Ethernet Switching

CWA in EX switches

‎09-16-2017 03:17 AM

Hi,

I'm having a weird issue and was wondering if anyone noticed it as well.

I have recently implemented an Aruba ClearPass NAC system on a network comprised of Juniper EX4300 and EX3300 switches running JunOS 15.1R6-S3.

See the following documentation: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-ar...

After fixing some issues in the manual (e.g. URI contains "?&mac=" instead of "?mac="), I still cannot get the CWA or the JNPR_RSVD_FILTER_CWA filter to work. While in the traceoptions I see the Redirect URL, VLAN, and a manually configured firewall filter, and most of them are being applied, I cannot get the switch to apply the redirect URL.

The only difference I can think of is that I am trying to create a "Walled Garden" scenario rather than a Guest access one, meaning I expect the CWA redirect to be applied when the user has been authenticated via 802.1x EAP-TLS rather than MAB.

Attaching the dot1x traceoptions for reference.

Can anyone offer an answer?


Re: CWA in EX switches

‎09-20-2017 06:58 PM

Hi

This should work

Example Config.

protocols {
    dot1x {
        authenticator {
            authentication-profile-name hss-auth_prof;
            interface {
                ge-0/0/45.0 {
                    supplicant multiple;
                    quiet-period 3;
                    transmit-period 3;
                    /* enable MAC RADIUS authentication on this port */
                    mac-radius;
                    supplicant-timeout 10;
                }
                ge-0/0/46.0 {
                    supplicant multiple;
                    quiet-period 3;
                    transmit-period 3;
                    mac-radius;
                    supplicant-timeout 10;
                }
            }
        }
    }
}

access {
    radius-server {
        10.2.101.117 {
            port 1812;
            /* UDP port on which RADIUS dynamic requests (CoA/Disconnect) are received */
            dynamic-request-port 3799;
            source-address x.x.x.x;
        }
    }
    profile hss-auth_prof {
        authentication-order radius;
        radius {
            authentication-server x.x.x.x;
            accounting-server x.x.x.x;
            options {
                nas-identifier x.x.x.x;
            }
        }
        radius-server {
            x.x.x.x {
                dynamic-request-port 3799;
            }
        }
    }
}

/* the services stanza belongs under the system hierarchy */
system {
    services {
        ssh {
            root-login allow;
            protocol-version v2;
        }
        web-management {
            http;
            https {
                system-generated-certificate;
            }
        }
    }
}

Regards

Partha


Re: CWA in EX switches

‎09-25-2017 09:48 PM

Can you post your relevant config?

Here are two other links which you can also look at:

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authenticati...

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/nce160-aruba-gues...


Re: CWA in EX switches

‎09-26-2017 08:34 AM

I don't think it will make any difference, but I might suggest for EX4300 running 14.1X53-D45, and 12.3R12 (or 12.3R12-S6) on your EX3300, versus 15.1[period], even R6-S3.

I know this functionality works with Aruba, but no real experience with 15.1 in such environments.

Just FYI and good luck.


Re: CWA in EX switches

‎07-01-2019 08:22 AM

Did you ever figure this out?