Identity and Policy Control
Visitor
jbruneel
Posts: 3
Registered: 03-16-2011

Mac authentication (Radius attributes) on Juniper UAC

How does Juniper UAC differentiate the RADIUS request for user authentication and/or MAC authentication?

What parameters does the RADIUS request have to contain for the UAC to decide to use the MAC authentication Realm?

I am trying to use a MAC filter with a Cisco WLC, but the request keeps on coming through as a user authentication request, and I would prefer that the UAC handles this as a MAC authentication request.

Super Contributor
apaul
Posts: 161
Registered: 11-06-2009

Re: Mac authentication (Radius attributes) on Juniper UAC

Hello,

When a device connects to a switch, the switch forwards the MAC address to the IC Series device as the login credential. The IC Series device RADIUS server consults the authentication server (either a local database or an external LDAP server) and allows or denies access to the device based on whether there is a matching entry.

The IC Series device supports several formats for MAC address credentials, including no-delimiter 003048436665, single dash 003048-436665, multidash 00-30-48-43-66-65, and multicolon 00:30:48:43:66:65.


Some switches use the CHAP and EAP-MD5-Challenge protocols for MAC address authentication, with the MAC address as the username.

Hope this helps

Ashish Paul
Visitor
jbruneel
Posts: 3
Registered: 03-16-2011

Re: Mac authentication (Radius attributes) on Juniper UAC

Hello,

I understand the process you describe above, but how does the UAC decide to use the MAC authentication Realm for the location group the switch is in?

Distinguished Expert
Raveen
Posts: 569
Registered: 04-15-2010

Re: Mac authentication (Radius attributes) on Juniper UAC

Adding to what Ashish said..

The condition is that the incoming RADIUS request should contain both the User-Name and User-Password attributes, with the MAC address of the endpoint as the value.

If the above condition is not met, you can see the log message below in the RADIUS troubleshooting log file:

"MAC-based authentication failed. This may be a non-MAC-based login."

Note: You should have a MAC Auth realm, a MAC Auth server/LDAP, and role mapping configured.

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
Super Contributor
apaul
Posts: 161
Registered: 11-06-2009

Re: Mac authentication (Radius attributes) on Juniper UAC

MAC Auth requires:

  1. User-Name is a MAC address
  2. Password matches User-Name
  3. Protocol: PAP, CHAP, MSCHAP, MSCHAPv2, EAP-MSCHAP-Challenge, EAP-MSCHAPv2.

Thanks

Ashish Paul
Contributor
Stanislas P
Posts: 35
Registered: 10-18-2010

Re: Mac authentication (Radius attributes) on Juniper UAC

Hi,

The Authentication Realm is identified by the protocol set used:

  • MAC authentication uses the PAP protocol
  • 802.1X uses EAP protocols

Regards,

Stanislas

Visitor
jbruneel
Posts: 3
Registered: 03-16-2011

Re: Mac authentication (Radius attributes) on Juniper UAC

Thank you for this valuable information. Are there any requirements for the RADIUS Access-Request message?

For a switch I see the message has Service-Type Login-User and the UAC processes this as MAC auth.

Coming from the Cisco WLC the message has Service-Type Call-Check and this is not processed as MAC auth.

Distinguished Expert
Raveen
Posts: 569
Registered: 04-15-2010

Re: Mac authentication (Radius attributes) on Juniper UAC

Service-Type with value Call-Check should not be an issue as long as you meet the requirements that we have provided earlier. And for your information, I did test with Service-Type Call-Check; the IC processes the request without any issue.

Can you attach a tcpdump capture and the RADIUS troubleshooting logs?

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
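As an added illustration of the rule the replies above converge on (constructed example code, not Juniper's or the IC Series device's own implementation), the Python below models the realm-selection decision: a request is routed to the MAC-auth realm only when User-Name and User-Password both carry the endpoint MAC in one of the four accepted formats (no-delimiter, single-dash, multi-dash, multi-colon), the password matches the user name, and the protocol is one of those Ashish listed; Service-Type (Login-User or Call-Check) plays no part, which is why the WLC request should still qualify. Anything else produces the "non-MAC-based login" troubleshooting message. Assumptions: attribute values are already decoded (the RFC 2865 User-Password hiding has been reversed before this check), and the MAC store, role names and sample requests are constructed for the example.

```python
import re

# Accepted MAC credential formats named in the thread (constructed regexes):
# no-delimiter 003048436665, single-dash 003048-436665,
# multi-dash 00-30-48-43-66-65, multi-colon 00:30:48:43:66:65.
MAC_FORMATS = (
    re.compile(r"^[0-9a-f]{12}$"),
    re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$"),
    re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"),
    re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"),
)

# Protocol list from Ashish's reply; names are labels for this example only.
MAC_AUTH_PROTOCOLS = {
    "PAP", "CHAP", "MSCHAP", "MSCHAPv2", "EAP-MSCHAP-Challenge", "EAP-MSCHAPv2",
}

# Message Raveen quotes from the RADIUS troubleshooting log.
NON_MAC_LOG = "MAC-based authentication failed. This may be a non-MAC-based login."


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits if `value` is in an accepted
    format, otherwise None (so a plain user name never looks like a MAC)."""
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    if any(p.match(v) for p in MAC_FORMATS):
        return v.replace("-", "").replace(":", "")
    return None


def classify_request(request):
    """Decide which realm an Access-Request belongs to.

    `request` is a constructed dict: {"protocol": ..., "attrs": {...}} where
    attrs holds decoded RADIUS attributes (assumption: User-Password hiding
    already reversed). Returns (realm, log_message)."""
    attrs = request["attrs"]
    username = normalize_mac(attrs.get("User-Name"))
    password = normalize_mac(attrs.get("User-Password"))
    # Both attributes must be present, both must be MACs, and they must match.
    if username is None or password is None or username != password:
        return "user-auth", NON_MAC_LOG
    if request.get("protocol") not in MAC_AUTH_PROTOCOLS:
        return "user-auth", NON_MAC_LOG
    # Service-Type is deliberately not consulted: Login-User and Call-Check
    # are treated the same, as Raveen's test indicated.
    return "mac-auth", "MAC-based login for %s (Service-Type=%s ignored)" % (
        username, attrs.get("Service-Type"))


def authorize(request, mac_store):
    """Realm selection followed by the MAC auth server lookup and role mapping.
    `mac_store` is a constructed stand-in for the local MAC database or LDAP."""
    realm, message = classify_request(request)
    if realm != "mac-auth":
        return {"realm": realm, "decision": "forward-to-user-realm", "log": message}
    mac = normalize_mac(request["attrs"]["User-Name"])
    entry = mac_store.get(mac)
    if entry is None:
        return {"realm": realm, "decision": "Access-Reject",
                "log": "no MAC auth server entry for " + mac}
    return {"realm": realm, "decision": "Access-Accept",
            "role": entry["role"], "log": message}


# Constructed MAC database: one known printer MAC mapped to a role.
MAC_STORE = {"003048436665": {"role": "printers"}}

# Constructed sample Access-Requests, not captured traffic.
SAMPLE_REQUESTS = {
    # WLC style: Call-Check, colon format in one attribute, bare hex in the other.
    "wlc_call_check": {"protocol": "PAP", "attrs": {
        "User-Name": "00:30:48:43:66:65", "User-Password": "003048436665",
        "Service-Type": "Call-Check", "NAS-Port-Type": "Wireless-802.11"}},
    # Switch style: Login-User, single-dash format.
    "switch_login_user": {"protocol": "PAP", "attrs": {
        "User-Name": "003048-436665", "User-Password": "003048436665",
        "Service-Type": "Login-User"}},
    # Ordinary user login: must fall through to the user-auth realm.
    "user_login": {"protocol": "EAP-MSCHAPv2", "attrs": {
        "User-Name": "alice", "User-Password": "example-password",
        "Service-Type": "Framed-User"}},
    # Well-formed MAC auth for a MAC that is not in the store.
    "unknown_mac": {"protocol": "PAP", "attrs": {
        "User-Name": "00-11-22-33-44-55", "User-Password": "00-11-22-33-44-55",
        "Service-Type": "Call-Check"}},
    # User-Password missing entirely: the condition Raveen describes fails.
    "no_password": {"protocol": "EAP-MD5-Challenge", "attrs": {
        "User-Name": "003048436665", "Service-Type": "Call-Check"}},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, authorize(req, MAC_STORE))
```

Running the script shows the WLC request with Service-Type Call-Check landing in the MAC-auth realm exactly like the switch request, so when a real WLC request is still classified as a user login the place to look in the tcpdump is the User-Name and User-Password attributes (present, same MAC, accepted format) and the protocol, not Service-Type.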