Ethernet 802.1X configuration – Juniper
In this topic, you will learn how to configure Juniper switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.
Juno OS
This is a general configuration template for Juniper switches with the Juno OS operating system.
-
Add the Portnox Cloud RADIUS servers to the configuration.
[edit access]
set radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
set radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Create a profile for RADIUS authentication and make RADIUS the first order among authentication methods.
Note: In this example, we assumed that the profile that defines authentication is called portnox-auth.
[edit access]
set profile portnox-auth authentication-order radius
-
Create a profile for 802.1X or MAC RADIUS authentication with Portnox Cloud servers.
Note: In this example, we assumed that the profile that defines servers is called portnox-servers.
[edit access profile portnox-servers]
set radius authentication-server 20.119.69.248 52.232.122.157
-
Specify the group of servers for authentication.
[edit]
set protocols dot1x authenticator portnox-auth portnox-servers
-
Configure the RADIUS server fail fallback, also known as critical auth VLAN.
Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
[edit protocols dot1x authenticator]
set interface ge-0/0/1 server-fail permit
With the permit setting, if the RADIUS server is unreachable, clients will be allowed access as if they were authenticated. Here are other options:
- use-cache: If the RADIUS server is unreachable, only previously authenticated clients will be allowed access, new clients will be denied access.
- vlan-name: If the RADIUS server is unreachable, clients will be allowed access but they will be moved to the vlan-name VLAN.
- deny: If the RADIUS server is unreachable, all clients will be denied access.
Juno OS Evolved
This is a general configuration template for Juniper switches with the Juno OS Evolved operating system.
-
Set up authentication using Portnox Cloud RADIUS servers.
Portnox Cloud US RADIUS server:
[edit groups global system radius-server]
set 20.119.69.248
[edit groups global system radius-server 20.119.69.248]
set port 10322
set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
Portnox Cloud EU RADIUS server:
[edit groups global system radius-server]
set 52.232.122.157
[edit groups global system radius-server 52.232.122.157]
set port 10476
set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Define the order of authentication methods.
[edit groups global system]
set authentication-order [ radius password ]
-
Enable RADIUS accounting.
[edit]
set system accounting destination radius
-
Set up accounting using Portnox Cloud RADIUS servers.
Portnox Cloud US RADIUS server:
[edit system accounting destination radius]
set 20.119.69.248
[edit system accounting destination radius server 20.119.69.248]
set accounting-port 10323
set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
Portnox Cloud EU RADIUS server:
[edit system accounting destination radius]
set 52.232.122.157
[edit system accounting destination radius server 52.232.122.157]
set accounting-port 10477
set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Enable 802.1X on the ports.
[edit interfaces]
set interfaces ge-0/0/1.0 family ethernet-switching interface-mode access
[edit protocols dot1x authenticator]
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple-supplicant
set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 20.119.69.248
set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 52.232.122.157
Juniper EX3200
This is a configuration template for Juniper EX3200 switches.
-
Add the Portnox Cloud US RADIUS server.
edit access radius-server 20.119.69.248
set port 10322 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
-
Add the Portnox Cloud EU RADIUS server.
edit access radius-server 52.232.122.157
set port 10476 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Enable 802.1X on the ports.
edit protocols
set dot1x authenticator interface ge-0/0/1 mac-radius
set dot1x authenticator interface ge-0/0/1 supplicant single
Note: In this example, we used the setting mac-radius, which allows MAB authentication on the interface, and the setting supplicant single, which authenticates the first supplicant on the interface (does not let multiple devices authenticate using the same port, e.g., through a hub). Adjust these and other options as required for your environment by consulting Juniper documentation.