Switching


Dynamic vlan and port bounce

  • 1.  Dynamic vlan and port bounce

    Posted 02-22-2018 07:02

    Hi, I am currently testing 802.1x authentication. I have done the setup on an EX2300C running Junos 15.1X53-D56. Everything looks to work as expected. Our RADIUS server, FreeRADIUS, returns the proper VLAN information and then the port is moved to the right VLAN. However, I am having an issue where once the user logs in, if his assigned VLAN is different from the default one assigned to the PC, the system doesn't renew its IP address. I guess that when the VLAN changes the port should be automatically bounced in order to force the client to renew its IP address. Am I doing something wrong? Here is the configuration I use...

     

    lpaulin@wlt4-testing-01# show protocols dot1x
    traceoptions {
        file dot1x size 10m files 2;
        flag vlan;
        flag state;
        flag normal;
        flag general;
        flag eapol;
        flag dot1x-ipc;
        flag dot1x-event;
        flag config-internal;
        flag task;
        flag timer;
        flag parse;
    }
    authenticator {
        authentication-profile-name stingray-users;
        interface {
            ge-0/0/10.0 {
                supplicant multiple;
                mac-radius {
                    flap-on-disconnect;
                }
                reauthentication 60;
                guest-vlan 142;
            }
        }
    }

     

    lpaulin@wlt4-testing-01# show access
    radius-server {
        10.250.a.a {
            secret "somethingSecret"; ## SECRET-DATA
            source-address 10.250.c.c;
        }
        10.250.a.b {
            secret "somethingSecret"; ## SECRET-DATA
            source-address 10.250.c.c;
        }
    }
    profile stingray-users {
        authentication-order radius;
        radius {
            authentication-server [ 10.250.a.a 10.250.a.b ];
        }
    }

     

    lpaulin@wlt4-testing-01# show interfaces ge-0/0/10
    description SpareLaptop;
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            storm-control default;
        }
    }




  • 2.  RE: Dynamic vlan and port bounce

    Posted 03-22-2018 02:14

    I am currently trying to do something similar. I think you need a new feature to be supported in Junos called 'port-bounce'. This is where the RADIUS server sends a CoA (Change of Authorization) message to the switch that changes the VLAN and also bounces the port to force a new DHCP request.

    Apparently no config is required on the switch, but the feature was only implemented in 17.3 on an EX4300 (which is what I am using - not sure about your switch). So you may want to look at Pathfinder.juniper.net to see if you need a new Junos. Here is some info:

    https://apps.juniper.net/feature-explorer/feature-info.html?fKey=7896&fn=Port+bounce+with+CoA+requests+and+framed-IPv6-address+RADIUS+attribute+for+AAA

     

    The other thing you need is for the Port-Bounce RADIUS VSA to be sent by the RADIUS server. Our server does not have this in the juniper.dct file, so it is unable to send it. Unfortunately I have also been unable to find a new juniper.dct dictionary anywhere.

     

    More info:  https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-radius-initiated-changes.html#jd0e56

     

    We use Pulse Policy Secure for this, and I was considering modifying the juniper.dct file to include the new VSA, but I don't know what the attribute value should be. If you find out, do let me know!

     

    Good luck.

    Andy



  • 3.  RE: Dynamic vlan and port bounce

    Posted 03-29-2018 00:30

    Hi

     

    Junos 18.1R1 was released a couple of days ago and it supports EX2300/EX3400.

    https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/18.1/junos-release-notes-18.1.pdf

     

    Even though the CoA port bounce feature is there in 18.1R1, it's not officially tested for EX2300/EX3400 yet. With that said, I tried CoA session terminate and port bounce from Cisco ISE 2.3.0 with an EX2300-C-12P running 18.1R1 and it works, so you can test it in your lab environment.

     

    Mar 28 09:09:43.633291 CoA-Request received for user (Not Present)
    Mar 28 09:09:43.633317 CoA-Request received for acctg-sess-id (8O2.1x817c00230001c19e): Session: 0xe24000
    Mar 28 09:09:43.633342 No VLAN attributes configured or Captive-Portal enabled
    Mar 28 09:09:43.633378 pnac_process_coa_request_common_handler:2296 Port-Bounce request processed.
    Mar 28 09:09:43.633420 Interface flag to be set:4002
    Mar 28 09:09:43.633753 Interface flag set :c002
    Mar 28 09:09:43.634503 panc_auth_process_port_bounce delaying iff_up

     

    root@ex2300-r04-01> show interfaces ge-0/0/0

    Last flapped   : 2018-03-28 09:09:50 UTC (00:00:55 ago) 

     




  • 4.  RE: Dynamic vlan and port bounce

    Posted 04-11-2018 00:54

    Ah - thanks - I came back to answer this having got it working, and found it has already been answered!

    Not sure what RADIUS server you are using - we are using Pulse Policy Secure.   We are also using a Juniper EX4300 with Junos 17.3 - I think port-bounce was first introduced for this switch in 17.3.

     

    The steps we took:

    First, retrieve the Juniper.dct file from PPS under Endpoint Policy | Network Access | Radius Dictionary.  Edit it to include the following at the bottom:

    ATTRIBUTE Juniper-AV-Pair                       Juniper-VSA(52, string)  r

    1. Load it back into PPS using a custom name so you don't overwrite the original juniper.dct that came with the product.  I called mine Juniper-Custom:

    (screenshot: adding new dictionary)

    When you click it, you can expand the attributes and see Juniper-AV-Pair in there:

    (screenshot: Juniper-AV-Pair attribute in new dictionary)

     

    2. Add a new 'Vendor' that references this new dictionary you just created:

    (screenshot: adding a new RADIUS vendor)

     

    3. Change the RADIUS client (the ethernet switch) in PPS so that it uses this new vendor:

    (screenshot: change RADIUS client)

     

    4. Under RADIUS Attributes, add the right return attribute and VLAN:

    (screenshot: setting up the 'port-bounce' RADIUS return attribute)

    5. Once complete, the screen should look like this:

    (screenshot: completed return attribute)

     

     

    This seemed to work just fine. We get the CoA messages in our debug as per the previous posting, and the device moves VLANs.

    Good luck,

    Andrew
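
    What posts 2, 3 and 4 describe on the wire is a RADIUS Change-of-Authorization exchange (RFC 5176): the RADIUS server sends a CoA-Request identifying the session, carrying the Juniper-AV-Pair VSA (attribute 52, as in the dictionary line above) and optionally the RFC 3580 VLAN attributes, and the switch answers with a CoA-ACK or CoA-NAK. The following is an added example, not code from this thread, from Juniper or from Pulse Policy Secure. It builds that request byte by byte, including the MD5 Request Authenticator the switch checks with the shared secret, and verifies the reply's Response Authenticator so a spoofed or wrong-secret reply is rejected. Assumptions not stated on the page: Juniper's IANA vendor ID is 2636, the VSA string that triggers the bounce is "Port-Bounce" (the value Juniper later documented, which this thread only references), and the switch listens for CoA on UDP/3799. The session ID and secret are constructed for illustration.

```python
"""RADIUS CoA port bounce for a Juniper EX switch (RFC 5176 framing, Juniper VSA 52).
Added example; not code from the thread, from Juniper or from Pulse Policy Secure.
Assumptions (not on the page): vendor ID 2636, value "Port-Bounce", UDP/3799.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 26, 44, 101
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
JUNIPER_VENDOR_ID = 2636        # assumption: Juniper's IANA enterprise number
JUNIPER_AV_PAIR = 52            # from the dictionary line in post 4
PORT_BOUNCE = b"Port-Bounce"    # assumption: value documented by Juniper, not shown on this page


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def juniper_vsa(vsa_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping vendor id 2636 and an inner type/length/value."""
    inner = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + inner)


def build_coa_request(ident: int, secret: bytes, acct_session_id: str,
                      vlan: Optional[int] = None, bounce: bool = True) -> bytes:
    """CoA-Request for one session; optional RFC 3580 VLAN change plus the port bounce VSA."""
    attrs = attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
    if vlan is not None:
        # Tunnel attributes carry a leading tag octet; 0x00 means untagged.
        attrs += attr(ATTR_TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))        # 13 = VLAN
        attrs += attr(ATTR_TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))  # 6 = IEEE 802
        attrs += attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode())
    if bounce:
        attrs += juniper_vsa(JUNIPER_AV_PAIR, PORT_BOUNCE)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_auth + attrs


def verify_request(request: bytes, secret: bytes) -> bool:
    """The switch-side check: recompute the Request Authenticator with the shared secret."""
    header, auth, attrs = request[:4], request[4:20], request[20:]
    return hmac.compare_digest(hashlib.md5(header + bytes(16) + attrs + secret).digest(), auth)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return out


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the switch sends back; constructed here so the exchange can run offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> str:
    """Authenticate a CoA-ACK/NAK against the request we sent; return 'ack' or 'nak[:cause]'."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or spoofed reply")
    if code == COA_ACK:
        return "ack"
    if code == COA_NAK:
        for attr_type, value in parse_attrs(response[20:]):
            if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
                return "nak:%d" % struct.unpack("!I", value)[0]
        return "nak"
    raise ValueError("unexpected code %d" % code)


def send_coa(switch_ip: str, secret: bytes, acct_session_id: str, vlan: Optional[int] = None) -> str:
    """Send to the switch on UDP/3799 (assumed CoA port) and verify its reply; needs a real switch."""
    import socket
    request = build_coa_request(1, secret, acct_session_id, vlan=vlan)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(request, (switch_ip, 3799))
        reply, _ = sock.recvfrom(4096)
    return verify_response(reply, request, secret)


if __name__ == "__main__":
    secret = b"somethingSecret"   # constructed; same placeholder as the thread's config
    req = build_coa_request(7, secret, "8O2.1x817c00230001c19e", vlan=142)
    print(req.hex())
    print(verify_response(build_response(COA_ACK, req, secret), req, secret))
```

    The hex printed by the block is what a packet capture between the RADIUS server and the switch should show once the Juniper-AV-Pair return attribute from step 4 is in place; the Acct-Session-Id has to match the one the switch reported in accounting (post 3's trace shows the switch looking the session up by it), otherwise the switch answers CoA-NAK. Keeping the Response Authenticator check is not optional: without it anything that can reach UDP/3799 on the server's source address can fake an ACK, and a CoA-Request with a bad authenticator is silently dropped by the switch, which is the first thing to rule out when "nothing happens".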



  • 5.  RE: Dynamic vlan and port bounce

    Posted 04-12-2018 01:20

    Just had a response from the Juniper documentation team to say that they've updated the documentation to show the new VSA value:

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-radius-initiated-changes.html#jd0e56