
Configure IC4000 and Juniper EX-series switch - Login to EX-Series switch's using AD account

charm_
New Contributor


Hi Guys,

Does anyone already have experience with this, or can anyone assist us with how to configure the Juniper IC4000 to integrate with Active Directory? The purpose of this is to use our AD account to log in to and manage an EX-series switch's J-Web and console.

Thanks

3 REPLIES
ManojReddy_
Contributor

Re: Configure IC4000 and Juniper EX-series switch - Login to EX-Series switch's using AD account

on switch:



set system authentication-order radius

set system radius-server <IC IP> secret <shared secret>

set system login user remote class super-user (configure whatever class that is required)



Configure the following on the IC:



configure an auth protocol set on IC and select PAP/CHAP

configure AD auth server in IC

configure a realm and make it use the above created AD Auth server for authentication and create role mapping rules

configure a sign-in policy and attach the realm and auth protocol set to it

create location group and attach it to above created sign-in policy

create EX switch as radius client and attach to above created location group

create radius return attribute policy and select the attribute "Juniper-Local-User-Name" and give its value as "remote" (or whatever you configured on the EX) and apply the policy to the roles to which you are mapping your users.
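A check for the switch side of the steps above, as an added example that is not part of the original reply and not Juniper tooling: it parses Junos `set` lines and confirms that RADIUS is in the authentication order, that a RADIUS server with a secret exists, and that the value returned in Juniper-Local-User-Name matches a local template user, flagging a super-user class. The function name, finding codes and sample values are assumptions made for illustration.

```python
# Constructed sample: the reply's three switch statements with the placeholders
# replaced by made-up data (192.0.2.10 is a documentation address).
SAMPLE = '''\
set system authentication-order radius
set system radius-server 192.0.2.10 secret "constructed-secret"
set system login user remote class super-user
'''

def audit(config, returned_user="remote"):
    """Check a Junos 'set' config against the setup described in the reply.

    returned_user: value the IC returns in Juniper-Local-User-Name (assumed input).
    Returns a list of (code, message) findings; an empty list means none.
    """
    order, servers_with_secret, users, findings = [], set(), {}, []
    for raw in config.splitlines():
        # Lines copied from the post still carry <IC IP> style placeholders.
        if "<" in raw and raw.lstrip().startswith("set "):
            findings.append(("PLACEHOLDER", f"unfilled placeholder: {raw.strip()}"))
            continue
        tok = raw.replace("[", " ").replace("]", " ").split()
        if tok[:3] == ["set", "system", "authentication-order"]:
            order += tok[3:]
        elif tok[:3] == ["set", "system", "radius-server"] and "secret" in tok[4:]:
            servers_with_secret.add(tok[3])
        elif (tok[:4] == ["set", "system", "login", "user"]
              and tok[5:6] == ["class"] and len(tok) > 6):
            users[tok[4]] = tok[6]
    if "radius" not in order:
        findings.append(("NO_RADIUS", "authentication-order does not include radius"))
    if not servers_with_secret:
        findings.append(("NO_SERVER", "no radius-server with a shared secret"))
    if returned_user not in users:
        findings.append(("NO_TEMPLATE",
                         f"no 'system login user {returned_user}' for the returned attribute"))
    elif users[returned_user] == "super-user":
        findings.append(("BROAD_CLASS",
                         f"'{returned_user}' is super-user: every mapped AD role gets full control"))
    return findings

if __name__ == "__main__":
    for code, msg in audit(SAMPLE):
        print(f"{code}: {msg}")
```
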

Zubin_
New Contributor

Configure IC4500 for MS AD for auth if Auth fails dump the computer/user to guest vlan

Manoj and everybody on the UAC team,

Is the scenario in the subject above possible using the IC4500? Our management wants to see if we can use the IC4500 for identity verification.

1. Desktop/Laptop would use the computer account name from MS AD.

If verification is confirmed, then put the computer in the Trusted VLAN to access all internal resources.

If authentication fails, the Desktop/Laptop needs to be dumped in a guest VLAN.

Please kindly let me know if this could be done. If so, is there a KB or a flow diagram of how this works?

Any help would be highly appreciated.

Thanks & Regards

ManojReddy_
Contributor

Re: Configure IC4500 for MS AD for auth if Auth fails dump the computer/user to guest vlan

This will work on any of the IC hardware.

You can use the machine authentication feature of OAC to get this to work.

Please read the admin guide of OAC for details on how to do machine auth and read the admin guide for details on how to configure the IC for 802.1x.

If you have any questions about the procedures in the docs, please mention them here.