Once the VLAN is assigned to the switchport (EAP-Success from the IC), the machine with Pulse installed will have an IP address assigned.
And the assigned IP address must be able to reach the IC for L3 enforcement.
I'll try to explain my query further... I have two VLANs, 10 and 20. The endpoint gets the IP 192.168.10.11/24 with VLAN 10 and the IP 192.168.20.11/24 with VLAN 20. Both VLANs are also configured on the IC; on the IC the VLAN 10 IP is 192.168.10.200 and the VLAN 20 IP is 192.168.20.200. When the client connects with VLAN 10 my Pulse client shows a connection named "Local Area Connection" with IP 192.168.10.200, and when the IC changes the VLAN dynamically the Pulse client shows "Local Area Connection" with IP 192.168.20.200. As the VLAN changes, the Pulse connection also changes automatically, which is understandable.
Now, when I move the IC to layer 3, meaning there is a layer-three device between the switch and the IC, I am not able to connect to the IC with the Pulse client. Can I manually configure a connection for 802.1x on the Pulse client?
Pulse-Client (Supplicant) ----> EX3200 (Authenticator) --------> L3 Router/Firewall -----> IC/Radius
The links between the EX3200, the router and the IC are layer 3.
In Network Access -> "Radius Return Attribute Policies" you can specify the interface that endpoints on the configured VLANs will use to connect to the Infranet Controller once they are assigned to a role. You are probably using the default setting, which is "Automatic (use configured VLANs)". You can change it to the "Internal" or "External" IC interface.
Configure dot1x to use a RADIUS group, then configure the IC as a RADIUS server on the switch.
Configure the switch as a RADIUS client on the IC.
Now you will be able to forward the authentication request to the IC over Layer 3.
Configure RADIUS accounting to send start/stop status from the switch to the IC, so the IC knows when users go off.
Instead of pushing VLANs from the IC, configure Guest and Production locally on the switch and configure events for these.
For quarantine users you can push the VLAN.
- Fail (auth fail)
- Server dead (IC not accessible from switch)
I am using Cisco terms; I am sure you can find the equivalent commands on Juniper.
Any more questions... Skype me.
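The steps in the post above, translated into Junos EX set-style configuration, are added here as an example; this is not configuration from the post or from Juniper documentation. The IC address 192.0.2.10 (reachable only over L3), the switch source address 198.51.100.2, the shared secret placeholder, the profile, VLAN and interface names are all assumptions; substitute your own values.

```junos
# Added example, not from the original post. Assumed values: IC at 192.0.2.10
# behind a router, switch source address 198.51.100.2, placeholder secret,
# profile IC-DOT1X, VLANs Production/Guest, access port ge-0/0/1.0.

# 1. The IC as RADIUS server: authentication on 1812, accounting on 1813.
#    source-address pins the client address the IC must be told about when
#    the switch is added there as a RADIUS client.
set access radius-server 192.0.2.10 port 1812
set access radius-server 192.0.2.10 accounting-port 1813
set access radius-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
set access radius-server 192.0.2.10 source-address 198.51.100.2

# 2. Access profile used by dot1x: authenticate via RADIUS and send
#    start/stop accounting so the IC learns when a user goes away.
set access profile IC-DOT1X authentication-order radius
set access profile IC-DOT1X radius authentication-server 192.0.2.10
set access profile IC-DOT1X radius accounting-server 192.0.2.10
set access profile IC-DOT1X accounting order radius

# 3. VLANs defined locally on the switch instead of being pushed by the IC.
set vlans Production vlan-id 10
set vlans Guest vlan-id 20

# 4. 802.1X on the access port. The two failure events from the post map to
#    server-reject-vlan (auth fail) and server-fail (IC unreachable). A
#    quarantine VLAN can still be assigned by the IC through its RADIUS
#    return attributes; nothing extra is needed on the port for that.
set protocols dot1x authenticator authentication-profile-name IC-DOT1X
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan Guest
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail vlan-name Guest
```

After committing, `show dot1x interface ge-0/0/1.0 detail` shows which VLAN the port ended up in and whether it came from the RADIUS reply or from one of the local fallback events, which is the quickest way to confirm that the request really reached the IC across the L3 hop.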
Actually, I am a bit confused by the Pulse client software behavior. With L3 enforcement we create the connection on Pulse manually or download it from the IC. But with 802.1x, is it necessary to enable 802.1x in the TCP/IP settings? Can we control the connections manually? Can we disable 802.1x in the Windows TCP/IP connection settings and then use 802.1x? We use Pulse as a supplicant, but what is the Windows supplicant?
Junos Pulse is the client/supplicant for Windows; you don't need to configure dot1x on Windows. Create a profile for the Odyssey or Junos Pulse client, and install it on the PC manually.
The ideal setup would be to have a domain environment and then push the client to the end stations through the domain; then you can integrate your IC with AD and use user credentials to authenticate from the supplicant installed on the Windows machine.