We are thinking of implementing Juniper's UAC. We were told that, in order to achieve full interoperability with our current Cisco fabric, our existing legacy Cisco switching equipment needs to be updated to IOS 12.2.36 or better.
What functionality will not be available under a mixed Cisco environment?
I did a lab a few weeks ago with Cisco (12.2.44, if I'm not mistaken) and Juniper switches (Junos 10).
The following were tested successfully:
- MAC authentication bypass,
- Machine authentication, user authentication (both based on AD),
- Remediation VLAN + Endpoint Validation,
- Guest VLAN,
- Server Fail VLAN,
- MAB + 802.1X + Guest VLAN + Server Fail VLAN configured on one interface.
All the tests were successful!
By the way, I had problems with the Juniper switches with the following features: guest VLAN, server fail VLAN.
For Cisco switches, I recommend using 12.2(50). There are a lot of new 802.1X features in it.
UAC is a very good solution.
Can you please guide me through the high-level steps for configuring a Guest Access VLAN for the UAC solution?
Thanks for your help.
The Guest VLAN is not managed by the IC or by any 802.1X RADIUS server. It is managed by the switch when no 802.1X supplicant is detected on the switch port.
If no supplicant is negotiating authentication with the switch after connection, three options are available:
- Switch port is closed (default mode)
- Guest VLAN (VLAN ID configured in the switch configuration)
- MAC address authentication, which sends:
  - the MAC address as username
  - a combination of different values (MAC address, switch port number, ...) as password (depends on switch capability)
  - EAP-MD5-Challenge as the authentication method
In the IC configuration, MAC address authentication uses the "MAC Address Realm" to authenticate known non-802.1X hosts (printers, IP phones, ...).
Hi, thanks for the clarification. But the Guest VLAN on the switch can reach the other VLANs through inter-VLAN routing; how can we control that?
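One way the inter-VLAN routing concern raised in the question above is commonly handled when the switch itself routes between VLANs: an ACL applied inbound on the guest VLAN's SVI that lets guests obtain an address, resolve names and reach the Internet, but drops anything destined for the internal address ranges where the other VLANs live. This is an added example, not configuration posted by anyone in this thread; the guest VLAN ID (30), the guest subnet, and the DNS server address are placeholders.

```cisco
! Guest VLAN 30 is routed on SVI Vlan30 (addresses are placeholders).
! The ACL is applied inbound on the SVI, so it filters traffic coming
! FROM guests before the switch routes it anywhere else.
ip access-list extended GUEST-VLAN-IN
 remark Guests need DHCP (relayed by the SVI) and DNS to a permitted resolver
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.0.2.53 eq domain
 remark Drop everything aimed at internal address space (other VLANs live here)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Anything else (Internet-bound) is allowed
 permit ip any any
!
interface Vlan30
 description GUEST VLAN SVI
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-VLAN-IN in
```

If inter-VLAN routing is done upstream (on a router or firewall rather than the access/distribution switch), the same filter belongs on that device's guest interface instead; the switch-configured guest VLAN only decides which VLAN an unauthenticated port lands in, not what that VLAN may reach.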
Thanks for this wonderful information. I am starting to work on this new project and it's an all-Cisco environment. Now the customer is not happy about the same problems you mentioned in your other post about the 1 Gbps bandwidth limit and vendor lock-in on the other approach. Anyway, I have two questions. The customer has handheld scanners and fingerprint access-control devices, and they want to integrate all of that with the Juniper UAC solution. With this, they want to be able to dynamically add new devices (fingerprint scanners) and some other devices, but these are not based on IP addresses, only MAC addresses. My question: can we define a MAC range in our policy to enforce access control for the above devices in Juniper's UAC?
Also, can you please send me a guide that could help me with this integration? Anything would help.
I am trying to set up a small lab to learn Juniper UAC using an IC4500 and a Cisco 3560 switch. I am following the UAC quick start guide for reference. I am having a problem when configuring 802.1X authentication. The system is not getting assigned the user VLAN even after my PC is compliant. It always assigns the guest VLAN. Below is my switch config. Any help will be highly appreciated. The IOS version is 12.2(53)SE2.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
switchport mode access
authentication port-control auto
dot1x pae authenticator
It would be necessary to see more config than what you pasted. I don't even see a guest VLAN in your config.
What is your user VLAN, and what is your guest VLAN?
If this is a lab, there should be no problem in sharing the full config.
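The combination the earlier lab report listed (802.1X + MAB + guest VLAN + server-fail VLAN on one interface) and the switch-side fallback behaviour explained above, written out as one complete Catalyst configuration in the 12.2(50)SE-and-later authentication-manager syntax, which is also the syntax the fragment pasted in the question uses. This is an added example, not a configuration posted in this thread or taken from Juniper's or Cisco's documentation; the interface name, VLAN IDs, RADIUS server address and shared secret are placeholders.

```cisco
! ---- Global: AAA and 802.1X must both be enabled for the interface
! ---- commands below to take effect
aaa new-model
aaa authentication dot1x default group radius
! Needed for the switch to apply the VLAN the IC returns in RADIUS
! Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! RADIUS server = the Infranet Controller (address and key are placeholders)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET
radius-server vsa send authentication
! Dead-server detection drives the server-fail (critical) VLAN below
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! VLANs used by the fallback paths (user VLAN 20 is only the static default;
! the IC normally overrides it via the Tunnel-* attributes)
vlan 20
 name USERS
vlan 30
 name GUEST
vlan 40
 name AUTH-FAIL
vlan 50
 name SERVER-FAIL
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 ! Try 802.1X first; fall back to MAB when no supplicant answers
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 ! No supplicant AND MAB rejected -> guest VLAN (decided by the switch, not the IC)
 authentication event no-response action authorize vlan 30
 ! Credentials rejected by the IC -> auth-fail (restricted) VLAN
 authentication event fail action authorize vlan 40
 ! IC unreachable -> server-fail VLAN; re-authenticate when it comes back
 authentication event server dead action authorize vlan 50
 authentication event server alive action reinitialize
 authentication periodic
 authentication timer reauthenticate server
 ! MAB over EAP-MD5 (the method described above); plain "mab" uses PAP
 ! with the MAC address as the password
 mab eap
 dot1x pae authenticator
 ! Short EAP-Request timeout so non-802.1X hosts reach MAB/guest quickly
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

When a port keeps landing in the guest VLAN, `show authentication sessions interface GigabitEthernet0/1` shows which method (dot1x or mab) the port ended up on and which VLAN it applied, and `debug radius` shows whether the IC's Access-Accept actually carried the Tunnel-* attributes for the user VLAN; the remediation VLAN in a UAC deployment is likewise assigned by the IC through those attributes after Host Checker evaluation, not by the switch-side `authentication event fail` path.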
Do IP phones (with MAB) eat UAC licenses?