How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch
2 weeks ago
I would like to send tagged VLANs from RADIUS (Aruba ClearPass) during the AP's supplicant authentication. I would like to dynamically set up VLANs on the switch port for the AP (Aruba Instant Access Point). I have some SSIDs and each SSID has a separate VLAN (there is no tunneling of VLANs to a controller, only bridging).
Is it possible? I have a Juniper EX 3300 virtual chassis with Junos: 15.1R7.9.
In your case, if you want to bridge/trunk VLANs from the IAP and also authenticate the AP itself, then it's better to set up 802.1x authentication on the EX for the IAP but not assign any VLAN. Then use 802.1x for wireless users and use either Aruba's dynamic VLAN or a server rule with "Filter-Id" to assign a VLAN for the authenticated user. There are plenty of resources for that in the Aruba community, for example https://community.arubanetworks.com/t5/Controllerless-Networks/Setup-Dynamic-Vlans/td-p/91772.
Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch
2 weeks ago
Thank You for all responses.
Yes, it seems that on EX 3000 802.1x on a trunk port is not supported at this moment. I have also dug through the docs and it seems that one dynamic VLAN is supported.
I generally understand the idea of changing VLANs on the Aruba itself with 802.1x and RADIUS VSA, but I don't understand how you want to omit the problem with setting VLANs and trunk on the switch port where the AP is connected? Even when I use only one SSID and dynamically change VLANs on the AP, still have communication for these VLANs on the switch port? What is your idea?
For me the solution could be to tunnel traffic from the AP to another device (we have Jun SRX here) with a GRE tunnel, but it is a little bit complicated.
You may not even need the dynamic VLANs if there’s no need to do this per user and if you’re good with the VLANs the user falls into from your SSID config. And if the IAP supports trunking (believe it does by default on Eth0, for other ports there’s wired-profile config needed), then just enable your switch ports for trunking all your (SSID) VLANs too. And from the switch you need routing/switching for these VLANs out, similar to any wired traffic. Please be aware of: https://community.arubanetworks.com/t5/Controllerless-Networks/creation-of-a-trunk-link-between-the-...
If there’s another requirement we’re missing here, please explain with the topology, else please resolve the post I guess. LOL