9.2.3.13. Juniper

9.2.3.13.1. EX4200-48PX

Firmware: Junos OS Release 15.1R5.5

Administration Portal > ON CMDB > Network Devices Brand/Model: Juniper/EX4200

9.2.3.13.1.1. Basic Configuration

Basic interface configuration (a port is administratively disabled with the disable flag and re-enabled by deleting that flag; Junos has no enable keyword)

root# set interfaces <interface> disable
root# delete interfaces <interface> disable
root# set interfaces <interface> unit <unit-number> family <ccc|inet|inet6|iso|mpls|ethernet-switching>
root# set interfaces <interface> unit <unit-number> family ethernet-switching port-mode <access|tagged-access|trunk>

VLAN configuration

root# set vlans <vlan_name> vlan-id <vlan_id>
root# edit interfaces
root# set <interface> unit <unit_number> family <family_type> vlan members <vlan_name>
root# set <interface> unit <unit_number> family <family_type> port-mode <access|tagged-access|trunk>

9.2.3.13.1.2. RADIUS Global Configuration

To use 802.1X or MAC authentication, you must define on the switch a connection to each RADIUS server it will use. Define the RADIUS servers used for authentication and the access profile that references them:

root# edit access
root# set radius-server <Radius_Server_IP> port 1812 accounting-port 1813 secret <Radius_Shared_Key>
root# set radius-server <Radius_Server_IP> timeout <timeInSeconds> retry <retryAttempts>
root# set profile openNAC authentication-order <none|ldap|password|radius|s6a|securid>
root# set profile openNAC radius authentication-server <server-ip> accounting-server <server-ip>

802.1X

root# edit protocols dot1x
root# set authenticator interface <interface-name> supplicant multiple
root# set authenticator interface <interface-name> reauthentication interval <seconds>
root# set authenticator interface <interface-name> supplicant-timeout <seconds>
root# set authenticator interface <interface-name> server-timeout <seconds>
root# set authenticator interface <interface-name> transmit-period <seconds>
root# set authenticator interface <interface-name> maximum-requests <number>
root# set authenticator interface <interface-name> retries <number>
root# set authentication-order [ dot1x | mac-radius ]

MAC Authentication

root# edit protocols
root# set dot1x authenticator interface <interface> mac-radius authentication-protocol pap
root# set dot1x authenticator interface <interface> mac-radius restrict

9.2.3.13.1.3. Dot1x Features

Default VLAN

The default VLAN is the one assigned when the OpenNAC Enterprise policy is configured to return the default VLAN. On EX Series switches the default VLAN is called the native VLAN: untagged packets arriving on a trunk or tagged-access interface belong to it.

root# edit interfaces
root# set <interface> unit <unit-number> family ethernet-switching native-vlan-id <id>

Critical VLAN

The critical VLAN is the one in which connections are placed when no RADIUS server is available for authorization. The 802.1X critical VLAN on a port accommodates 802.1X users whose authentication failed because none of the RADIUS servers in their domain was reachable.

root# edit protocols dot1x authenticator
root# set interface <interface-name> server-fail vlan-name <vlan-name>

We can also assign a VLAN for clients whose authentication was rejected by the RADIUS server. The VLAN specified must already exist on the switch.

root# edit protocols dot1x authenticator
root# set interface <interface-name> server-reject-vlan <vlan-name>

Guest VLAN

Configure a VLAN for unauthenticated or non-responsive hosts.

root# edit protocols dot1x authenticator
root# set interface <interface-name> guest-vlan <vlan-name>

Voice VLAN

When VoIP is used with 802.1X, the RADIUS server authenticates the phone, and Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) provides the class-of-service (CoS) parameters to the phone.

Configure VoIP on the interface and specify the assured-forwarding forwarding class to provide the most dependable class of service:

root# set vlans <voice-vlan-name> vlan-id <id>
root# edit ethernet-switching-options
root# set voip interface <interface-name> vlan <voice-vlan-name>
root# set voip interface <interface-name> forwarding-class assured-forwarding

Configure LLDP-MED protocol support:

root# edit protocols
root# set lldp-med interface <interface-name>

To authenticate an IP phone and a PC connected behind it on the same interface, enable 802.1X on the interface in multiple supplicant mode. Also configure the authentication fallback option that specifies how VoIP clients sending voice traffic are handled if the RADIUS authentication server becomes unavailable.

root# edit protocols dot1x authenticator
root# set interface <interface-name> supplicant multiple
root# set interface <interface-name> server-fail-voip vlan-name <vlan-name>
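
The following is a complete worked configuration, added here as an example; it is not taken from the OpenNAC or Juniper documentation. It ties the RADIUS, 802.1X, MAC authentication and fallback VLAN sections above together for one access port. The interface ge-0/0/10, the RADIUS server 192.0.2.10, the shared secret placeholder, and all VLAN names and IDs are values assumed for this example. One statement that the sections above do not show, authentication-profile-name, links the 802.1X authenticator to the openNAC access profile. Lines starting with # are annotations, not CLI input.

```text
# Constructed example: one access port (ge-0/0/10) doing 802.1X with
# MAC-RADIUS as fallback against a single RADIUS server at 192.0.2.10.
# All names, addresses and VLAN IDs are placeholders chosen for the example.

# VLANs referenced by dot1x must exist before the dot1x statements reference them
set vlans data-vlan vlan-id 100
set vlans voice-vlan vlan-id 200
set vlans guest-vlan vlan-id 300
set vlans reject-vlan vlan-id 310
set vlans critical-vlan vlan-id 999

# RADIUS server definition and the access profile that dot1x will use
set access radius-server 192.0.2.10 port 1812
set access radius-server 192.0.2.10 accounting-port 1813
set access radius-server 192.0.2.10 secret "<Radius_Shared_Key>"
set access radius-server 192.0.2.10 timeout 5
set access radius-server 192.0.2.10 retry 3
set access profile openNAC authentication-order radius
set access profile openNAC radius authentication-server 192.0.2.10
set access profile openNAC radius accounting-server 192.0.2.10

# Port in access mode; on an access port the member VLAN is the default VLAN
# (native-vlan-id only applies to trunk and tagged-access ports)
set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members data-vlan

# Voice VLAN with LLDP-MED so the phone learns its VLAN and CoS parameters
set ethernet-switching-options voip interface ge-0/0/10.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/10.0 forwarding-class assured-forwarding
set protocols lldp-med interface ge-0/0/10.0

# 802.1X: bind the authenticator to the access profile, allow phone + PC
# (multiple supplicants), try MAC-RADIUS for hosts without a supplicant.
# "mac-radius restrict" is deliberately omitted: it would skip EAP entirely.
set protocols dot1x authenticator authentication-profile-name openNAC
set protocols dot1x authenticator interface ge-0/0/10.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/10.0 supplicant-timeout 30
set protocols dot1x authenticator interface ge-0/0/10.0 server-timeout 30
set protocols dot1x authenticator interface ge-0/0/10.0 mac-radius authentication-protocol pap

# Fallback VLANs: no supplicant response, RADIUS reject, and RADIUS unreachable
set protocols dot1x authenticator interface ge-0/0/10.0 guest-vlan guest-vlan
set protocols dot1x authenticator interface ge-0/0/10.0 server-reject-vlan reject-vlan
set protocols dot1x authenticator interface ge-0/0/10.0 server-fail vlan-name critical-vlan
set protocols dot1x authenticator interface ge-0/0/10.0 server-fail-voip vlan-name voice-vlan
commit
```

After committing, "show dot1x interface ge-0/0/10.0 detail" (from the Troubleshooting section below) shows the mode, the fallback VLANs and any supplicants currently authenticated on the port, which is the quickest way to confirm the profile binding took effect.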

9.2.3.13.1.4. SNMP

The SNMP feature enables communication between the OpenNAC Core and the network device so that information such as software version, port type, location, port state (toggle), etc. can be extracted. To perform policy reevaluation through SNMP, this functionality must be activated and the community strings for reading and writing must be defined (use two different strings, since a community name carries only one authorization level):

root# edit snmp
[edit snmp]
root# set community <read_community> view all authorization read-only
root# set community <write_community> view all authorization read-write

  • SNMP Traps

root# edit snmp
[edit snmp]
root# set trap-options source-address <source_address>
root# set trap-group <group_name> targets <remote_server_ip>
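
The following worked SNMP configuration is added here as an example and is not part of the OpenNAC or Juniper documentation. It shows the hardened form of the community setup above: separate read and write strings, each accepted only from the OpenNAC Core address, with a trap group pointed at the same host. The address 192.0.2.20, the trap group name opennac and the community placeholders are assumed values for this example. Lines starting with # are annotations, not CLI input.

```text
# Constructed example. A community such as "public" with authorization
# read-write and no client restriction accepts writes (port toggle) from
# any host that can reach the switch; the form below restricts each
# community to the OpenNAC Core (192.0.2.20, placeholder).

# Read-only community for inventory queries (version, port type, location)
set snmp community "<read_community>" authorization read-only
set snmp community "<read_community>" clients 192.0.2.20/32
set snmp community "<read_community>" clients 0.0.0.0/0 restrict

# Separate write community used only for policy reevaluation (port toggle)
set snmp community "<write_community>" authorization read-write
set snmp community "<write_community>" clients 192.0.2.20/32
set snmp community "<write_community>" clients 0.0.0.0/0 restrict

# Link up/down traps towards the OpenNAC Core, sourced from the loopback
set snmp trap-options source-address lo0
set snmp trap-group opennac version v2
set snmp trap-group opennac categories link
set snmp trap-group opennac targets 192.0.2.20
commit
```

The "clients 0.0.0.0/0 restrict" entry is what turns the client list into an allow-list: without it, the explicit client entry is only one permitted source among all.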

9.2.3.13.1.5. Troubleshooting & Monitoring

  • Interface information

root> show interfaces detail
root> show interfaces brief

  • Display the current operational state of all ports with the list of connected users.

root> show dot1x interface <interface-name> detail
root> show dot1x interface <interface-name> brief

  • Display all the static MAC addresses of interfaces that are configured to bypass 802.1X authentication.

root> show dot1x static-mac-address interface <interface-name>

  • Display the supplicants (users) that have bypassed 802.1X authentication.

root> show dot1x authentication-bypassed-users

  • List users who have failed 802.1X authentication.

root> show dot1x auth-failed-users

  • RADIUS log. To get a clean trace, first enter configuration mode and clear the existing log:

root# run clear log radius

  • Then check the most recently registered RADIUS log entries:

root> show log radius

  • DHCP information

root> show dhcp statistics
root> show dhcp server statistics
root> show dhcp relay statistics