Radius fallback

Owned by Jean-luc KRIKER
Last updated: Oct 09, 2020
1 min read


RADIUS Server Is Unavailable to an EX Series Switch

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html#id-example-configuring-8021x-authentication-options-when-the-radius-server-is-unavailable



server fail fallback

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/radius-server-configuration-ex-series-cli.html#id-configuring-radius-server-fail-fallback-cli-procedure


  • Permit authentication, allowing traffic to flow from the end device through the interface as if the end device were successfully authenticated by the RADIUS server.

  • Deny authentication, preventing traffic from flowing from the end device through the interface. This is the default.

  • Move the end device to a specified VLAN if the switch receives a RADIUS access-reject message. The configured VLAN name overrides any attributes sent by the server. (The VLAN must already exist on the switch.)

  • Sustain authenticated end devices that already have LAN access and deny unauthenticated end devices. If the RADIUS servers time out during reauthentication, previously authenticated end devices are reauthenticated and new users are denied LAN access.



server fail fallback

set protocols dot1x authenticator interface <interface-name> server-fail permit

set protocols dot1x authenticator interface <interface-name> server-fail deny

set protocols dot1x authenticator interface <interface-name> server-fail <vlan-name>

set protocols dot1x authenticator interface <interface-name> server-fail use-cache



Reject fallback

set protocols dot1x authenticator interface <interface-name> server-reject-vlan <vlan-sf>

sustain 

permit

move