Pushing RADIUS attributes to EX/SRX devices

There is a list of RADIUS attributes that can be pushed from the server to an EX or SRX which will override the configuration from the NAS.

You can find the entire list of attributes that EX or SRX can work with here:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11078&smlogin=true

Let’s demonstrate how an attribute pushed from the server will take precedence before what is configured on the EX.

I have this configuration on EX:

{master:0}[edit]
root@EX4550# show protocols dot1x
authenticator {
    authentication-profile-name RADIUS;
    interface {
        ge-0/0/11.0 {
            mac-radius {
                restrict;
            }
        }
    }
}

{master:0}[edit]
root@EX4550# show interfaces ge-0/0/11
unit 0 {
    family ethernet-switching;
}

{master:0}[edit]
root@EX4550#

So I’m doing MAC authentication. The MAC that will be authenticated is 80:71:1f:cf:fc:8e. As you can see there is no alteration of the default timers.

One of these timers is reauthentication and the default value is 3600 seconds. This is called Session-Timeout attribute.

What I want to do is to change the value to 1000 seconds, but I want to push this change from the RADIUS server.

The RADIUS server will be FreeRadius.

The server is configured to accept RADIUS packet from the EX and the MAC address that will be learned on ge-0/0/11 is in the users file from the FreeRadius.

This is how the entry looks like:

80711fcffc8e Auth-Type := "EAP", Cleartext-Password := "80711fcffc8e"
                Session-timeout=1000,
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "v100"

This is the Access-Accept sent by the RADIUS:

Sending Access-Accept of id 2 to 192.168.158.163 port 53429
    Session-Timeout = 1000
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "v100"
    EAP-Message = 0x03010004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "80711fcffc8e"

As you can see the authentication was successful and the reauthentication timer configured on the server was applied:

{master:0}[edit]
root@EX4550# run show dot1x interface detail
ge-0/0/11.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Enabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: 80711fcffc8e, 80:71:1F:CF:FC:8E
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: Mac Radius
      Authenticated VLAN: v100
      Session Reauth interval: 1000 seconds
      Reauthentication due in 725 seconds

{master:0}[edit]
root@EX4550# run show ethernet-switching table interface ge-0/0/11
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  v100              *                 Flood          - All-members
  v100              80:71:1f:cf:fc:8e Learn          0 ge-0/0/11.0

{master:0}[edit]
root@EX4550#

There are other attributes that you can push from the RADIUS server such as a firewall filter.

As you can see, the Juniper devices are accepting the attributes sent by the RADIUS server.

There is a difference between Cisco and Juniper devices with regards to this behavior.

On Cisco devices you would need to configure the devices to trust the attributes sent by the server. And this is what I mean.

As an analogy for our example, to configure a Cisco device to trust the reauthentication attribute sent by the server, you would need to configure this:

(config-if)#authentication timer reauthenticate server

Junos allows a greater flexibility with less configuration overhead.

The following two tabs change content below.

• Bio
• Latest Posts

Paris ARAU

Paris ARAU is a networking professional with strong background on routing and switching technologies. He is a holder of CCIE R&S and dual JNCIE(SP and ENT). The day to day work allows him to dive deeply in networking technologies. Part of the continuously training, he is focusing on Software Defined Network and cloud computing.

Latest posts by Paris ARAU (see all)

• Junos Fusion – Part IV – Satellite policies and uplink failure detection - 30 July 2018
• Junos Fusion – Part III – Satellite commands and traffic forwarding - 16 July 2018
• Junos Fusion – Part II – Configuration, Administration and Operation - 16 July 2018
• Junos Fusion – Part I – Overview, Components, Ports and Software - 11 July 2018
• Vagrant – Part IV – Network topology using Juniper and Cumulus - 26 April 2018