Pushing RADIUS attributes to EX/SRX devices
There is a list of RADIUS attributes that can be pushed from the server to an EX or SRX and that override the corresponding configuration on the NAS.
You can find the entire list of attributes that EX or SRX can work with here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11078&smlogin=true
Let's demonstrate how an attribute pushed from the server takes precedence over what is configured on the EX.
I have this configuration on the EX:
{master:0}[edit]
root@EX4550# show protocols dot1x
authenticator {
    authentication-profile-name RADIUS;
    interface {
        ge-0/0/11.0 {
            mac-radius {
                restrict;
            }
        }
    }
}

{master:0}[edit]
root@EX4550# show interfaces ge-0/0/11
unit 0 {
    family ethernet-switching;
}

{master:0}[edit]
root@EX4550#
So I'm doing MAC authentication. The MAC that will be authenticated is 80:71:1f:cf:fc:8e. As you can see, none of the default timers have been altered.
One of these timers is the reauthentication timer, whose default value is 3600 seconds. The RADIUS attribute that controls it is Session-Timeout.
What I want to do is to change the value to 1000 seconds, but I want to push this change from the RADIUS server.
The RADIUS server will be FreeRadius.
The server is configured to accept RADIUS packets from the EX, and the MAC address that will be learned on ge-0/0/11 is present in the FreeRADIUS users file.
This is how the entry looks:
80711fcffc8e Auth-Type := "EAP", Cleartext-Password := "80711fcffc8e"
        Session-timeout=1000,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "v100"
This is the Access-Accept sent by the RADIUS:
Sending Access-Accept of id 2 to 192.168.158.163 port 53429
        Session-Timeout = 1000
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "v100"
        EAP-Message = 0x03010004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "80711fcffc8e"
As you can see the authentication was successful and the reauthentication timer configured on the server was applied:
{master:0}[edit]
root@EX4550# run show dot1x interface detail ge-0/0/11.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Restrict: Enabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: 80711fcffc8e, 80:71:1F:CF:FC:8E
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: Mac Radius
      Authenticated VLAN: v100
      Session Reauth interval: 1000 seconds
      Reauthentication due in 725 seconds

{master:0}[edit]
root@EX4550# run show ethernet-switching table interface ge-0/0/11
Ethernet-switching table: 1 unicast entries
  VLAN              MAC address       Type         Age Interfaces
  v100              *                 Flood          - All-members
  v100              80:71:1f:cf:fc:8e Learn          0 ge-0/0/11.0

{master:0}[edit]
root@EX4550#
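The EX applied the timer and VLAN purely on the strength of that Access-Accept, so what protects the switch from a forged reply is the Response Authenticator, an MD5 over the packet, the request's authenticator and the shared secret. The following added example (my own code, not from the post or from FreeRADIUS/Junos) builds an Access-Accept carrying the same attributes as the reply above and then verifies and decodes it; the shared secret, Request Authenticator and packet id are constructed values.

```python
import hashlib
import struct

# Attribute types (RFC 2865 / RFC 2868) seen in the Access-Accept above.
SESSION_TIMEOUT, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 27, 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2   # IANA values for VLAN / IEEE-802; packet code 2

# Constructed sample values (not from the post): shared secret and the 16-byte
# Request Authenticator that the EX sent in its Access-Request.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))

# (type, raw value) pairs matching the FreeRADIUS reply in the post.
SAMPLE_ATTRS = [
    (SESSION_TIMEOUT, struct.pack("!I", 1000)),
    (TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big")),            # tag 0 + 3-byte integer
    (TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"v100"),                # tag 0 + string
]

def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept; the Response Authenticator binds it to the request."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_access_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then decode the attributes the NAS applies.
    Returns None if the packet was forged or altered (authenticator mismatch)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    if hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest() != packet[4:20]:
        return None
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                     # malformed TLV: reject instead of looping
        value = packet[pos + 2:pos + alen]
        if atype == SESSION_TIMEOUT:
            attrs["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):    # tagged integer: tag + 3 bytes
            name = "Tunnel-Type" if atype == TUNNEL_TYPE else "Tunnel-Medium-Type"
            attrs[name] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:              # tag byte only present if <= 0x1F
            attrs["Tunnel-Private-Group-Id"] = (value[1:] if value[0] <= 0x1F else value).decode()
        pos += alen
    return attrs
```

A reply built with a different secret, or with any attribute byte changed after the fact, fails the authenticator check and is returned as None, which is exactly why the NAS and server must share a strong secret.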
There are other attributes that you can push from the RADIUS server such as a firewall filter.
As you can see, the Juniper devices are accepting the attributes sent by the RADIUS server.
There is a difference between Cisco and Juniper devices with regards to this behavior.
On Cisco devices you would need to configure the device to trust the attributes sent by the server. This is what I mean.
For our example, to configure a Cisco device to trust the reauthentication attribute sent by the server, you would need to configure this:
(config-if)#authentication timer reauthenticate server
Junos allows a greater flexibility with less configuration overhead.