I am facing some problem related to 802.1x enforcement with Juniper EX switch.
- I made two roles, role1 and role2, enabled the host checker policy only on role1, and mapped role1 to vlan-id 10 and role2 to vlan-id 20.
ON EX Switch:
- I enabled the 802.1x authentication on port ge-0/0/2 with single supplicant.
Through OAC the user is authenticated, and on the switch I was seeing ge-0/0/2 in the correct vlan 20 when the user did not comply with the host checker policy. BUT when I disconnected the user from OAC, reconnected and made sure that the user complied with the host checker policy, on the switch I was seeing port ge-0/0/2 authenticated but still in vlan 20, not in vlan 10.
Also I made the switch the DHCP server for VLAN 10 and VLAN 20 and configured the SVI interfaces for both VLANs and DHCP pools for both VLANs. When the user is in either vlan 10 or vlan 20 after authentication through OAC, the user is not able to get an IP from the DHCP server, and when I check "show vlan brief" on the switch it is not showing any layer-3 IP on vlan 10 and 20.
Kindly help me out what I am missing.
Have you verified via Policy Trace on the IC that the user is only getting the role associated with VLAN 10?
If he is getting both roles, the IC will send the first VLAN associated with the user. So, if he has 20 listed first and then 10, we will send only VLAN 20 back. You can't send multiple VLAN values for a user. This is a common misconfig on the IC that people can run into.
If you are only getting the one role for VLAN 10, then I suggest you open a JTAC ticket with the EX team and have them help you debug the switch.
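To make the role-to-VLAN selection in the reply above concrete, here is an added example (not from the thread or from any Juniper product) that models the rule "only the first matched role's VLAN is sent" and flags a policy where a user matches roles with different VLANs. The role names, VLAN ids, the host-check flag and the "first role wins" behaviour are assumptions taken from this thread.

```python
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    vlan: int
    requires_host_check: bool = False  # True: mapped only when the host checker policy passes


@dataclass
class Endpoint:
    user: str
    host_check_passed: bool


def matched_roles(policy, endpoint):
    """Roles the endpoint qualifies for, in the order the policy lists them."""
    return [r for r in policy if not r.requires_host_check or endpoint.host_check_passed]


def select_vlan(policy, endpoint):
    """Return (vlan, warnings). Assumed rule from the reply: a single VLAN is
    sent, taken from the first matched role, so a second matched role with a
    different VLAN is silently ignored; this audit reports it as a warning."""
    matched = matched_roles(policy, endpoint)
    if not matched:
        return None, ["no role matched; no VLAN will be sent"]
    vlans = sorted({r.vlan for r in matched})
    warnings = []
    if len(vlans) > 1:
        warnings.append("roles map to different VLANs %s; only vlan %d (role %s) is sent"
                        % (vlans, matched[0].vlan, matched[0].name))
    return matched[0].vlan, warnings


# Constructed policy mirroring the thread: role1 needs the host checker -> vlan 10,
# role2 has no host checker -> vlan 20. Both orderings are shown because order decides.
ROLE1 = Role("role1", 10, requires_host_check=True)
ROLE2 = Role("role2", 20)

if __name__ == "__main__":
    for order in ([ROLE1, ROLE2], [ROLE2, ROLE1]):
        for ep in (Endpoint("alice", True), Endpoint("alice", False)):
            vlan, warns = select_vlan(order, ep)
            state = "compliant" if ep.host_check_passed else "non-compliant"
            print([r.name for r in order], state, "->", vlan, warns)
```

Running it shows that a compliant endpoint matches both roles (role2 has no condition), so with role2 listed first it lands in VLAN 20 even though the host check passed, which is the symptom described in the question.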
Thanks for the help. BUT I have enabled the host checker policy on one role and there is no host checker policy on the other role. So how is it possible that users get two roles? Anyway, I will troubleshoot on the IC via policy tracing.
Thanks again for the help.