Ethernet 802.1X configuration – Juniper
In this topic, you will learn how to configure Juniper switches to work with Portnox™ Cloud as the 802.1X RADIUS server for Ethernet connections.
Junos OS
This is a general configuration template for Juniper switches running the Junos OS operating system.
-
Add the Portnox Cloud RADIUS servers to the configuration.
Note: The addresses and ports are those of the Portnox Cloud US and EU RADIUS servers; the secrets shown are example values. Use the shared secret that Portnox Cloud shows for your own account, and treat it as a credential: it is what authenticates the switch to the RADIUS server and protects the User-Password attribute and the response authenticator.
[edit access]
set radius-server 20.119.69.248 port 10322 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
set radius-server 52.232.122.157 port 10476 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Create an access profile that makes RADIUS the first (and only) authentication method and lists the Portnox Cloud servers it should use. In Junos, the authentication order and the server list live in the same access profile, and the 802.1X authenticator references that single profile by name.
Note: In this example, we assumed that the access profile is called portnox-auth.
[edit access profile portnox-auth]
set authentication-order radius
set radius authentication-server [ 20.119.69.248 52.232.122.157 ]
-
Point the 802.1X authenticator at the profile.
[edit]
set protocols dot1x authenticator authentication-profile-name portnox-auth
-
Configure the RADIUS server fail fallback, also known as the critical auth VLAN.
Note: If, for any reason, your NAS device is temporarily unable to reach the Portnox Cloud RADIUS servers (for example, during an Internet connection failure), the server-fail action decides what happens to client devices attempting 802.1X authentication on the port. Assigning them to a dedicated VLAN with access to only a limited set of resources lets your network administrators maintain client connectivity without opening the whole network while the servers are down.
[edit protocols dot1x authenticator]
set interface ge-0/0/1.0 server-fail permit
With the permit setting, if the RADIUS server is unreachable, clients are allowed access as if they had been authenticated. This is the fail-open choice: anyone who can cut the switch off from the RADIUS servers gets onto the network unauthenticated. The other options are:
- use-cache: If the RADIUS server is unreachable, only clients that were previously authenticated on the port are allowed access; new clients are denied.
- vlan-name <vlan>: If the RADIUS server is unreachable, clients are allowed access but are placed in the named VLAN, which must already exist under [edit vlans]. This is the critical auth VLAN referred to above and is the option to use when some connectivity must survive an outage.
- deny: If the RADIUS server is unreachable, all clients are denied access (fail closed).
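The Junos OS template above, collected as a single set of commands entered from the top of the configuration hierarchy, with the fail-open server-fail permit replaced by a critical auth VLAN and RADIUS accounting enabled. This is an added example, not part of the original template: the VLAN name portnox-critical and its tag 999, the choice of ge-0/0/1 as the access port, and the use of MAC RADIUS alongside 802.1X are assumptions for illustration. Lines beginning with # are annotations for the reader, not commands.

```junos
# Junos OS: complete 802.1X configuration for Portnox Cloud (added example).
# Assumed for illustration: VLAN portnox-critical / tag 999, access port ge-0/0/1.
# Replace the secrets with the values shown for your own Portnox Cloud account.

# RADIUS servers (US and EU) with authentication and accounting ports
set access radius-server 20.119.69.248 port 10322 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
set access radius-server 52.232.122.157 port 10476 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt

# One access profile: RADIUS for authentication and accounting, both servers listed
set access profile portnox-auth authentication-order radius
set access profile portnox-auth radius authentication-server [ 20.119.69.248 52.232.122.157 ]
set access profile portnox-auth accounting order radius
set access profile portnox-auth radius accounting-server [ 20.119.69.248 52.232.122.157 ]

# Critical auth VLAN: a restricted VLAN used only while the RADIUS servers are unreachable
set vlans portnox-critical vlan-id 999

# Access port
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access

# 802.1X authenticator: use the profile, authenticate every device on the port
# individually, fall back to MAC RADIUS for devices without a supplicant, and
# fail into the critical VLAN instead of failing open with "server-fail permit"
set protocols dot1x authenticator authentication-profile-name portnox-auth
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail vlan-name portnox-critical
commit

# After commit, in operational mode: confirm the port's state, the server-fail
# action and the supplicant mode, check RADIUS request/response counters, and
# list devices whose authentication was rejected
show dot1x interface ge-0/0/1.0 detail
show network-access aaa statistics radius
show dot1x authentication-failed-users
```

The difference between this and the template's permit setting is what happens during a cloud or WAN outage: with vlan-name, unauthenticated devices land in a VLAN you control (and can firewall to the bare minimum), whereas with permit they receive the port's normal access with no authentication at all.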
Junos OS Evolved
This is a general configuration template for Juniper switches running the Junos OS Evolved operating system. The access and dot1x hierarchies are the same as in Junos OS; this template additionally enables RADIUS accounting, so each server is configured with both its authentication port and its accounting port.
Note: The system radius-server and system authentication-order statements control RADIUS authentication of administrative logins to the switch itself, not 802.1X port authentication, so they are not used here.
-
Add the Portnox Cloud RADIUS servers.
Portnox Cloud US RADIUS server:
[edit access radius-server 20.119.69.248]
set port 10322
set accounting-port 10323
set secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
Portnox Cloud EU RADIUS server:
[edit access radius-server 52.232.122.157]
set port 10476
set accounting-port 10477
set secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Create an access profile, define the order of authentication methods, and list the servers it should use.
Note: In this example, we assumed that the access profile is called portnox-auth.
[edit access profile portnox-auth]
set authentication-order radius
set radius authentication-server [ 20.119.69.248 52.232.122.157 ]
-
Enable RADIUS accounting in the same profile.
[edit access profile portnox-auth]
set accounting order radius
set radius accounting-server [ 20.119.69.248 52.232.122.157 ]
-
Enable 802.1X on the ports. The authenticator references the access profile by name; the supplicant multiple setting authenticates each device on the port individually.
[edit]
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set protocols dot1x authenticator authentication-profile-name portnox-auth
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
Juniper EX3200
This is a configuration template for Juniper EX3200 switches.
-
Add the Portnox Cloud US RADIUS server.
[edit access radius-server 20.119.69.248]
set port 10322 accounting-port 10323 secret rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
-
Add the Portnox Cloud EU RADIUS server.
[edit access radius-server 52.232.122.157]
set port 10476 accounting-port 10477 secret fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
-
Create an access profile that uses both servers and attach it to the 802.1X authenticator.
Note: In this example, we assumed that the access profile is called portnox-auth.
[edit]
set access profile portnox-auth authentication-order radius
set access profile portnox-auth radius authentication-server [ 20.119.69.248 52.232.122.157 ]
set protocols dot1x authenticator authentication-profile-name portnox-auth
-
Enable 802.1X on the ports.
[edit protocols dot1x authenticator]
set interface ge-0/0/1.0 mac-radius
set interface ge-0/0/1.0 supplicant single
Note: In this example, we used the setting mac-radius, which enables MAC RADIUS (MAB) authentication on the interface for devices that have no 802.1X supplicant, and the setting supplicant single, which authenticates only the first supplicant on the interface. Be aware that in single mode any further devices on the same port (for example, behind a hub) are granted access on the strength of that first authentication without being authenticated themselves. Use supplicant single-secure to allow exactly one device on the port, or supplicant multiple to authenticate every device individually. Adjust these and other options as required for your environment by consulting the Juniper documentation.