Identity and Policy Control
Contributor
zerofai
Posts: 15
Registered: ‎06-02-2011
0

UAC 802.1x for failed authen client?

Hi all,

I am testing deployment options for UAC. I am able to configure UAC to work with Juniper and Cisco switches, switch non-802.1x clients to the guest VLAN, and give my authorized 802.1x Windows machine the open port action.

When I test the case where a non-authorized 802.1x-aware client connects to the port, I see authentication failure information in the user access logs, as the credentials cannot match any realm. Authentication fails, and the port is not able to switch to the guest VLAN.

Is there any way to create a realm to catch those failed-authentication clients? I have tried anonymous, but without success.

Please advise!

Cheers,
Fai

Recognized Expert
Raveen
Posts: 381
Registered: ‎04-15-2010
0

Re: UAC 802.1x for failed authen client?

1. You can configure MAC-Auth-Bypass on the switch, and create a mac-auth realm in IC to authenticate guest users.

2. You can configure an Auth-Fail VLAN on the switch and force the clients into a particular VLAN.

3. If there is any RADIUS attribute in the RADIUS request packet that is unique to guest access, then we can create RADIUS request policies in IC and do anonymous authentication.

You can choose any of the above.

 

Note: You could mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

Contributor
zerofai
Posts: 15
Registered: ‎06-02-2011
0

Re: UAC 802.1x for failed authen client?

Hi Raveen,

Thanks, so there is no method to specify a VLAN for failed-authentication clients? As I see this option in other vendors' products.

Regards,
Fai
Recognized Expert
Raveen
Posts: 381
Registered: ‎04-15-2010
0

Re: UAC 802.1x for failed authen client?

The third option that I mentioned in my earlier reply would allow IC to send VLAN attributes.

Maybe, based on the client's MAC address, NAS-Port, or any other RADIUS attribute, you can filter and do anonymous authentication.

Regards,

Raveen

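
Option 3 and the follow-up above describe filtering on RADIUS request attributes to select an anonymous realm that returns VLAN attributes. The sketch below is an added example, not Juniper IC code or configuration: it models first-match request policies in Python, and the policy names, realm names, VLAN IDs and addresses are constructed for illustration.

```python
# Added illustration of attribute-based realm selection; not Juniper IC code.
from dataclasses import dataclass


def vlan_reply(vlan_id):
    """RFC 3580 attributes a RADIUS server returns to assign a port VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}


def norm_mac(value):
    """Reduce 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22 to bare hex."""
    return "".join(c for c in value.lower() if c in "0123456789abcdef")


@dataclass
class RequestPolicy:            # hypothetical structure, for illustration
    name: str
    realm: str
    vlan: int
    match: dict                 # attribute -> required value; all must match

    def matches(self, request):
        for attr, wanted in self.match.items():
            got = request.get(attr)
            if got is None:
                return False
            if attr == "Calling-Station-Id":
                # Prefix match so a policy can key on an OUI or a full MAC.
                # The MAC is client-supplied and spoofable, so the VLAN it
                # maps to should carry restricted access only.
                if not norm_mac(got).startswith(norm_mac(wanted)):
                    return False
            elif str(got) != str(wanted):
                return False
        return True


def select_realm(policies, request):
    """First matching policy wins; None means reject (fail closed)."""
    for policy in policies:
        if policy.matches(request):
            return policy.realm, vlan_reply(policy.vlan)
    return None


# Constructed sample policies: specific MAC rule first, then guest catch-all
# limited to one switch (NAS-IP-Address) and wired ports.
SAMPLE_POLICIES = [
    RequestPolicy("known-oui", "MAC-Auth", 40, {"Calling-Station-Id": "00:11:22"}),
    RequestPolicy("guest-ports", "Guest-Anon", 99,
                  {"NAS-IP-Address": "192.0.2.10", "NAS-Port-Type": "Ethernet"}),
]
```

Policy order matters here: placing the guest catch-all first would shadow the more specific MAC rule for every request from that switch.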
Recognized Expert
Raveen
Posts: 381
Registered: ‎04-15-2010
0

Re: UAC 802.1x for failed authen client?

You could do realm selection based on EAP-Type as well.

Regards,

Raveen

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.