.
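
The following is an added example, not part of the Juniper manual: a Python check that reads a configuration in "set" format and reports what each 802.1X authenticator interface does when the RADIUS server times out, flagging fail-open ports and fallback VLANs that are not defined. The server-fail and "set vlans" statement forms are standard Junos syntax that this page does not show, and the interface and VLAN names in the sample are constructed.

```python
import re

# Constructed sample in Junos "set" format; interface and VLAN names are made up.
# Statement forms (server-fail ..., set vlans ...) are standard Junos syntax,
# assumed here because the Configuration section is not on this page.
SAMPLE_CONFIG = """\
set vlans vlan-sf vlan-id 50
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail vlan-name vlan-sf
set protocols dot1x authenticator interface ge-0/0/2.0 server-fail permit
set protocols dot1x authenticator interface ge-0/0/3.0 server-fail vlan-name quarantine
set protocols dot1x authenticator interface ge-0/0/4.0 server-fail use-cache
set protocols dot1x authenticator interface ge-0/0/5.0 supplicant multiple
"""

DOT1X = re.compile(r"^set protocols dot1x authenticator interface (\S+)(?: (.*))?$")
VLAN = re.compile(r"^set vlans (\S+)")
FINDINGS = {
    "permit": "fail-open: supplicants are granted access during a RADIUS timeout",
    "use-cache": "previously authenticated supplicants keep access during a RADIUS timeout",
    "deny": "fail-closed: supplicants are denied access during a RADIUS timeout",
}

def audit_server_fail(config_text):
    """Return {interface: finding} for every 802.1X authenticator interface."""
    vlans, policy = set(), {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := VLAN.match(line):
            vlans.add(m.group(1))
        elif m := DOT1X.match(line):
            ifname, rest = m.group(1), (m.group(2) or "").split()
            policy.setdefault(ifname, None)      # interface seen, no fallback yet
            if rest[:1] == ["server-fail"] and len(rest) >= 2:
                policy[ifname] = rest[1:]        # e.g. ["vlan-name", "vlan-sf"]
    report = {}
    for ifname, action in policy.items():
        if action is None:
            report[ifname] = "no server-fail statement: fallback is not set explicitly"
        elif action[0] == "vlan-name" and len(action) >= 2:
            report[ifname] = (f"moves supplicant to VLAN {action[1]}" if action[1] in vlans
                              else f"fallback VLAN {action[1]} is not defined under 'set vlans'")
        else:
            report[ifname] = FINDINGS.get(action[0], f"unrecognised action {action[0]}")
    return report

if __name__ == "__main__":
    for ifname, finding in audit_server_fail(SAMPLE_CONFIG).items():
        print(f"{ifname}: {finding}")
```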
