Ethernet Switching

How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi community,

I would like to send tagged VLANs from RADIUS (Aruba ClearPass) during the AP's supplicant authentication. I would like to dynamically set up VLANs on the switch port for the AP (Aruba Instant Access Point). I have some SSIDs and each SSID has a separate VLAN (there is no tunneling of VLANs to a controller, only bridging).

Is it possible? I have a Juniper EX 3300 virtual chassis with Junos: 15.1R7.9.

Does anyone have any experience with a similar config?

Regards

Karol


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi Karol,

You may use the following KB as a reference for VLAN assignment:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB12688&cat=SRX_650&actp=LIST

This doc also describes how to set up Aruba ClearPass for the same type of authentication (some of the sections may be ignored):

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce157-example-ar...


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi Karol,

The KB procedure shared in the previous post assigns one VLAN at a time to an authenticated user, whereas dynamic VLANs are not supported on trunk ports - see https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-d...
And the other link is about a wired 802.1x example with ClearPass.

In your case, if you want to bridge/trunk VLANs from the IAP and also authenticate the AP itself, then it's better to set up 802.1x authentication on the EX for the IAP but not assign any VLAN. Then use 802.1x for wireless users and use either Aruba's dynamic VLAN or a server rule with "Filter-Id" to assign a VLAN for the authenticated user. There are plenty of resources for that in the Aruba community, for example https://community.arubanetworks.com/t5/Controllerless-Networks/Setup-Dynamic-Vlans/td-p/91772.

Hope this helps.

Regards,
-r.


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi

Thank you for all responses.

Yes, it seems that on EX 3000 802.1x on a trunk port is not supported at this moment. I have also dug through the docs and it seems that one dynamic VLAN is supported.

I generally understand the idea of changing VLANs on Aruba itself with 802.1x and RADIUS VSA, but I don't understand how you want to omit the problem with setting VLANs and trunk on the switch port where the AP is connected? Even when I use only one SSID and dynamically change VLANs on the AP, still have communication for these VLANs on the switch port? What is your idea?

For me the solution could be to tunnel traffic from the AP to another device (we have Jun SRX here) with a GRE tunnel, but it is a little bit complicated.

Regards

Karol


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi Karol,

Thank you for the kudos 😊. If you’re planning to protect the switch ports meant for APs, all you need is the “802.1X Authentication on Trunk Ports” section from https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-d...

You may need even need the dynamic VLANs if there’s no need to do this per user and if you’re good with the VLANs the user falls into from your SSID config. And if the IAP supports trunking (believe it does by default on Eth0, for other ports there’s wired-profile config needed), then just enable your switch ports for trunking all your (SSID) VLANs too. And from the switch you need routing/switching for these VLANs out similar to any wired traffic.  Please be aware of : https://community.arubanetworks.com/t5/Controllerless-Networks/creation-of-a-trunk-link-between-the-...

If there’s another requirement we’re missing here, please explain with the topology else please resolve the post I guess. LOL

Hope this helps.

Regards,
-r.


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi Karol,

Just curious, what is your reason(s) that you would want 802.1x on a port connecting to AP?

Usually the APs are connected somewhere high and not easily accessible.

Thanks.


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

Hi

Thanks.

Yes, if it would be supported on EX 3300, yes, it could be a solution, but from earlier posts it's not.

On the IAP side the eth0 port is by default set as trunk, so the one thing to configure is the supplicant.

Regards

Karol


Re: How to setup tagged vlans with 802.1x authentication on Juniper EX3300 switch

2 weeks ago

To some extent that's right that drops/ports for APs are in places less accessible, but they are always accessible anyhow.

The second reason, which is important for me, is to have all access switch ports configured the same, and to control VLANs and other settings from RADIUS (Aruba ClearPass).

Karol