Hi.
We are planning a migration from Cisco cat3560 to Juniper EX4200 48P.
So I am testing EX capabilities in the lab.
I have some problems with dot1x.
It works as described in manuals/books and examples on version 11.4R8.
But I want to use 12.3R3.4 (because it has NSSU, lldp-med-bypass, and has recently been JTAC recommended 🙂).
On version 12.3R3.4 I have problems with simple things. For example, it does not apply the server-fail VLAN when the RADIUS server is unavailable.
It tries to authenticate a few times:
user@lab-ex4200-2> show dot1x interface ge-1/0/0 detail
ge-1/0/0.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 1
Quiet period: 60 seconds
Transmit period: 2 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 7200 seconds
Supplicant timeout: 1 seconds
Server timeout: 2 seconds
Maximum EAPOL requests: 2
Guest VLAN member: Guest
Number of connected supplicants: 1
Supplicant: No User, 00:17:08:3D:6D:5B
Operational state: Connecting
Backend Authentication state: Idle
Authentcation method: None
Session Reauth interval: 0 seconds
Reauthentication due in 0 seconds
And after that I see no supplicant on the port:
user@lab-ex4200-2> show dot1x interface ge-1/0/0 detail
ge-1/0/0.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 1
Quiet period: 60 seconds
Transmit period: 2 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Configured Reauthentication interval: 7200 seconds
Supplicant timeout: 1 seconds
Server timeout: 2 seconds
Maximum EAPOL requests: 2
Guest VLAN member: Guest
Number of connected supplicants: 0
user@lab-ex4200-2> show ethernet-switching table interface ge-1/0/0
Ethernet-switching table: 0 unicast entries
VLAN MAC address Type Age Interfaces
IP-Phones * Flood - All-members
Workstations * Flood - All-members
Here is my config:
interfaces stanza
set interfaces ge-1/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-1/0/0 unit 0 family ethernet-switching vlan members Workstations
ethernet-switching-options stanza
set ethernet-switching-options voip interface ge-1/0/0.0 vlan IP-Phones
vlans stanza
set vlans Guest vlan-id 100
set vlans IP-Phones vlan-id 20
set vlans Quarantine vlan-id 90
set vlans Workstations vlan-id 10
access stanza
set access radius-server 10.10.1.1 port 1645
set access radius-server 10.10.1.1 secret " "
set access radius-server 10.10.1.1 source-address 10.10.100.48
set access radius-server 10.10.1.2 port 1645
set access radius-server 10.10.1.2 secret " "
set access radius-server 10.10.1.2 source-address 10.10.100.48
set access profile NAP authentication-order radius
set access profile NAP radius authentication-server 10.10.1.1
set access profile NAP radius authentication-server 10.10.1.2
protocols stanza
set protocols dot1x authenticator authentication-profile-name NAP
set protocols dot1x authenticator interface all supplicant multiple
set protocols dot1x authenticator interface all retries 1
set protocols dot1x authenticator interface all transmit-period 2
set protocols dot1x authenticator interface all reauthentication 7200
set protocols dot1x authenticator interface all supplicant-timeout 1
set protocols dot1x authenticator interface all server-timeout 2
set protocols dot1x authenticator interface all guest-vlan Guest
set protocols dot1x authenticator interface all server-reject-vlan Guest
set protocols dot1x authenticator interface all lldp-med-bypass
set protocols dot1x authenticator interface all server-fail vlan-name Guest
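
The symptom described in the post above can be checked mechanically across many ports. The following Python is an added example, not part of the original post and not Juniper tooling; it parses `show dot1x interface ... detail` text and the dot1x `set` lines in the form quoted above. The sample strings are constructed, abbreviated copies of that output, and the function names are assumptions made for this example.

```python
import re

# Constructed samples: abbreviated copies of the output and config quoted in the post.
FIRST = """ge-1/0/0.0
Server timeout: 2 seconds
Number of connected supplicants: 1
Supplicant: No User, 00:17:08:3D:6D:5B
Operational state: Connecting
"""
SECOND = """ge-1/0/0.0
Server timeout: 2 seconds
Number of connected supplicants: 0
"""
CONFIG = """set protocols dot1x authenticator interface all guest-vlan Guest
set protocols dot1x authenticator interface all server-reject-vlan Guest
set protocols dot1x authenticator interface all server-fail vlan-name Guest
"""

def parse_detail(text):
    """Parse 'show dot1x interface ... detail' text into {ifname: port dict}."""
    ports, port, sup = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"[a-z]+-\d+/\d+/\d+\.\d+", line):
            port = ports[line] = {"fields": {}, "supplicants": []}
            sup = None
        elif port is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "Supplicant":      # "Supplicant: <user>, <mac>" opens a session block
                user, mac = val.rsplit(",", 1)
                sup = {"user": user.strip(), "mac": mac.strip()}
                port["supplicants"].append(sup)
            elif sup is not None:        # lines after it belong to that session
                sup[key] = val
            else:                        # port-level settings
                port["fields"][key] = val
    return ports

def fallback_vlans(config):
    """Map guest-vlan / server-reject-vlan / server-fail to the VLAN named in set lines."""
    pat = r"dot1x authenticator interface \S+ (guest-vlan|server-reject-vlan|server-fail vlan-name) (\S+)"
    return {m.group(1).split()[0]: m.group(2) for m in re.finditer(pat, config)}

def port_status(detail, config, ifname):
    """Put the session state of one port next to the configured fallback VLANs."""
    port = parse_detail(detail)[ifname]
    return {"connected": int(port["fields"]["Number of connected supplicants"]),
            "states": [(s["mac"], s.get("Operational state")) for s in port["supplicants"]],
            "fallbacks": fallback_vlans(config)}

if __name__ == "__main__":
    for sample in (FIRST, SECOND):
        print(port_status(sample, CONFIG, "ge-1/0/0.0"))
```

A port that reports `connected` as 0 while `fallbacks` names a server-fail VLAN matches the behaviour reported in the post: the session is gone and no fallback VLAN is in effect.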