Ethernet 802.1X configuration – Juniper

In this topic, you will learn how to configure Juniper switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

Warning: This topic contains documentation prepared by our support agents more than 12 months ago. It may not cover the newest models or the newest interfaces of NAS devices. We’re working on bringing you updated documentation for NAS devices in the near future. However, the methods of setting up third-party devices may still change when the manufacturers update their firmware or release new models. Therefore, to get the most accurate and current configuration guidance, we strongly recommend that you refer to the documentation provided by the manufacturer. If you need help setting up newer equipment that does not match the description in this topic, contact us at support@portnox.com.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.

Junos OS

This is a general configuration template for Juniper switches running the Junos OS operating system.

  1. Add the Portnox Cloud RADIUS servers to the configuration.
    [edit access]
    set radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
    set radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Create a profile for RADIUS authentication and make RADIUS the first method in the authentication order.
    Note: In this example, we assumed that the profile that defines authentication is called portnox-auth.
    [edit access]
    set profile portnox-auth authentication-order radius
  3. Create a profile for 802.1X or MAC RADIUS authentication with Portnox Cloud servers.
    Note: In this example, we assumed that the profile that defines servers is called portnox-servers.
    [edit access profile portnox-servers]
    set radius authentication-server 20.119.69.248 52.232.122.157
  4. Specify the group of servers for authentication.
    [edit]
    set protocols dot1x authenticator portnox-auth portnox-servers
  5. Configure the RADIUS server fail fallback, also known as critical auth VLAN.
    Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    [edit protocols dot1x authenticator]
    set interface ge-0/0/1 server-fail permit

    With the permit setting, if the RADIUS server is unreachable, clients are allowed access as if they were authenticated, which means the port fails open. The other options are:

    • use-cache: If the RADIUS server is unreachable, only previously authenticated clients will be allowed access; new clients will be denied access.
    • vlan-name: If the RADIUS server is unreachable, clients will be allowed access but they will be moved to the vlan-name VLAN.
    • deny: If the RADIUS server is unreachable, all clients will be denied access.
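
The server-fail options above decide whether a port fails open or closed during a RADIUS outage. The following Python script is an added example, not part of the original Portnox or Juniper documentation: it reads configuration in `display set` form and classifies each 802.1X port by its server-fail action. The sample configuration and the VLAN name critical-auth are constructed for illustration.

```python
import re

# Constructed sample in `show configuration | display set` form (not from a real device).
# The VLAN name "critical-auth" is an assumption made for this example.
SAMPLE_CONFIG = """\
set protocols dot1x authenticator interface ge-0/0/1 server-fail permit
set protocols dot1x authenticator interface ge-0/0/2 server-fail vlan-name critical-auth
set protocols dot1x authenticator interface ge-0/0/3 server-fail use-cache
set protocols dot1x authenticator interface ge-0/0/4 server-fail deny
set protocols dot1x authenticator interface ge-0/0/5 supplicant single
"""

IFACE_RE = re.compile(r"^set protocols dot1x authenticator interface (\S+)(?:\s+(.+))?$")

# server-fail action keyword -> what happens on the port while RADIUS is unreachable
VERDICTS = {
    "permit": "FAIL_OPEN",           # everyone is admitted as if authenticated
    "vlan-name": "RESTRICTED_VLAN",  # clients are moved to the named VLAN
    "use-cache": "CACHED_ONLY",      # only previously authenticated clients
    "deny": "FAIL_CLOSED",           # nobody is admitted
}

def audit_server_fail(config_text):
    """Map each dot1x authenticator interface to (server-fail action, verdict)."""
    actions = {}
    for line in config_text.splitlines():
        match = IFACE_RE.match(line.strip())
        if not match:
            continue
        iface, args = match.group(1), (match.group(2) or "").split()
        actions.setdefault(iface, None)  # remember ports that never set server-fail
        if len(args) >= 2 and args[0] == "server-fail":
            # vlan-name takes the VLAN as a second word; keep it in the report
            actions[iface] = " ".join(args[1:3]) if args[1] == "vlan-name" else args[1]
    report = {}
    for iface, action in actions.items():
        keyword = action.split()[0] if action else None
        report[iface] = (action, VERDICTS.get(keyword, "UNSET" if action is None else "UNKNOWN"))
    return report

def fail_open_ports(report):
    """Ports that admit unauthenticated clients during a RADIUS outage."""
    return sorted(i for i, (_, verdict) in report.items() if verdict == "FAIL_OPEN")

if __name__ == "__main__":
    for iface, (action, verdict) in sorted(audit_server_fail(SAMPLE_CONFIG).items()):
        print(f"{iface:10} {action or '-':25} {verdict}")
```

Ports reported as UNSET have no server-fail statement, so the device default applies; confirm that default in the Juniper documentation for your release.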

Junos OS Evolved

This is a general configuration template for Juniper switches running the Junos OS Evolved operating system.

  1. Set up authentication using Portnox Cloud RADIUS servers.

    Portnox Cloud US RADIUS server:

    [edit groups global system radius-server]
    set 20.119.69.248
    [edit groups global system radius-server 20.119.69.248]
    set port 10322
    set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

    Portnox Cloud EU RADIUS server:

    [edit groups global system radius-server]
    set 52.232.122.157
    [edit groups global system radius-server 52.232.122.157]
    set port 10476
    set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  2. Define the order of authentication methods.
    [edit groups global system]
    set authentication-order [ radius password ]
  3. Enable RADIUS accounting.
    [edit]
    set system accounting destination radius
  4. Set up accounting using Portnox Cloud RADIUS servers.

    Portnox Cloud US RADIUS server:

    [edit system accounting destination radius]
    set 20.119.69.248
    [edit system accounting destination radius server 20.119.69.248]
    set accounting-port 10323
    set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1

    Portnox Cloud EU RADIUS server:

    [edit system accounting destination radius]
    set 52.232.122.157
    [edit system accounting destination radius server 52.232.122.157]
    set accounting-port 10477
    set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  5. Enable 802.1X on the ports.
    [edit]
    set interfaces ge-0/0/1.0 family ethernet-switching interface-mode access
    [edit]
    set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple-supplicant
    set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 20.119.69.248
    set protocols dot1x authenticator interface ge-0/0/1.0 radius-authentication-server 52.232.122.157

Juniper EX3200

This is a configuration template for Juniper EX3200 switches.

  1. Add the Portnox Cloud US RADIUS server.
    edit access radius-server 20.119.69.248
    set port 10322 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  2. Add the Portnox Cloud EU RADIUS server.
    edit access radius-server 52.232.122.157
    set port 10476 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  3. Enable 802.1X on the ports.
    edit protocols
    set dot1x authenticator interface ge-0/0/1 mac-radius
    set dot1x authenticator interface ge-0/0/1 supplicant single
    Note: In this example, we used the setting mac-radius, which allows MAB authentication on the interface, and the setting supplicant single, which authenticates the first supplicant on the interface (does not let multiple devices authenticate using the same port, e.g., through a hub). Adjust these and other options as required for your environment by consulting Juniper documentation.