Ethernet 802.1X configuration – Juniper

In this topic, you will learn how to configure Juniper switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

Important:

This guide gives general instructions for integrating Portnox Cloud with specific third-party devices. We try to provide useful examples for common models, but settings can differ between manufacturers, models, and environments. Because of this, we cannot guarantee these steps will work in every case. For questions or problems with RADIUS setup – which is an industry standard and not specific to Portnox – or with device-specific settings and troubleshooting, we recommend checking the device manufacturer’s documentation and contacting their support team. Portnox Support can help when possible, but detailed setup of third-party devices is usually best handled by the manufacturer. We also recommend updating your NAS device firmware to the latest version, as old firmware can cause issues.

Important:

All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.

Juno OS

This is a general configuration template for Juniper switches with the Juno OS operating system.

Note:

For more information, see Juniper documentation for Juno OS and RADIUS configuration.

Add the Portnox Cloud RADIUS servers to the configuration.

[edit access]

set radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

set radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

Create a profile for RADIUS authentication and make RADIUS the first order among authentication methods.
Note:
In this example, we assumed that the profile that defines authentication is called portnox-auth.
```
[edit access]
```
```
set profile portnox-auth authentication-order radius
```
Create a profile for 802.1X or MAC RADIUS authentication with Portnox Cloud servers.
Note:
In this example, we assumed that the profile that defines servers is called portnox-servers.
```
[edit access profile portnox-servers]
```
```
set radius authentication-server 20.119.69.248 52.232.122.157
```

Specify the group of servers for authentication.

[edit]

set protocols dot1x authenticator portnox-auth portnox-servers

Configure the RADIUS server fail fallback, also known as critical auth VLAN.
Note:
If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
```
[edit protocols dot1x authenticator]
```
```
set interface ge-0/0/1 server-fail permit
```
With the permit setting, if the RADIUS server is unreachable, clients will be allowed access as if they were authenticated. Here are other options:
- use-cache: If the RADIUS server is unreachable, only previously authenticated clients will be allowed access, new clients will be denied access.
- vlan-name: If the RADIUS server is unreachable, clients will be allowed access but they will be moved to the vlan-name VLAN.
- deny: If the RADIUS server is unreachable, all clients will be denied access.

Juno OS Evolved

This is a general configuration template for Juniper switches with the Juno OS Evolved operating system.

Note:

For more information, see Juniper documentation for Juno OS Evolved and RADIUS configuration.

Set up authentication using Portnox Cloud RADIUS servers.

Portnox Cloud US RADIUS server:

[edit groups global system radius-server]

set 20.119.69.248

[edit groups global system radius-server 20.119.69.248]

set port 10322

set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

Portnox Cloud EU RADIUS server:

[edit groups global system radius-server]

set 52.232.122.157

[edit groups global system radius-server 52.232.122.157]

set port 10476

set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

Define the order of authentication methods.

[edit groups global system]

set authentication-order [ radius password ]

Enable RADIUS accounting.

[edit]

set system accounting destination radius

Set up accounting using Portnox Cloud RADIUS servers.

Portnox Cloud US RADIUS server:

[edit system accounting destination radius]

set 20.119.69.248

[edit system accounting destination radius server 20.119.69.248]

set accounting-port 10323

set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

Portnox Cloud EU RADIUS server:

[edit system accounting destination radius]

set 52.232.122.157

[edit system accounting destination radius server 52.232.122.157]

set accounting-port 10477

set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

Enable 802.1X on the ports.

[edit interfaces]

set interfaces ge-0/0/1.0 family ethernet-switching interface-mode access

[edit protocols dot1x authenticator]

set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple-supplicant

set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 20.119.69.248

set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 52.232.122.157

Juniper EX3200

This is a configuration template for Juniper EX3200 switches.

Add the Portnox Cloud US RADIUS server.

edit access radius-server 20.119.69.248

set port 10322 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

Add the Portnox Cloud EU RADIUS server.

edit access radius-server 52.232.122.157

set port 10476 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

Enable 802.1X on the ports.
```
edit protocols
```
```
set dot1x authenticator interface ge-0/0/1 mac-radius
```
```
set dot1x authenticator interface ge-0/0/1 supplicant single
```
Note:
In this example, we used the setting mac-radius, which allows MAB authentication on the interface, and the setting supplicant single, which authenticates the first supplicant on the interface (does not let multiple devices authenticate using the same port, e.g., through a hub). Adjust these and other options as required for your environment by consulting Juniper documentation.

Juniper EX2300

This is a configuration template for Juniper EX2300 switches.

Note:

This configuration was tested on JUNOS 21.4R3-S5.4 Kernel 32-bit

Add the Portnox Cloud US RADIUS server.

set access radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

set access radius-server 20.119.69.248 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

set access radius-server 20.119.69.248 source-address 10.0.0.1

Add the Portnox Cloud EU RADIUS server.

set access radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

set access radius-server 52.232.122.157 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

set access radius-server 52.232.122.157 source-address 10.0.0.1

Create a profile for RADIUS authentication and make RADIUS the first order among authentication methods.

set access profile PORTNOX authentication-order radius

set access profile PORTNOX radius authentication-server 20.119.69.248

set access profile PORTNOX radius authentication-server 52.232.122.157

Configure the interfaces.
```
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
```
```
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
```
```
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail permit
```
Note:
In this example, we used the setting mac-radius, which allows MAB authentication on the interface, and the setting supplicant multiple, which allows multiple devices to authenticate using the same port, e.g., through a hub. Adjust these and other options as required for your environment by consulting Juniper documentation.