Read KB:12722 :> >>> " have some doubts / questions " ????? experts plz help !

Occasional Contributor


I have a LAN comprised of 10 VLANs, from VLAN 100 to VLAN 110.

My full LAN network is on Cisco layer 2 switches trunked to 2 Cisco 6500 core switches.

I have successfully installed in cluster mode 2 IC 4500 boxes, and from the user VLANs I can ping them and vice versa.

My scenario is that I want to make sure that all users (they are getting IPs from DHCP by default) must do 802.1X authentication on ports and only upon success are permitted to go to the internet.

My LAN is not very big or complex!

Also I have some queries below:

1. The KB uses the Odyssey client; can I use Junos Pulse or a clientless setup for Windows users? Most of them are using Windows 7 and Windows XP.
2. I have ten VLANs working in my building, from VLAN 100 to VLAN 110, and I want VLAN 999 to be my quarantine or auth-fail VLAN. Would it work fine if I have Cisco switches at the users and my IC is licensed and located in another VLAN connected through the internal port only?
3. Would this dot1x solution of the KB mentioned in the thread allow AD integration and also run the Junos Pulse client as single sign-on automatically?

A Juniper enthusiast!!!!

Awaiting reply...

Kamran.

Regular Contributor

Re: Read KB:12722 :> >>> " have some doubts / questions " ????? experts plz

Hi Kamran,

Yes, you can do dot1x with Junos Pulse installed on Windows 7 and XP machines.

Perhaps Junos Pulse does not support all flavors of EAP methods; you can only do EAP-TTLS.

You can have users connected to one VLAN and the IC on another VLAN.

As long as the packet reaches the IC (a route exists), there shouldn't be any problem.

From your query I understand that you are trying to do dot1x. Agentless comes into the picture for the case where the user has an IP address and connectivity to the IC.

HTH!

Regards,

Raveen

Occasional Contributor

Re: Read KB:12722 :> >>> " have some doubts / questions " ????? experts plz

I get you now... so are my following conclusions correct? Please endorse with a reply to them!!!!

1> 802.1X can be done with the Junos Pulse client with no issues as long as I use EAP-TTLS!

2> 802.1X will need RADIUS client configuration on the switches and the RADIUS server configured as the IC 4500 cluster IP!

3> For 802.1X I can put full access to all real VLANs (access VLANs) and create only 1 VLAN for quarantine/remediation!

4> I have a single-site setup with Cisco switches, and I only want to ensure that users should not be allowed to use the internet if they are not authenticated on 802.1X ports with their proper USER CREDENTIALS! "Well, is the end-point security setting mandatory, or can only authentication with 802.1X work as well?"

5> I HAVE no IP phones or PoE devices, but to bypass 802.1X can I exempt the PRINTERS on ports, or simply not configure those ports with 802.1X? What is your advice?

Waiting anxiously for a reply to my queries.

truly,

Kamran.

Regular Contributor

Re: Read KB:12722 :> >>> " have some doubts / questions " ????? experts plz

Hi Kamran,

Your understanding is correct!

And for printers, you could do MAC (MAC auth bypass) or simply not configure dot1x on the switchport, as you know.

Regards,

Raveen

Regular Contributor

Re: Read KB:12722 :> >>> " have some doubts / questions " ????? experts plz

It is MAB; a typo in my earlier response.

And to answer question no. '4'... typically the endpoint health check is done apart from USER credentials.

Perhaps it is up to you to leverage the security levels based on your design.
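As an added example (not from the thread, and not Juniper's or Cisco's own documentation), this is the switch-side Cisco IOS configuration the conclusions above describe: the IC cluster as RADIUS server, 802.1X on user ports with VLAN 999 as the auth-fail/quarantine VLAN, and MAB for printer ports. IC-CLUSTER-VIP, SHARED-SECRET, the interface names and the access VLAN numbers on each port are placeholders/assumptions.

```cisco
! --- Global: the IC 4500 cluster is the RADIUS server for dot1x and MAB ---
aaa new-model
aaa authentication dot1x default group radius
! authorization is needed if the IC returns a VLAN in the RADIUS reply
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! IC-CLUSTER-VIP and SHARED-SECRET are placeholders; the IC must list this
! switch as a RADIUS client with the same secret
radius-server host IC-CLUSTER-VIP auth-port 1812 acct-port 1813 key SHARED-SECRET
! enable 802.1X globally; without this the interface commands do nothing
dot1x system-auth-control

! --- User port: dot1x first, fall back to MAB; failure or no supplicant -> VLAN 999 ---
interface GigabitEthernet1/0/1
 description user port (placeholder), access VLAN 100
 switchport mode access
 switchport access vlan 100
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! wrong credentials: quarantine VLAN 999
 authentication event fail action authorize vlan 999
 ! no supplicant at all (unmanaged PC): quarantine VLAN 999, not the user VLAN
 authentication event no-response action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast

! --- Printer port: MAB only, printer MAC registered on the IC ---
interface GigabitEthernet1/0/24
 description printer port (placeholder), access VLAN 105
 switchport mode access
 switchport access vlan 105
 authentication order mab
 authentication port-control auto
 authentication event fail action authorize vlan 999
 mab
 spanning-tree portfast
```

The quarantine only denies internet access if VLAN 999 is actually isolated on the 6500 core (no default route out, or an ACL on its SVI); a port placed in VLAN 999 by the switch is otherwise just another VLAN. Verify a port's state with `show authentication sessions interface GigabitEthernet1/0/1` before rolling the template out to all ports.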