Specifying RADIUS Server Connections on an EX Series Switch (CLI Procedure)
IEEE 802.1X and MAC RADIUS authentication both provide network edge security,
protecting Ethernet LANs from unauthorized user access by blocking all traffic to and
from devices at the interface until the supplicant's credentials or MAC address are
presented and matched on the authentication server (a RADIUS server). When the
supplicant is authenticated, the switch stops blocking access and opens the interface
to the supplicant.
To use 802.1X or MAC RADIUS authentication, you must specify the connections on the
switch for each RADIUS server to which you will connect.
To configure a RADIUS server on the switch:
1. Define the IP address of the RADIUS server, the RADIUS server authentication port
number, and the secret password. You can define more than one RADIUS server. The
secret password on the switch must match the secret password on the server:
[edit access]
user@switch# set radius-server 10.0.0.100 port 1812 secret abc
NOTE: Specifying the authentication port is optional, and port 1812 is the
default. However, we recommend that you configure it in order to avoid
confusion as some RADIUS servers might refer to an older default.
2. (Optional) Specify the IP address by which the switch is identified by the RADIUS
server. If you do not specify this, the RADIUS server uses the address of the interface
sending the RADIUS request. We recommend that you specify this IP address because
if the request gets diverted on an alternate route to the RADIUS server, the interface
relaying the request might not be an interface on the switch.
[edit access]
user@switch# set radius-server 10.0.0.100 source-address 10.93.14.100
3. Configure the authentication order, making radius the first method of authentication:
[edit access]
user@switch# set profile profile1 authentication-order radius
4. Create a profile and specify the list of RADIUS servers to be associated with the profile.
For example, you might choose to group your RADIUS servers geographically by city.
This feature enables easy modification whenever you want to change to a different
set of authentication servers.
[edit access profile]
user@switch# set atlanta radius authentication-server 10.0.0.100 10.2.14.200
5. Specify the group of servers to be used for 802.1X or MAC RADIUS authentication by
identifying the profile name:
[edit]
user@switch# set protocols dot1x authenticator authentication-profile-name denver
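An added example, not part of the Juniper guide: a Python check that cross-references the statements from steps 1 through 5 before they are committed, so that a profile name or server address that does not resolve is caught on paper rather than as failed authentications at the port. The sample input is constructed from the example values in the steps, written as top-level set commands; the function name and the 16-character secret threshold are assumptions.

```python
# Constructed input: the values from steps 1-5 as top-level "set" commands.
# Secrets are cleartext as typed, not the $9$ form Junos stores after commit.
SAMPLE = """\
set access radius-server 10.0.0.100 port 1812
set access radius-server 10.0.0.100 secret abc
set access radius-server 10.0.0.100 source-address 10.93.14.100
set access profile profile1 authentication-order radius
set access profile atlanta radius authentication-server 10.0.0.100 10.2.14.200
set protocols dot1x authenticator authentication-profile-name denver
"""
MIN_SECRET_LEN = 16  # assumption: local policy threshold, not a Junos limit

def _values(tokens):
    """Drop the [ ] that Junos accepts around multi-value lists."""
    return [t for t in tokens if t not in ("[", "]")]

def audit(config):
    """Return a list of findings for RADIUS-related set commands."""
    servers, profiles, dot1x, findings = {}, {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "access", "radius-server"] and len(tok) >= 6:
            servers.setdefault(tok[3], {})[tok[4]] = tok[5]
        elif tok[:3] == ["set", "access", "profile"] and len(tok) >= 6:
            prof = profiles.setdefault(tok[3], {"order": [], "servers": []})
            if tok[4] == "authentication-order":
                prof["order"] += _values(tok[5:])
            elif tok[4:6] == ["radius", "authentication-server"]:
                prof["servers"] += _values(tok[6:])
        elif tok[:5] == ["set", "protocols", "dot1x", "authenticator",
                         "authentication-profile-name"] and len(tok) == 6:
            dot1x.append(tok[5])
    for addr, opts in sorted(servers.items()):
        if len(opts.get("secret", "")) < MIN_SECRET_LEN:
            findings.append(f"{addr}: secret missing or shorter than {MIN_SECRET_LEN}")
        for key in ("port", "source-address"):  # both recommended in steps 1-2
            if key not in opts:
                findings.append(f"{addr}: {key} not set explicitly")
    for name, prof in sorted(profiles.items()):
        if prof["servers"] and prof["order"][:1] != ["radius"]:
            findings.append(f"profile {name}: radius is not first in authentication-order")
        for addr in prof["servers"]:
            if addr not in servers:
                findings.append(f"profile {name}: server {addr} has no radius-server entry")
    for name in dot1x:
        if name not in profiles:
            findings.append(f"dot1x: authentication profile {name} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the sample, the check reports the short secret and the places where a profile name or server address used in one step is not defined by another.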
Copyright © 2010, Juniper Networks, Inc.
Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3