Understanding 802.1X Port-Based Network Authentication – TechLibrary – Juniper Networks


Note

From Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D75 and Junos OS Release 17.3R1, IEEE 802.1X port-based network authentication is not supported.

Note

Starting in Junos OS 15.1X49-D80, 802.1X port-based authentication is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.

IEEE 802.1X authentication and MAC RADIUS authentication both provide
network edge security, protecting Ethernet LANs from unauthorized user
access by blocking all traffic to and from a device at the interface
until the supplicant’s credential or MAC address is presented and
matched on the authentication server (a RADIUS server). When the
supplicant is authenticated, the switch stops blocking access and opens
the interface to the supplicant.

A LAN network configured for 802.1X authentication contains
three basic components:

  • Supplicant—The IEEE term
    for a host that requests to join the network. The host can be responsive
    or nonresponsive. A responsive host is one on which 802.1X authentication
    is enabled and that provides authentication credentials (such as a
    user name and password). A nonresponsive host is one on which 802.1X
    authentication is not enabled.

  • Authenticator port access entity—The IEEE term for the authenticator. The SRX Series device
    is the authenticator and controls access by blocking all traffic from
    a host (supplicant) until that host is authenticated.

  • Authentication server—The
    server containing the back-end database that makes authentication
    decisions. (Junos OS supports RADIUS authentication servers.) The
    authentication server contains credential information for each supplicant
    that can connect to the network. The authenticator forwards credentials
    supplied by the supplicant to the authentication server. If the credentials
    forwarded by the authenticator match the credentials in the authentication
    server database, access is granted. If the credentials forwarded do
    not match, access is denied.

Table 1 lists the features that the implementation of 802.1X
authentication provides for specific devices. (Platform support depends
on the Junos OS release in your installation.) Table 2 lists the
supplicant capacities that the implementation of 802.1X authentication
provides for specific devices.

Table 1: 802.1X Authentication Features

Feature                         SRX300/SRX320  SRX340/SRX345  SRX550M  SRX1500
Dynamic VLAN assignment         Yes            Yes            Yes      Yes
MAC RADIUS authentication       Yes            Yes            Yes      Yes
Static MAC bypass               Yes            Yes            Yes      Yes
Guest VLAN                      Yes            Yes            Yes      Yes
RADIUS server failure fallback  Yes            Yes            Yes      Yes
VoIP VLAN support               Yes            Yes            Yes      Yes
RADIUS accounting               Yes            Yes            Yes      Yes

Table 2: 802.1X Supplicant Capacities

Capacities                                 SRX300/SRX320  SRX340/SRX345  SRX550M  SRX1500
Supplicants per port                       64             64             64       64
Supplicants per system                     2K             2K             2K       2K
Supplicants with dynamic VLAN assignments  64             300            2K       2K


Dynamic VLAN Assignment

When a supplicant first connects to an SRX Series device, the
authenticator sends a request to the supplicant to begin 802.1X authentication.
If the supplicant is an 802.1X-enabled device, it responds, and the
authenticator relays an authentication request to the RADIUS server.

As part of the reply to the authentication request, the RADIUS
server returns information about the VLAN to which the port belongs.
By configuring the VLAN information at the RADIUS server, you can
control the VLAN assignment on the port.

MAC RADIUS Authentication

If the authenticator sends three requests to a supplicant to
begin 802.1X authentication and receives no response, the supplicant
is considered nonresponsive. For a nonresponsive supplicant, the authenticator
sends a request to the RADIUS server for authentication of the supplicant’s
MAC address. If the MAC address matches an entry in a predefined list
of MAC addresses on the RADIUS server, authentication is granted and
the authenticator opens LAN access on the interface where the supplicant
is connected.

You can configure the number of times the authenticator attempts
to receive a response and the time period between attempts.

Static MAC Bypass

The authenticator can allow particular supplicants direct access
to the LAN, bypassing the authentication server, by including the
supplicants’ MAC addresses in the static MAC bypass list configured
on the SRX Series device. Supplicants’ MAC addresses are first
checked against this list. If a match is found, the corresponding
supplicant is considered successfully authenticated and the interface
is opened up for it. No further authentication is done for that supplicant.
If a match is not found and 802.1X authentication is enabled for the
supplicant, the device continues with MAC RADIUS authentication on
the authentication server.

For each MAC address in the list, you can configure the VLAN
to which the supplicant is moved or the interfaces on which the supplicant
can connect.

Guest VLAN

You can specify a guest VLAN that provides limited network access
for nonresponsive supplicants. If a guest VLAN is configured, the
authenticator connects all nonresponsive supplicants to the predetermined
VLAN, providing limited network access, often only to the Internet.
This type of configuration can be used to provide Internet access
to visitors without compromising company security.

Note

On an 802.1X interface, MAC RADIUS authentication and a guest VLAN must
not be configured together, because the guest VLAN does not work when
MAC RADIUS authentication is configured.

IEEE 802.1X provides LAN access to nonresponsive hosts, which
are hosts where 802.1X is not enabled. These hosts, referred to as
guests, typically are provided access only to the Internet.

RADIUS Server Failure Fallback

You can define one of four actions to be taken if no RADIUS
authentication server is reachable (if, for example, a server failure
or a timeout has occurred on the authentication server).

  • deny—(default) Prevent
    traffic from flowing from the supplicant through the interface.

  • permit—Allow traffic
    to flow from the supplicant through the interface as if the supplicant
    were successfully authenticated by the RADIUS server.

  • use-cache—Force successful
    authentication if authentication was granted before the failure or
    timeout. This ensures that authenticated users are not adversely affected
    by a failure or timeout.

  • vlan vlan-name | vlan-id—Move the supplicant to a
    different VLAN specified by name or ID. This applies only to the first
    supplicant connecting to the interface.

Note

For the permit, use-cache, and vlan fallback actions to work,
802.1X supplicants need to accept an out-of-sequence SUCCESS packet.

For RADIUS server settings, see Table 3.

Table 3: RADIUS Server Settings

Each entry gives the field, its function, and your action.

  • IP Address—Specifies the IP address of the server. Your action:
    enter the IP address in dotted decimal notation.

  • Password—Specifies the login password. Your action: enter the
    password.

  • Confirm Password—Verifies the login password for the server. Your
    action: reenter the password.

  • Server Port Number—Specifies the port with which the server is
    associated. Your action: type the port number.

  • Source Address—Specifies the source address of the SRX Series
    device for communicating with the server. Your action: type the IP
    address in dotted decimal notation.

  • Retry Attempts—Specifies the number of login retries allowed after
    a login failure. Your action: type the number.

  • Timeout—Specifies the time interval to wait before the connection
    to the server is closed. Your action: type the interval in seconds.

For 802.1X exclusion list details, see Table 4.

Table 4: 802.1X Exclusion List

Each entry gives the field, its function, and your action.

  • MAC Address—Specifies the MAC address to be excluded from 802.1X
    authentication. Your action: enter the MAC address.

  • Exclude if connected through the port—Specifies that a supplicant
    can bypass authentication if it is connected through a particular
    interface. Your action: select to enable the option, then select the
    port through which the supplicant is connected.

  • Move the host to the VLAN—Moves the host to a specific VLAN once
    the host is authenticated. Your action: select to enable the option,
    then select the VLAN from the list.

For 802.1X port settings, see Table 5.

Table 5: 802.1X Port Settings

Each entry gives the field, its function, and your action.

Supplicant Mode

  • Supplicant Mode—Specifies the mode to be adopted for supplicants.
    Single secure allows only one host for authentication. Multiple
    allows multiple hosts for authentication; each host is checked before
    being admitted to the network. Single mode authentication for
    multiple hosts allows multiple hosts but authenticates only the
    first. Your action: select the required mode.

Authentication

  • Enable re-authentication—Specifies enabling reauthentication on the
    selected interface. Your action: select to enable reauthentication,
    then enter the timeout for reauthentication in seconds.

  • Action for nonresponsive hosts—Specifies the action to be taken in
    case a supplicant is nonresponsive. Move to the Guest VLAN moves the
    supplicant to the specified Guest VLAN; Deny does not permit access
    to the supplicant. Your action: select the required action.

  • Timeouts—Specifies timeout values for the port waiting time after
    an authentication failure, the EAPOL retransmitting interval, the
    maximum EAPOL requests, the maximum number of retries, the port
    timeout value for a response from the supplicant, and the port
    timeout value for a response from the RADIUS server. Your action:
    enter timeout values in seconds for the appropriate options.

VoIP VLAN Support

When VoIP is used with 802.1X, the RADIUS server authenticates
the phone, and Link Layer Discovery Protocol–Media Endpoint
Discovery (LLDP-MED) provides the class-of-service (CoS) parameters
for the phone.

You can configure 802.1X authentication to work with VoIP in
multiple-supplicant or single-supplicant mode:

  • Multiple-supplicant mode—Allows
    multiple supplicants to connect to the interface. Each supplicant
    is authenticated individually.

  • Single-supplicant mode—Authenticates
    only the first supplicant. All other supplicants that connect later
    to the interface are allowed to piggyback on
    the first supplicant’s authentication and gain full access.

RADIUS Accounting

Configuring RADIUS accounting on an SRX Series device lets you
collect statistical data about users logging in to and out of a LAN
and send it to a RADIUS accounting server. The collected data can
be used for general network monitoring, to analyze and track usage
patterns, or to bill a user on the basis of the amount of time or
type of services accessed.

To configure RADIUS accounting, specify one or more RADIUS accounting
servers to receive the statistical data from the device, and select
the type of accounting data to be collected. To view the collected
statistics, you can access the log file configured to receive them.

Server Reject VLAN

By default, when authentication fails, the supplicant is denied
access to the network. However, you can specify a VLAN to which the
supplicant is moved if authentication fails. The server reject VLAN
is similar to a guest VLAN. With a server reject VLAN, however, authentication
is first attempted by credential, then by MAC address. If both authentication
methods fail, the supplicant is given access to a predetermined VLAN
with limited network access.
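The features described above, combined into one Junos set-format configuration as an added example that is not taken from this page or from Juniper's own examples; it maps the RADIUS server fields of Table 3, the exclusion list of Table 4 and the port settings of Table 5 onto the access and protocols dot1x hierarchies. Assumed values: the 192.0.2.x addresses, interfaces ge-0/0/2.0 and ge-0/0/3.0, VLAN IDs 30 and 40 and the printer MAC address are constructed samples, and statement names should be checked against the CLI reference for your release.

```junos
# RADIUS server (Table 3): address, shared secret, port, source
# address, retries and timeout. Addresses are constructed samples.
set access radius-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
set access radius-server 192.0.2.10 port 1812
set access radius-server 192.0.2.10 source-address 192.0.2.1
set access radius-server 192.0.2.10 retry 3
set access radius-server 192.0.2.10 timeout 5

# Access profile used by the authenticator: RADIUS for authentication
# and for accounting (accounting server assumed to be the same host).
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 192.0.2.10
set access profile dot1x-profile radius accounting-server 192.0.2.10
set access profile dot1x-profile accounting order radius
set protocols dot1x authenticator authentication-profile-name dot1x-profile

# Static MAC bypass (Table 4): a sample printer MAC skips the RADIUS
# server entirely, is limited to one interface and placed in VLAN 30.
set protocols dot1x authenticator static 00:10:94:00:00:01/48 interface ge-0/0/3.0
set protocols dot1x authenticator static 00:10:94:00:00:01/48 vlan-assignment 30

# Port settings (Table 5) on an access port: multiple-supplicant mode,
# hourly reauthentication, and the six timeout/retry values in order.
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/2.0 reauthentication 3600
set protocols dot1x authenticator interface ge-0/0/2.0 quiet-period 60
set protocols dot1x authenticator interface ge-0/0/2.0 transmit-period 30
set protocols dot1x authenticator interface ge-0/0/2.0 maximum-requests 2
set protocols dot1x authenticator interface ge-0/0/2.0 retries 3
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant-timeout 30
set protocols dot1x authenticator interface ge-0/0/2.0 server-timeout 30

# Nonresponsive hosts fall through to MAC RADIUS authentication.
# No guest-vlan on this interface: the page states that a guest VLAN
# does not work together with MAC RADIUS.
set protocols dot1x authenticator interface ge-0/0/2.0 mac-radius

# Credential and MAC authentication both rejected: quarantine in VLAN 40
# (server reject VLAN) instead of the default deny.
set protocols dot1x authenticator interface ge-0/0/2.0 server-reject-vlan 40

# RADIUS unreachable: keep only sessions that were already authenticated.
# "server-fail permit" would open the port to any host during an outage.
set protocols dot1x authenticator interface ge-0/0/2.0 server-fail use-cache
```

Lines starting with # are annotations for the reader and are not part of the loaded configuration.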

Release      Description
15.1X49-D80  Starting in Junos OS 15.1X49-D80, 802.1X port-based authentication is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.
15.1X49-D40  From Junos OS Release 15.1X49-D40 to Junos OS Release 15.1X49-D75 and Junos OS Release 17.3R1, IEEE 802.1X port-based network authentication is not supported.