Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

Juniper CWA (url redirect) after successful dot1x authentication

  • 1.  Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:22

    Dear Juniper Experts, 

     

    I am using a Juniper EX2300 running 18.3R3 and Aruba ClearPass 6.7. I am trying to redirect users who are successfully authenticating through dot1x to a URL which will prompt users to download the OnGuard agent. In summary, can Juniper switches do CWA after successful dot1x authentication? Please note that the URL will be sent via the RADIUS server and not configured locally.



  • 2.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:38

    Hi owais101, 

     

    Greetings, 

     

    Yes, I believe this can be achieved on the Juniper Device. 

    You might want to refer to Configuring Central Web Authentication and then use the knob redirect-url.

    Details of usage are specified here: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query. 

     

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 3.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:50

    Dear, 

    I am not sure if you have gone through my question properly, but I asked about a redirect URL from the AAA server once dot1x is successfully authenticated.

    I have already gone through the links, and it's not helping.



  • 4.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:58

    Hi owais101,

     

    Just wondering if the below discussion could help you :

    https://forums.juniper.net/t5/Ethernet-Switching/CWA-in-EX-switches/td-p/312990

     

    Hope this helps 🙂

     

    Please mark "Accepted Solution" if this works for you.

    Kudos are always appreciated!

     



  • 5.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:13

    Hi, yes, this is my exact requirement, but as you can see, it was not answered back then either.

    I have done a similar configuration on Junos, but no progress.



  • 6.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:32

    Hi owais101,

     

    Did you get a chance to test this posted by Partha on the other thread:

     

    This should work

     

    Example Config.

     

    protocols {
        dot1x {
            authenticator {
                authentication-profile-name hss-auth_prof;
                interface {
                    ge-0/0/45.0 {
                        supplicant multiple;
                        quiet-period 3;
                        transmit-period 3;
                        mac-radius;
                        supplicant-timeout 10;
                    }
                    ge-0/0/46.0 {
                        supplicant multiple;
                        quiet-period 3;
                        transmit-period 3;
                        mac-radius;
                        supplicant-timeout 10;
                    }
                }
            }
        }
    }

    access {
        radius-server {
            10.2.101.117 {
                port 1812;
                /* port on which the switch accepts dynamic (CoA) requests */
                dynamic-request-port 3799;
                source-address x.x.x.x;
            }
        }
        profile hss-auth_prof {
            authentication-order radius;
            radius {
                authentication-server x.x.x.x;
                accounting-server x.x.x.x;
                options {
                    nas-identifier x.x.x.x;
                }
            }
            radius-server {
                x.x.x.x {
                    dynamic-request-port 3799;
                }
            }
        }
    }

    /* services sits under the system hierarchy in Junos */
    system {
        services {
            ssh {
                root-login allow;
                protocol-version v2;
            }
            web-management {
                http;
                https {
                    system-generated-certificate;
                }
            }
        }
    }

     

    Hope this helps 🙂



  • 7.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:40

    Hi, 

     

    Yes, except for this part:

    mac-radius;
    supplicant-timeout 10; (this option doesn't appear in my Junos version)

     

     



  • 8.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:51

    Hi owais101,

     

    Can you run the below:

     show dot1x interface ge-0/0/8.0 detail

     

    This will display the default timeout value if you are unable to configure: (marked in green below)

    ge-0/0/8.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: <not configured>

    You may choose to ignore that statement.

     

    For configuring timeouts, can you check the below link:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/access-control-authentication-for-switching-device.html#id-controlling-authentication-session-timeouts-cli-procedure

     

    Hope this helps 🙂



  • 9.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:59

    Hi, 

     

    As I pointed out earlier, it's clearly written on this link - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/central-web-authentication.html

     

    "Central Web authentication is invoked after a host has failed MAC RADIUS authentication"

     

    So how will a supplicant timeout help in this case?



  • 10.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-08-2020 00:06

    Hi owais101, 

     

    As I pointed out in my previous reply, you may choose to ignore configuring that statement. If the rest of the config is helping you achieve your goal, the supplicant timeout should not matter 🙂

     

    The reason why I asked you to check the interface output details was to check the default value, just for your reference.

     

    Hope this helps 🙂



  • 11.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-08-2020 00:42

    Yes, but it's not working in my case. Any ideas?



  • 12.  RE: Juniper CWA (url redirect) after successful dot1x authentication
    Best Answer

     
    Posted 06-09-2020 03:46

    Found answers:

     

    1. Juniper only supports “MAC RADIUS with CWA”, and not “802.1X with CWA”.

    2. redirect-url in the authenticator stanza is only required if RADIUS is not sending us the redirect URL using Juniper-CWA-Redirect="http://11.1.1.3". If Juniper-CWA-Redirect is sent from RADIUS, then this knob is not required.

     

    Hope this helps.
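
Added example (not part of the thread, and not Juniper's or any poster's code): a small Python check that applies the two points of the accepted answer to a brace-style Junos config, reporting for each 802.1X port whether `mac-radius` is enabled (the only mode in which CWA is supported) and whether a local `redirect-url` is set (needed only when RADIUS does not send `Juniper-CWA-Redirect`). The sample config, the portal URL and the function names are constructed for illustration, and the per-interface placement of `redirect-url` is an assumption. The parser also rejects unbalanced braces.

```python
# Constructed sample (not from the thread): two 802.1X ports in Junos brace syntax.
SAMPLE = """\
protocols {
    dot1x {
        authenticator {
            interface {
                ge-0/0/45.0 {
                    mac-radius;
                }
                ge-0/0/46.0 {
                    redirect-url "http://portal.example/onguard";
                }
            }
        }
    }
}
"""

def parse_junos(text):
    """Parse brace-style config into nested dicts; leaf statements map to None."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            # Open a stanza (merging with an earlier stanza of the same name).
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("missing closing brace")
    return stack[0]

def audit_cwa(config):
    """Map each 802.1X port to (mac_radius_enabled, local_redirect_url_set)."""
    node = config
    for key in ("protocols", "dot1x", "authenticator", "interface"):
        node = node.get(key) or {}
    report = {}
    for port, body in node.items():
        body = body or {}
        # Assumption: redirect-url sits under the port in the authenticator stanza.
        has_url = any(k.startswith("redirect-url ") for k in body)
        report[port] = ("mac-radius" in body, has_url)
    return report

if __name__ == "__main__":
    print(audit_cwa(parse_junos(SAMPLE)))
```

In the sample, ge-0/0/45.0 is CWA-capable but depends on RADIUS sending the redirect, while ge-0/0/46.0 has a local URL but no `mac-radius`, so by the accepted answer it would not get CWA at all.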