Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Dot1x authentication on EX 2200 switches using Windows 2008 R2 NPS as the Radius

    Posted 05-20-2013 07:13

    Model: ex2200-48t-4g
    JUNOS Base OS Software Suite [12.3R2.5]

    I configured an EX-2200 with 802.1X authentication using Windows 2008 R2 NPS as the RADIUS server, with an Active Directory DB.

    dot1x config:

    traceoptions {
        file dot1x;
        flag state;
        flag dot1x-debug;
        flag eapol;
    }
    authenticator {
        authentication-profile-name WIRED;
        interface {
            ge-0/0/2.0 {
                supplicant multiple;
                retries 2;
                quiet-period 15;
                transmit-period 7;
                mac-radius;
                reauthentication 3600;
                supplicant-timeout 4;
                server-timeout 5;
                maximum-requests 3;
                guest-vlan ROUTED_Registration;
                server-reject-vlan ROUTED_Registration;
                server-fail vlan-name ROUTED_Registration;
            }
        }
    }

    When a PC that is a member of my AD was connected (with the wired authentication service on), everything was fine: the user was authenticated and dynamic VLAN assignment attached the VLAN to the switch port. (OK)

    But when I connected a PC that isn't a member of our AD (a guest PC), the NPS RADIUS server rejected (denied) it, as explained in the Juniper technical documents; but unfortunately the switch didn't attach any VLAN to this port, although the "server-reject-vlan" and "guest-vlan" commands were set up. (NOK)

    I just want the switch to send 2 attempts (retries=2) and, if the RADIUS server times out or rejects the request, to put the PC in the Guest VLAN.

    Can somebody help me with this issue? Here I put down 2 pieces of debug output. I attached the full debug.txt and a Wireshark picture.

    *** dot1x *** SUCCESS
    May 18 09:55:22 trace_on: Tracing to "/var/log/dot1x" started
    May 18 09:55:22.587114 bytes_remnant 3018 tot_bytes_read 28
    May 18 09:55:22.622896 bytes_read 3018
    May 18 09:55:22.622999 Creating background job to process reply from authentication client
    May 18 09:55:22.623256 Entering background job to process message from authentication client
    May 18 09:55:22.623375 process_auth_reply len:3046
    May 18 09:55:22.623517 Received VLAN ID/name 10 from authentication server
    May 18 09:55:22.626130 Received Access-Accept authentication message
    May 18 09:55:22.628819 Invoking state machine for authentication response for mac a0:b3:cc:29:e9:eb on intf ge-0/0/2.0
    May 18 09:55:22.629192  ASIF: Handing over Server frame to Authenticator



    *** dot1x *** REJECT
    May 18 14:55:12.063932 hdr_bytes_read 0
    May 18 14:55:12.064036 len read : 28 reply_len: 2944
    May 18 14:55:12.064161 bytes_remnant 2916 tot_bytes_read 28
    May 18 14:55:12.064329 bytes_read 2916
    May 18 14:55:12.065677 Creating background job to process reply from authentication client
    May 18 14:55:12.065939 Entering background job to process message from authentication client
    May 18 14:55:12.066059 process_auth_reply len:2944
    May 18 14:55:12.066188 No VLAN attributes configured or Captive-Portal enabled
    May 18 14:55:12.066296 Received Access-Reject authentication message
    May 18 14:55:12.066829 pnac_apply_access_reject_vlan portnum:71
    May 18 14:55:12.066962 Server Reject VLAN ROUTED_Registration
    May 18 14:55:12.067733 Invoking state machine for authentication response for mac 00:25:64:62:1f:a2 on intf ge-0/0/2.0
    May 18 14:55:12.067909 vlan data is NULL for idx 71


    Thank you in advance.

    Attachment: full debug dot1x.txt (43 KB)
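As an added example, not from the thread, the attachment, or Juniper, here is a small Python triage script for dot1x traceoptions output of the kind quoted above. It groups the lines of each RADIUS reply into one record, keyed on the MAC and interface that the "Invoking state machine" line names, and reports per MAC whether the reply was Access-Accept or Access-Reject, which VLAN was assigned or selected as the server-reject fallback, and whether the switch then failed to apply it (the "vlan data is NULL" line that follows the reject). The sample trace is constructed from the lines in the post; the regexes assume the message formats shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of 'set protocols dot1x traceoptions flag dot1x-debug' output,
# modelled on the lines quoted in the post (not the poster's full attachment).
SAMPLE_TRACE = """\
May 18 09:55:22 trace_on: Tracing to "/var/log/dot1x" started
May 18 09:55:22.623375 process_auth_reply len:3046
May 18 09:55:22.623517 Received VLAN ID/name 10 from authentication server
May 18 09:55:22.626130 Received Access-Accept authentication message
May 18 09:55:22.628819 Invoking state machine for authentication response for mac a0:b3:cc:29:e9:eb on intf ge-0/0/2.0
May 18 14:55:12.066059 process_auth_reply len:2944
May 18 14:55:12.066188 No VLAN attributes configured or Captive-Portal enabled
May 18 14:55:12.066296 Received Access-Reject authentication message
May 18 14:55:12.066962 Server Reject VLAN ROUTED_Registration
May 18 14:55:12.067733 Invoking state machine for authentication response for mac 00:25:64:62:1f:a2 on intf ge-0/0/2.0
May 18 14:55:12.067909 vlan data is NULL for idx 71
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) (?P<msg>.*)$")
RADIUS_VLAN_RE = re.compile(r"Received VLAN ID/name (\S+) from authentication server")
RESULT_RE = re.compile(r"Received Access-(Accept|Reject) authentication message")
REJECT_VLAN_RE = re.compile(r"Server Reject VLAN (\S+)")
STATE_MACHINE_RE = re.compile(r"Invoking state machine for authentication response for mac (\S+) on intf (\S+)")


@dataclass
class AuthReply:
    """One RADIUS reply as the dot1x daemon processed it."""
    timestamp: str
    mac: str = ""
    interface: str = ""
    result: str = ""                  # "accept" or "reject"
    radius_vlan: str = ""             # VLAN carried in the Access-Accept attributes
    fallback_vlan: str = ""           # server-reject VLAN the switch selected
    vlan_apply_failed: bool = False   # "vlan data is NULL" seen after the state machine ran


def parse_dot1x_trace(text: str) -> List[AuthReply]:
    """Group trace lines into AuthReply records.

    The daemon logs the reply contents first and only names the MAC/interface
    when it hands the result to the state machine, so a pending record is
    opened on 'process_auth_reply' and closed on the state-machine line.
    """
    replies: List[AuthReply] = []
    pending: Optional[AuthReply] = None
    last: Optional[AuthReply] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("process_auth_reply"):
            pending = AuthReply(timestamp=ts)
        elif pending is not None and (v := RADIUS_VLAN_RE.search(msg)):
            pending.radius_vlan = v.group(1)
        elif pending is not None and (r := RESULT_RE.search(msg)):
            pending.result = r.group(1).lower()
        elif pending is not None and (f := REJECT_VLAN_RE.search(msg)):
            pending.fallback_vlan = f.group(1)
        elif pending is not None and (s := STATE_MACHINE_RE.search(msg)):
            pending.mac, pending.interface = s.group(1).lower(), s.group(2)
            replies.append(pending)
            last, pending = pending, None
        elif "vlan data is NULL" in msg and last is not None:
            last.vlan_apply_failed = True
    return replies


def triage(replies: List[AuthReply]) -> Dict[str, str]:
    """Summarise the outcome per MAC, flagging the failure mode seen in the thread."""
    summary: Dict[str, str] = {}
    for r in replies:
        if r.result == "accept":
            vlan = r.radius_vlan or "port's static VLAN"
            summary[r.mac] = f"authenticated on {r.interface}, VLAN {vlan}"
        elif r.result == "reject" and not r.fallback_vlan:
            summary[r.mac] = f"rejected on {r.interface}, no server-reject-vlan configured"
        elif r.result == "reject" and r.vlan_apply_failed:
            summary[r.mac] = (f"rejected on {r.interface}, server-reject VLAN {r.fallback_vlan} "
                              "selected but NOT applied (vlan data is NULL)")
        elif r.result == "reject":
            summary[r.mac] = f"rejected on {r.interface}, moved to {r.fallback_vlan}"
        else:
            summary[r.mac] = f"incomplete reply on {r.interface}"
    return summary


if __name__ == "__main__":
    for mac, status in triage(parse_dot1x_trace(SAMPLE_TRACE)).items():
        print(f"{mac}: {status}")
```

Run it against the real /var/log/dot1x file instead of SAMPLE_TRACE to list every MAC whose reject fallback was selected but never applied; a port that keeps cycling through Connecting with that pattern is the symptom the thread is chasing, and it is much easier to spot in this summary than in the raw trace.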


  • 2.  RE: Dot1x authentication on EX 2200 switches using Windows 2008 R2 NPS as the Radius

    Posted 05-20-2013 07:35

    I do see the following in your debug, which makes me think it's actually working.

    May 18 15:14:58.525193 Client moved to dynamic VLAN ROUTED_Registration

     

    But if using mac-radius authentication and not specifying "restrict", I've had instances where it would take too long to switch over and the client would get the Microsoft APIPA address.  Eventually it would work, but I've limited the scope of mixed radius and mac-radius authentication.  Though, I may be facing the same issues when we change our phone systems to handsets that don't support 802.1X.

     

    What do you see when you run the following commands?

    > show dot1x interface ge-0/0/2.0

    > show ethernet-switching table interface ge-0/0/2.0

     

    Any messages in the system log?

    > show log messages | match dot1x

     

     

    I've done exactly what you are trying with NPS and the following config:

     

    EX2200# show groups
    G_DOT1X_DEFAULTS {
        protocols {
            dot1x {
                authenticator {
                    interface {
                        <*> {
                            quiet-period 5;
                            reauthentication 300;
                            supplicant-timeout 5;
                            maximum-requests 2;
                        }
                    }
                }
            }
        }
    }

    EX2200# show access
    radius-server {
        XX.XX.XX.XX {
            port 1645;
            secret "<IT'S A SECRET>"; ## SECRET-DATA
            timeout 5;
            retry 2;
            source-address YY.YY.YY.YY;
        }
    }
    profile auth-profile-clnps01 {
        authentication-order radius;
        radius {
            authentication-server XX.XX.XX.XX;
        }
    }

    EX2200# show protocols dot1x
    authenticator {
        authentication-profile-name auth-profile-clnps01;
        interface {
            ge-0/0/18.0 {
                apply-groups G_DOT1X_DEFAULTS;
                supplicant multiple;
                guest-vlan V20;
                server-reject-vlan V20;
                server-fail vlan-name V20;
            }
            ge-0/0/21.0 {
                apply-groups G_DOT1X_DEFAULTS;
                supplicant multiple;
                guest-vlan V20;
                server-reject-vlan V20;
                server-fail vlan-name V20;
            }
        }
    }


     



  • 3.  RE: Dot1x authentication on EX 2200 switches using Windows 2008 R2 NPS as the Radius

    Posted 05-20-2013 08:19

    Hello nkorosi,

    Thank you for your reply.

    Yes, I agree with you about the line in the dot1x debug.txt: "May 18 15:14:58.525193 Client moved to dynamic VLAN ROUTED_Registration". Maybe the switch puts this port in the Guest VLAN for a second or two, but after that it doesn't stop requesting a new authentication from RADIUS and clears the port VLAN 😞 I just want 2 retries, and if rejected, then put it in the Guest VLAN. I have other Cisco switches, and with MAC address bypass (MAB) this scenario works without issues.

     

    For JunOS I found:

    http://www.juniper.net/techpubs/en_US/junos12.3/topics/example/802-1x-pnac-eap-ttls-odyssey-access-clients.html

     

    I cannot use "mac-address restrict", because I want my users to authenticate from AD with their HOST accounts.

     

    What do you see when you run the following commands?

    > show dot1x interface ge-0/0/2.0

    > show ethernet-switching table interface ge-0/0/2.0

     

    cci@JUN-DOT1X> show dot1x interface ge-0/0/2.0
    802.1X Information:
    Interface     Role           State           MAC address          User
    ge-0/0/2.0    Authenticator  Connecting

    {master:0}
    cci@JUN-DOT1X> show ethernet-switching table interface ge-0/0/2.0
    Ethernet-switching table: 0 unicast entries
      VLAN              MAC address       Type         Age Interfaces
      default           *                 Flood          - All-members

     

    cci@JUN-DOT1X> show dot1x interface detail ge-0/0/2.0
    ge-0/0/2.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Multiple
      Number of retries: 2
      Quiet period: 15 seconds
      Transmit period: 7 seconds
      Mac Radius: Enabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 4 seconds
      Server timeout: 5 seconds
      Maximum EAPOL requests: 3
      Guest VLAN member: ROUTED_Registration
      Number of connected supplicants: 1
        Supplicant: No User, A0:B3:CC:29:E9:EB
          Operational state: Connecting
          Backend Authentication state: Idle
          Authentcation method: None
          Session Reauth interval: 0 seconds
          Reauthentication due in 0 seconds

     

     

    Maybe the problem is: "Authentcation method: None"?

     

    Any messages in the system log?

    > show log messages | match dot1x

     

    Attached.

    Attachment: sho log mess.txt (4 KB)


  • 4.  RE: Dot1x authentication on EX 2200 switches using Windows 2008 R2 NPS as the Radius
    Best Answer

    Posted 06-04-2013 01:29

    SOLVED.

     

    The solution was to change JunOS to a stable version -> 11.4R8.5


    EX-2200 switch configuration:

    cci@JUN-DOT1X> show configuration | display set
    set version 11.4R8.5
    set system host-name JUN-DOT1X
    set system domain-name TESTED.md
    set system time-zone Europe/Chisinau
    set system name-server 172.16.0.201
    set system name-server 172.16.0.202
    set system name-server 2a01:c8cf:ffd9::aaa1
    *********** login users omitted ***************
    set system services ssh
    set system services web-management https system-generated-certificate
    set system services dhcp traceoptions file dhcp_logfile
    set system services dhcp traceoptions level all
    set system services dhcp traceoptions flag all
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set chassis auto-image-upgrade
    *********** interfaces omitted ***************
    set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members Registration
    set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members Isolation
    set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members DATA
    set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members ALL_LAN
    set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members MGMT
    set interfaces ge-0/1/0 unit 0 family ethernet-switching
    set interfaces ge-0/1/1 unit 0 family ethernet-switching
    set interfaces ge-0/1/2 unit 0 family ethernet-switching
    set interfaces ge-0/1/3 unit 0 family ethernet-switching
    set interfaces lo0 unit 0 family inet address 127.0.0.1/32
    set interfaces me0 unit 0 family inet dhcp
    set interfaces vlan unit 0 family inet dhcp
    set interfaces vlan unit 255 family inet address 192.168.255.180/24
    set routing-options static route 0.0.0.0/0 next-hop 192.168.255.1
    set protocols neighbor-discovery
    set protocols igmp-snooping vlan all
    set protocols dot1x traceoptions file dot1x
    set protocols dot1x traceoptions flag state
    set protocols dot1x traceoptions flag dot1x-debug
    set protocols dot1x traceoptions flag eapol
    set protocols dot1x authenticator authentication-profile-name WIRED
    set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single
    set protocols dot1x authenticator interface ge-0/0/0.0 retries 2
    set protocols dot1x authenticator interface ge-0/0/0.0 quiet-period 15
    set protocols dot1x authenticator interface ge-0/0/0.0 transmit-period 7
    set protocols dot1x authenticator interface ge-0/0/0.0 reauthentication 3600
    set protocols dot1x authenticator interface ge-0/0/0.0 supplicant-timeout 4
    set protocols dot1x authenticator interface ge-0/0/0.0 server-timeout 5
    set protocols dot1x authenticator interface ge-0/0/0.0 maximum-requests 3
    set protocols dot1x authenticator interface ge-0/0/0.0 guest-vlan Registration
    set protocols dot1x authenticator interface ge-0/0/0.0 server-reject-vlan Registration
    set protocols dot1x authenticator interface ge-0/0/0.0 server-fail vlan-name Registration
    set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
    set protocols dot1x authenticator interface ge-0/0/2.0 retries 2
    set protocols dot1x authenticator interface ge-0/0/2.0 quiet-period 15
    set protocols dot1x authenticator interface ge-0/0/2.0 transmit-period 7
    set protocols dot1x authenticator interface ge-0/0/2.0 reauthentication 3600
    set protocols dot1x authenticator interface ge-0/0/2.0 supplicant-timeout 4
    set protocols dot1x authenticator interface ge-0/0/2.0 server-timeout 5
    set protocols dot1x authenticator interface ge-0/0/2.0 maximum-requests 3
    set protocols dot1x authenticator interface ge-0/0/2.0 guest-vlan Registration
    set protocols dot1x authenticator interface ge-0/0/2.0 server-reject-vlan Registration
    set protocols dot1x authenticator interface ge-0/0/2.0 server-fail vlan-name Registration
    set protocols vstp vlan 10 bridge-priority 32k
    set protocols vstp vlan 151 bridge-priority 32k
    set protocols vstp vlan 152 bridge-priority 32k
    set protocols vstp vlan 153 bridge-priority 32k
    set protocols vstp vlan 255 bridge-priority 32k
    set protocols lldp interface all
    set protocols lldp-med interface all
    set access radius-server 192.168.200.50 port 1812
    set access radius-server 192.168.200.50 secret "$9$hxyrMX-Vwg4ZNdqmP5/9"
    set access radius-server 192.168.200.50 timeout 5
    set access radius-server 192.168.200.50 retry 2
    set access profile WIRED authentication-order radius
    set access profile WIRED radius authentication-server 192.168.200.50
    set ethernet-switching-options voip
    set ethernet-switching-options storm-control interface all
    set vlans ALL_LAN vlan-id 10
    set vlans MGMT vlan-id 255
    set vlans MGMT l3-interface vlan.255
    set vlans DATA vlan-id 153
    set vlans Isolation vlan-id 152
    set vlans Registration vlan-id 151
    set vlans default


    First PC - WIN XP - auth user account (Active Directory)
    The second - WIN 7 - auth computer account (Active Directory)


    cci@JUN-DOT1X> show dot1x interface
    802.1X Information:
    Interface     Role           State           MAC address          User
    ge-0/0/0.0    Authenticator  Authenticated   00:25:64:62:1F:A2    MAIN\VStognienco
    ge-0/0/2.0    Authenticator  Authenticated   A0:B3:CC:29:E9:EB    host/EB-CZC2351FC2.main.TESTED.md

    cci@JUN-DOT1X> show dot1x interface detail
    ge-0/0/0.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 2
      Quiet period: 15 seconds
      Transmit period: 7 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 4 seconds
      Server timeout: 5 seconds
      Maximum EAPOL requests: 3
      Guest VLAN member: Registration
      Number of connected supplicants: 1
        Supplicant: MAIN\VStognienco, 00:25:64:62:1F:A2
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: Radius
          Authenticated VLAN: ALL_LAN
          Session Reauth interval: 3600 seconds
          Reauthentication due in 3562 seconds
    ge-0/0/2.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Multiple
      Number of retries: 2
      Quiet period: 15 seconds
      Transmit period: 7 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 4 seconds
      Server timeout: 5 seconds
      Maximum EAPOL requests: 3
      Guest VLAN member: Registration
      Number of connected supplicants: 1
        Supplicant: host/EB-CZC2351FC2.main.TESTED.md, A0:B3:CC:29:E9:EB
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: Radius
          Authenticated VLAN: ALL_LAN
          Session Reauth interval: 3600 seconds
          Reauthentication due in 3389 seconds


    cci@JUN-DOT1X> show vlans
    Name           Tag     Interfaces
    ALL_LAN        10
                           ge-0/0/0.0*, ge-0/0/2.0*, ge-0/0/47.0*
    MGMT           255
                           ge-0/0/47.0*
    DATA    153
                           ge-0/0/47.0*
    Isolation 152
                           ge-0/0/47.0*
    Registration 151
                           ge-0/0/47.0*

    Default GuestVlan:

    Interface     Role           State           MAC address          User
    ge-0/0/0.0    Authenticator  Initialize
    ge-0/0/2.0    Authenticator  Connecting      A0:B3:CC:29:E9:EB    No User

    cci@JUN-DOT1X> show dot1x interface
    802.1X Information:
    Interface     Role           State           MAC address          User
    ge-0/0/0.0    Authenticator  Initialize
    ge-0/0/2.0    Authenticator  Authenticated   A0:B3:CC:29:E9:EB    No User

    cci@JUN-DOT1X> show dot1x interface
    802.1X Information:
    Interface     Role           State           MAC address          User
    ge-0/0/0.0    Authenticator  Initialize
    ge-0/0/2.0    Authenticator  Authenticated   A0:B3:CC:29:E9:EB    No User


    ge-0/0/2.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Multiple
      Number of retries: 2
      Quiet period: 15 seconds
      Transmit period: 7 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 4 seconds
      Server timeout: 5 seconds
      Maximum EAPOL requests: 3
      Guest VLAN member: Registration
      Number of connected supplicants: 1
        Supplicant: No User, A0:B3:CC:29:E9:EB
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentcation method: GuestVlan
          Authenticated VLAN: Registration
          Session Reauth interval: 3600 seconds
          Reauthentication due in 3557 seconds


    cci@JUN-DOT1X> show vlans
    Name           Tag     Interfaces
    ALL_LAN        10
                           ge-0/0/47.0*
    MGMT           255
                           ge-0/0/47.0*
    DATA    153
                           ge-0/0/47.0*
    Isolation 152
                           ge-0/0/47.0*
    Registration 151
                           ge-0/0/2.0*, ge-0/0/47.0*