Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Why is 802.1X on trunk ports not supported?

    Posted 03-21-2016 02:10

    So a bunch of security-critical VLANs terminate at our WLAN access points (the APs themselves are 802.1X enabled in regard to wireless clients). Hence, all an attacker needs to do is unplug an AP, plug in a notebook and tag himself to the VLAN of his liking. To mitigate this, I set the hold timer to an arbitrarily high value, like 15 minutes. However, this is security through obscurity. I'd rather have those ports 802.1X enabled.

    However, when I try to enable 802.1X on a trunk port, I get

    "Cannot configure dot1x on this interface since the port-mode is defined as trunk".

    Why is that? What is the reason why this is not supported?

    It works without a problem on Cisco boxes; I just tried it in the lab.

    On a side note, the documentation does not mention this anywhere.

    http://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/802-1x-interface-settings-ex-series-cli.html

    We are running 12.3R11.2.



  • 2.  RE: Why is 802.1X on trunk ports not supported?

    Posted 03-21-2016 07:18

    Question: Are you saying that on a Cisco switch, if you enable 802.1X on your trunk interface and then attach the AP to it (with the AP also supporting 802.1X), everything then works properly?



  • 3.  RE: Why is 802.1X on trunk ports not supported?

    Posted 03-21-2016 12:06

    Yes, that's exactly what I'm saying. The AP is connected to a switch, with the uplink being configured as a trunk port. The VLANs which terminate at the AP are statically assigned on the uplink port of the AP; no dynamic assignments are taking place. The AP acts as an 802.1X supplicant from the switch's point of view. The wireless clients in turn are supplicants to the AP. Once the AP is successfully authenticated, the uplink port switches from access to trunk.

    But it's in the docs as well, see

    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/config-ieee-802x-pba.html

    IEEE 802.1X port-based authentication is configured on a device to prevent unauthorized devices (supplicants) from gaining access to the network. The device can combine the function of a router, switch, and access point, depending on the fixed configuration or installed modules. The switch functions are provided by either built-in switch ports or a plug-in module with switch ports. This feature supports both access ports and trunk ports.



  • 4.  RE: Why is 802.1X on trunk ports not supported?

    Posted 03-21-2016 12:09
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html

    Release 12.2(33)SXJ and later releases support the Network Edge Access Topology (NEAT) feature. NEAT extends identity to areas outside the wiring closet (such as conference rooms). This allows any type of device to authenticate on the port.

    • 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using the 802.1x supplicant feature. This configuration is helpful in a scenario where, for example, a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity.

    Once the supplicant switch authenticates successfully, the port mode changes from access to trunk.

    • If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the trunk port after successful authentication.



  • 5.  RE: Why is 802.1X on trunk ports not supported?

    Posted 12-16-2016 06:09

    This is an old thread, but I think I need to reply on this one. For non-ELS switches (EX2200, EX3300), Juniper supports port-mode tagged-access, which is available starting with 15.1R3.

    /A.


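    The following Junos configuration is an added example, not posted by anyone in this thread and not Juniper documentation. It shows the AP uplink from the original question first as a trunk (the form that the switch rejects for dot1x) and then re-declared as tagged-access with the same VLAN membership, followed by the authenticator and RADIUS settings that make the switch demand 802.1X from whatever is plugged into that port. Interface name, VLAN names, native VLAN, RADIUS address and the profile name are placeholders; the assumption that dot1x is accepted on tagged-access from 15.1R3 on non-ELS EX comes from the reply above and is not verified here.

    ```junos
    ## Constructed example for a non-ELS EX2200/EX3300; assumes Junos 15.1R3 or later.
    ## Placeholders: ge-0/0/10, VLANs corp-wifi/guest-wifi, native VLAN 100, RADIUS 192.0.2.10.

    ## BEFORE: plain trunk uplink to the AP. Committing a dot1x authenticator on this
    ## interface fails with "Cannot configure dot1x on this interface since the
    ## port-mode is defined as trunk", so anyone who unplugs the AP inherits the trunk.
    set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members [ corp-wifi guest-wifi ]
    set interfaces ge-0/0/10 unit 0 family ethernet-switching native-vlan-id 100

    ## AFTER: tagged-access keeps the same tagged VLANs and native VLAN, but is a port
    ## mode on which the dot1x authenticator can be configured.
    delete interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode tagged-access
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members [ corp-wifi guest-wifi ]
    set interfaces ge-0/0/10 unit 0 family ethernet-switching native-vlan-id 100

    ## RADIUS server and access profile used by the authenticator (address and secret are placeholders).
    set access radius-server 192.0.2.10 secret "<shared-secret>"
    set access profile dot1x-profile authentication-order radius
    set access profile dot1x-profile radius authentication-server 192.0.2.10

    ## Authenticator on the AP uplink: exactly one supplicant (the AP itself) is admitted,
    ## and it is re-authenticated hourly so a swapped device loses access on the next cycle.
    ## No server-fail fallback is configured, so the port stays closed if RADIUS is unreachable.
    set protocols dot1x authenticator authentication-profile-name dot1x-profile
    set protocols dot1x authenticator interface ge-0/0/10.0 supplicant single
    set protocols dot1x authenticator interface ge-0/0/10.0 transmit-period 30
    set protocols dot1x authenticator interface ge-0/0/10.0 reauthentication 3600
    ```

    After the commit, `show dot1x interface ge-0/0/10.0 detail` shows the port role, the admitted supplicant MAC and the VLANs it was placed in; a notebook plugged in where the AP used to be should show up there as an unauthenticated supplicant with the port in the blocked state rather than with the tagged VLANs listed.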

  • 6.  RE: Why is 802.1X on trunk ports not supported?

    Posted 08-23-2018 00:17

    Hello Jad,

    could you please share with me the link which states that this support was implemented in 15.1R3?



  • 7.  RE: Why is 802.1X on trunk ports not supported?

    Posted 08-27-2018 06:21