Ethernet 802.1X configuration – Juniper

In this topic, you will learn how to configure Juniper switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

Important:
This guide provides general instructions for integrating Portnox Cloud with specific third-party devices. While we aim to provide helpful examples for commonly used models, configurations may vary across manufacturers, models, and environments. As a result, we cannot guarantee that these steps will work in every scenario. For questions or issues related to RADIUS setup – which is an industry standard and not specific to Portnox – or device-specific settings and troubleshooting, we recommend consulting the device manufacturer’s documentation and contacting their support team. While Portnox Support is happy to assist where possible, please note that detailed configuration of third-party devices is typically best handled by the manufacturer.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.

Juno OS

This is a general configuration template for Juniper switches with the Juno OS operating system.

Note:
For more information, see Juniper documentation for Juno OS and RADIUS configuration.
  1. Add the Portnox Cloud RADIUS servers to the configuration. 
    [edit access]
    set radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    set radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Create a profile for RADIUS authentication and make RADIUS the first order among authentication methods.
    Note:
    In this example, we assumed that the profile that defines authentication is called portnox-auth.
    [edit access]
    set profile portnox-auth authentication-order radius
  3. Create a profile for 802.1X or MAC RADIUS authentication with Portnox Cloud servers.
    Note:
    In this example, we assumed that the profile that defines servers is called portnox-servers.
    [edit access profile portnox-servers]
    set radius authentication-server 20.119.69.248 52.232.122.157
  4. Specify the group of servers for authentication. 
    [edit]
    set protocols dot1x authenticator portnox-auth portnox-servers
  5. Configure the RADIUS server fail fallback, also known as critical auth VLAN.
    Note:
    If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    [edit protocols dot1x authenticator]
    set interface ge-0/0/1 server-fail permit

    With the permit setting, if the RADIUS server is unreachable, clients will be allowed access as if they were authenticated. Here are other options:

    • use-cache: If the RADIUS server is unreachable, only previously authenticated clients will be allowed access, new clients will be denied access.
    • vlan-name: If the RADIUS server is unreachable, clients will be allowed access but they will be moved to the vlan-name VLAN.
    • deny: If the RADIUS server is unreachable, all clients will be denied access.

Juno OS Evolved

This is a general configuration template for Juniper switches with the Juno OS Evolved operating system.

Note:
For more information, see Juniper documentation for Juno OS Evolved and RADIUS configuration.
  1. Set up authentication using Portnox Cloud RADIUS servers.

    Portnox Cloud US RADIUS server:

    [edit groups global system radius-server]
    set 20.119.69.248
    [edit groups global system radius-server 20.119.69.248]
    set port 10322
    set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

    Portnox Cloud EU RADIUS server:

    [edit groups global system radius-server]
    set 52.232.122.157
    [edit groups global system radius-server 52.232.122.157]
    set port 10476
    set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Define the order of authentication methods. 
    [edit groups global system]
    set authentication-order [ radius password ]
  3. Enable RADIUS accounting. 
    [edit]
    set system accounting destination radius
  4. Set up accounting using Portnox Cloud RADIUS servers.

    Portnox Cloud US RADIUS server:

    [edit system accounting destination radius]
    set 20.119.69.248
    [edit system accounting destination radius server 20.119.69.248]
    set accounting-port 10323
    set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

    Portnox Cloud EU RADIUS server:

    [edit system accounting destination radius]
    set 52.232.122.157
    [edit system accounting destination radius server 52.232.122.157]
    set accounting-port 10477
    set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  5. Enable 802.1X on the ports. 
    [edit interfaces]
    set interfaces ge-0/0/1.0 family ethernet-switching interface-mode access
    [edit protocols dot1x authenticator]
    set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple-supplicant
    set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 20.119.69.248
    set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 52.232.122.157

Juniper EX3200

This is a configuration template for Juniper EX3200 switches.

  1. Add the Portnox Cloud US RADIUS server. 
    edit access radius-server 20.119.69.248
    set port 10322 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  2. Add the Portnox Cloud EU RADIUS server. 
    edit access radius-server 52.232.122.157
    set port 10476 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  3. Enable 802.1X on the ports. 
    edit protocols
    set dot1x authenticator interface ge-0/0/1 mac-radius
    set dot1x authenticator interface ge-0/0/1 supplicant single
    Note:
    In this example, we used the setting mac-radius, which allows MAB authentication on the interface, and the setting supplicant single, which authenticates the first supplicant on the interface (does not let multiple devices authenticate using the same port, e.g., through a hub). Adjust these and other options as required for your environment by consulting Juniper documentation.

Juniper EX2300

This is a configuration template for Juniper EX2300 switches.

Note:
This configuration was tested on JUNOS 21.4R3-S5.4 Kernel 32-bit
  1. Add the Portnox Cloud US RADIUS server. 
    set access radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    set access radius-server 20.119.69.248 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    set access radius-server 20.119.69.248 source-address 10.0.0.1
  2. Add the Portnox Cloud EU RADIUS server. 
    set access radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
    set access radius-server 52.232.122.157 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
    set access radius-server 52.232.122.157 source-address 10.0.0.1
  3. Create a profile for RADIUS authentication and make RADIUS the first order among authentication methods. 
    set access profile PORTNOX authentication-order radius
    set access profile PORTNOX radius authentication-server 20.119.69.248
    set access profile PORTNOX radius authentication-server 52.232.122.157
  4. Configure the interfaces. 
    set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
    set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
    set protocols dot1x authenticator interface ge-0/0/1.0 server-fail permit
    Note:
    In this example, we used the setting mac-radius, which allows MAB authentication on the interface, and the setting supplicant multiple, which allows multiple devices to authenticate using the same port, e.g., through a hub. Adjust these and other options as required for your environment by consulting Juniper documentation.