How to Control Access to VLANs in Junos

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

To limit network use only to valid users, you need to set up network admission control (NAC) policies on the switches. Admission control allows you to strictly control who can access the network, preventing unauthorized users from logging in and enforcing policies for network access (like ensuring that authorized users have the latest antivirus software and operating system patches installed on their PCs and laptops).

The Junos OS software on EX series switches can use the IEEE 802.1X protocol (often just called dot-one-ex) to provide authentication of all devices when they initially connect to your LAN. The actual authentication is done by separate software or a separate server, generally a RADIUS authentication server that is connected to one of the switches on your LAN.

To set up admission control on the switch, follow these steps:

  1. Configure the address of the RADIUS servers, along with a password that the RADIUS server uses to validate requests from the switch.

    This example uses the address 192.168.1.2:

    [edit access]
    user@junos-switch# set radius-server 192.168.1.2 secret my-password

    The secret keyword in this command configures the password that the switch uses to access the RADIUS server.

    In case the switch has several interfaces that can reach the RADIUS server, you can assign an IP address that the switch can use for all its communication with the RADIUS server. In this example, you choose the address 192.168.0.1:

    [edit access]
    user@junos-switch# set radius-server 192.168.1.2 source-address
      192.168.0.1
  2. Set up an authentication profile to be used by 802.1X:

    [edit access]
    user@junos-switch# set profile my-profile authentication-order radius
    [edit access]
    user@junos-switch# set profile my-profile radius authentication-server
      192.168.1.2

    The first command requires the switch to contact a RADIUS server when sending authentication messages. (The other available options are LDAP servers or local password authentication.) The second command shows the address of the authentication server (which you just configured in the previous step).

  3. Configure the 802.1X protocol itself, specifying the access permissions on the switch interfaces:

    You can do so interface by interface, as follows:

    [edit protocols]
    user@junos-switch# set dot1x authenticator authentication-profile-name my-
      profile interface ge-0/0/1.0
    [edit protocols]
    user@junos-switch# set dot1x authenticator authentication-profile-name my-
      profile interface ge-0/0/2.0 supplicant single-secure

    The authentication-profile-name statement associates the authentication profile established in the previous step with this interface.

    Note that you specify the logical interface name (ge-0/0/1.0), not the physical interface name (ge-0/0/1).

In Step 3, the keyword supplicant (which is the 802.1X term for a network device seeking authentication) defines the administrative mode for authentication on the LAN:

  • Single mode: Authenticates only the first device that connects to the switch port and allows access to any devices that later connect to the same port without further authentication. When the first authenticated device logs out, all other devices are locked out of the LAN. This mode is the default, so you don’t need to include it in the configuration.

  • Single-secure mode: Authenticates only one network device per port. In this mode, additional devices that later connect to the same port are not allowed to send or receive traffic, nor are they allowed to authenticate.

  • Multiple: Authenticates each device that connects to the switch port individually. In this mode, additional devices that later connect to the same port are allowed to authenticate and, if successful, to send and receive traffic.

When using single mode, only the first device is authenticated, and this configuration can be considered to be a security hole. If you foresee problems, use the single-secure or multiple mode.

If the authentication mode is the same on all switch ports, you can configure 802.1X parameters to apply to all interfaces by using the keyword all instead of an interface name:

[edit protocols]
user@junos-switch# set dot1x authenticator interface all