I'm trying to achieve 802.1x authentication on Windows 7 clients. I want to achieve dynamic VLAN switching and perform the authentication with certificates.
I have the following configuration on my switches:
protocols {
    dot1x {
        authenticator {
            authentication-profile-name prof1;
            interface {
                ge-2/0/19.0 {
                    supplicant single;
                    guest-vlan DMZ_vlan;
                }
            }
        }
    }
}
access {
    radius-server {
        193.63.211.21 secret "$9$LDMX7VgoJHkPWL-wsYGU0O1Ehr8LNwY4qmcyrlMWVwYgUifTzn6CQzt01hKv"; ## SECRET-DATA
    }
    profile prof1 {
        authentication-order radius;
        radius {
            authentication-server 193.63.211.21;
        }
    }
}
However, authentication isn't working. If I look at the interface with a connected laptop, I see this:
ge-2/0/19.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: DMZ_vlan
  Number of connected supplicants: 1
    Supplicant: No User-philip, 5C:26:0A:1F:A6:F4
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: GuestVlan
      Authenticated VLAN: DMZ_vlan
      Session Reauth interval: 3600 seconds
      Reauthentication due in 3213 seconds
and if I log off, I see this:
ge-2/0/19.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: DMZ_vlan
  Number of connected supplicants: 1
    Supplicant: host/53PD0P1.win.dante.org.uk, 5C:26:0A:1F:A6:F4
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: GuestVlan
      Authenticated VLAN: DMZ_vlan
      Session Reauth interval: 3600 seconds
      Reauthentication due in 3503 seconds
The odd thing is that I am not seeing any traffic from the switch asking for authentication for either the computer or the user. As a result, the connection always ends up in the guest VLAN.
I thought that I had at least got user authentication with username and password working last week, but that appears to have stopped, and I'm concerned that the introduction of virtual routers on the DMZ VLAN and the office VLANs might be preventing the authentication traffic from flowing.
Any comments or suggestions, please?
I should have added that the EX-4200 switches are running 11.1R2.3.
Regards
Philip
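As an added example (not from the original post or from Juniper), the script below parses the `show dot1x interface detail` output quoted above and flags every supplicant whose session reads "Authenticated" but only via the guest VLAN, i.e. sessions the RADIUS server never saw. That is the condition the post describes: the port looks healthy while no EAP exchange reached 193.63.211.21. The sample text is a constructed copy of the second output block above; the field names, including the "Authentcation method" spelling exactly as printed there, are matched as they appear, and the parser accepts the correctly spelled form as well.

```python
"""Parse Junos EX `show dot1x interface <ifl> detail` output and flag
supplicants that only reached the guest VLAN.  Added example for this
thread; not Juniper code.  SAMPLE is a constructed copy of the output
quoted in the post."""

import re
from typing import Dict, List

SAMPLE = """\
ge-2/0/19.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Configured Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: DMZ_vlan
  Number of connected supplicants: 1
    Supplicant: host/53PD0P1.win.dante.org.uk, 5C:26:0A:1F:A6:F4
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentcation method: GuestVlan
      Authenticated VLAN: DMZ_vlan
      Session Reauth interval: 3600 seconds
      Reauthentication due in 3503 seconds
"""

IFACE_RE = re.compile(r"^(\S+\.\d+)\s*$")
SUPPLICANT_RE = re.compile(
    r"^\s*Supplicant:\s*(?P<user>.+?),\s*"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$"
)
DUE_RE = re.compile(r"^\s*Reauthentication due in (?P<secs>\d+) seconds\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")
# The switch output above spells this field "Authentcation method";
# accept both spellings and normalise to one key.
AUTH_METHOD_KEYS = {"Authentcation method", "Authentication method"}


def parse_dot1x_detail(text: str) -> Dict[str, dict]:
    """Return {interface: {"fields": {...}, "supplicants": [{...}, ...]}}.

    Lines before the first 'Supplicant:' line belong to the interface;
    lines after it belong to the most recent supplicant."""
    result: Dict[str, dict] = {}
    current = None
    supplicant = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = IFACE_RE.match(line)
        if m:
            current = {"fields": {}, "supplicants": []}
            result[m.group(1)] = current
            supplicant = None
            continue
        if current is None:
            raise ValueError(f"field before any interface header: {line!r}")
        m = SUPPLICANT_RE.match(line)
        if m:
            supplicant = {"user": m.group("user"), "mac": m.group("mac").upper()}
            current["supplicants"].append(supplicant)
            continue
        target = supplicant if supplicant is not None else current["fields"]
        m = DUE_RE.match(line)
        if m:  # only line in the output without a 'key: value' shape
            target["reauth_due_seconds"] = int(m.group("secs"))
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key = m.group("key")
        if key in AUTH_METHOD_KEYS:
            key = "Authentication method"
        target[key] = m.group("val")
    return result


def guest_vlan_sessions(parsed: Dict[str, dict]) -> List[dict]:
    """Supplicants whose only 'authentication' was the guest-VLAN fallback."""
    hits = []
    for ifname, data in parsed.items():
        for s in data["supplicants"]:
            if s.get("Authentication method") == "GuestVlan":
                hits.append({"interface": ifname, "user": s["user"],
                             "mac": s["mac"], "vlan": s.get("Authenticated VLAN"),
                             "guest_vlan": data["fields"].get("Guest VLAN member")})
    return hits


if __name__ == "__main__":
    for h in guest_vlan_sessions(parse_dot1x_detail(SAMPLE)):
        print(f"{h['interface']}: {h['user']} ({h['mac']}) fell back to "
              f"guest VLAN {h['vlan']}; RADIUS never authenticated it")
```

Run it against the live output (`show dot1x interface ge-2/0/19.0 detail | no-more`) piped into the script and a non-empty result means the port is "up" only because of `guest-vlan`; an empty result with `Authentication method: Radius` is what a working certificate exchange should produce.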
Looks like virtual routers are "breaking" dot1x. If I remove the virtual router configuration, dot1x starts working again. Put back the VR config and it stops again.
I've opened a separate thread on the Ethernet Switching forum now because they might know more about why VRs are breaking this.