802.1x/dot1x Authentication on SRX configuration
Only a switch can do 802.1x. vSRX is NOT a switch, so it does not have this feature.
1- Configure the router as a NAC (point it to the RADIUS server)
2- Add the authentication policy and apply it to the interface
3-
[edit access]
root@vSRX1# show
radius-server {
    192.168.0.10 secret "$9$hxsrMXVb2aJDVwoGUjf51RESKMX7-"; ## SECRET-DATA
}
profile authprofile {
    authentication-order radius;
    radius {
        authentication-server 192.168.0.10;
    }
}
[edit protocols dot1x]
root@vSRX1# show
authenticator {
    authentication-profile-name authprofile;
}
On vSRX:
root@vSRX1> test aaa authd-lite profile authprofile user testing password password
Authentication Grant
************User Attributes***********
User Name - testing
Framed IPv6 Prefix - ::/0
Framed IPv6 Pool - NULL
NDRA IPv6 Prefix - NULL
Login IPv6 Host - ::
Framed Interface Id - 0:0:0:0
Delegated IPv6 Prefix - ::/0
Delegated IPv6 Pool - NULL
NDRA IPv6 Pool - NULL
User Password - password
Nas Ip Address - 0.0.0.0
NAS Port - 0
Service Type- 0
Framed IP Address - 0.0.0.0
Framed IP Netmask - 0.0.0.0
Filter Id - NULL
Framed MTU - 0
Reply Message - NULL
Framed Route- not set
Framed MTU - 0
Class - not set
Virtual Router Name NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Ingress Statistics disabled
Egress Statistics disabled
Ingress Policy Name not set
Engress Policy Name not set
IGMP disabled
Redirect VR Name not set
Service Bundle not set
Framed Ip Route Tag not set
LI Action 0
LI Interception Identifier 0
LI Mediation Device IP Address 0.0.0.0
LI Mediation Device Port Number 0
Activate Service NULL
Deactivate Service NULL
Service Statistics 0
Ignore DF Bit - disabled
IGMP Access Group Name not set
IGMP Access Source Group_Name - not set
MLD Access Group Name not set
MLD Access Source Group Name not set
MLD Version - MLD Version not set
IGMP Version IGMP Version not set
IGMP Immediate Leave - disabled
MLD Immediate Leave - disabled
IPv6 Ingress Policy Name - not set
IPv6 Egress Policy Name - not set
Service Interim Acct Interval 0
Max Clients Per Interface 0
Session Timeout 599999940
NAS Port Type 0
Framed Pool NULL
Idle Timeout 0
Agent Remote Id - not set
Acct-start sent
Acct-start failed
Logging out subscriber
Terminate Id - not set
Test complete. Exiting
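The test output above echoes the user password in clear text, and the "show" output carries the RADIUS shared secret. The following is an added example, not part of the original page or of any Juniper tool: it reads the result of a test run and masks both values before the text is pasted into a ticket or post. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the format shown above (abridged; values are placeholders).
SAMPLE = """\
192.168.0.10 secret "$9$CONSTRUCTED-PLACEHOLDER"; ## SECRET-DATA
root@vSRX1> test aaa authd-lite profile authprofile user testing password password
Authentication Grant
************User Attributes***********
User Name - testing
User Password - password
Service Type- 0
Session Timeout 599999940
Acct-start sent
Acct-start failed
Test complete. Exiting
"""

# "Name - value" and "Name- value" lines; lines without a dash separator are skipped.
ATTR = re.compile(r"^(?P<key>[A-Za-z].*?)\s*-\s+(?P<value>.+)$")
REDACTIONS = [
    # password argument on the test command line
    (re.compile(r"(\buser\s+\S+\s+password\s+)\S+"), r"\1<redacted>"),
    # password echoed back in the attribute dump
    (re.compile(r"^(User Password[ \t]*-[ \t]*).*$", re.M), r"\1<redacted>"),
    # RADIUS shared secret in 'show' output
    (re.compile(r'(\bsecret\s+)"[^"]*"'), r'\1"<redacted>"'),
]

def parse_test_aaa(text):
    """Return (granted, attributes, acct_start_failed_line_present)."""
    lines = [line.strip() for line in text.splitlines()]
    # Only the grant string shown on the page is recognised; anything else is "not granted".
    granted = "Authentication Grant" in lines
    attrs = {}
    for line in lines:
        m = ATTR.match(line)
        if m:
            attrs[m["key"]] = m["value"]
    return granted, attrs, "Acct-start failed" in lines

def redact(text):
    """Mask the test password and the shared secret before the text is shared."""
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text

if __name__ == "__main__":
    granted, attrs, acct_failed = parse_test_aaa(SAMPLE)
    print("granted:", granted, "| 'Acct-start failed' present:", acct_failed)
    print(redact(SAMPLE))
```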