Switching

Expand all | Collapse all

Juniper CWA (url redirect) after successful dot1x authentication

Jump to Best Answer
  • 1.  Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:22

    Dear Juniper Experts, 

     

    I am using Juniper EX2300 running 18.3R3 and Aruba Clearpass 6.7. I am trying to redirect users who are successfully authenticating through dot1x to a url which will prompt users to download the onguard agent. In summary, can juniper switches do CWA after successful dot1x authentication? Please note that url will be sent via radius server and not configured locally.



  • 2.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:38

    Hi owais101, 

     

    Greetings, 

     

    Yes, I believe this can be achieved on the Juniper Device. 

    You might want to refer Configuring Central Web Authentication and then use the knob redirect-url .

    Details of usage is specified here: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html

     

    Hope this helps. Smiley Happy

     

    Please mark "Accept as solution" if this answers your query. 

     

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 3.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:50

    Dear, 

    I am not sure if you have gone through my question properly, but i asked redirect url from AAA server once dot1x is successfully authenticated.

     

    I have already gone through the links, and its not helping.



  • 4.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 22:58

    Hi owais101,

     

    Just wondering if the below discussion could help you :

    https://forums.juniper.net/t5/Ethernet-Switching/CWA-in-EX-switches/td-p/312990

     

    Hope this helps 🙂

     

    Please mark "Accepted Solution" if this works for you.

    Kudos are always appreciated!

     



  • 5.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:13

    Hi, Yes this is my exact requirement but as you can see, it was not answered back then also. 

     

    I have done the similar configuration on junos, but no progress. 



  • 6.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:32

    Hi owais101,

     

    Did you get a chance to test this posted by Partha on the other thread:

     

    This should work

     

    Example Config.

     

    protocols {
        dot1x {
           authenticator {
                authentication-profile-name hss-auth_prof;
                interface {
                    ge-0/0/45.0 {
                        supplicant multiple;
                        quiet-period 3;
                        transmit-period 3;
                 mac-radius;
                        supplicant-timeout 10;
                    }
                    ge-0/0/46.0 {
                        supplicant multiple;
                        quiet-period 3;
                        transmit-period 3;
                        mac-radius;
                        supplicant-timeout 10;
                    }
                }
            }
        }
        
    ccess {
        radius-server {
            10.2.101.117 {
                port 1812;
                dynamic-request-port 3799;
                source-address x.x.x.x;
            }
        }
        profile hss-auth_prof {
            authentication-order radius;
            radius {
                authentication-server x.x.x.x;
                accounting-server x.x.x.x;
                options {
                    nas-identifier x.x.x.x;
                }
            }
            radius-server {
                x.x.x.x {
                 dynamic-request-port 3799;
                }
            }
        }
    }

        services {
            ssh {
                root-login allow;
                protocol-version v2;
            }
            web-management {
                http;
                https {
                    system-generated-certificate;
                }
        }
        }

     

    Hope this helps 🙂



  • 7.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:40

    Hi, 

     

    Yes except for this part 

    mac-radius;
                        supplicant-timeout 10; (this option doesnt appear in my junos version)

     

     



  • 8.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:51

    Hi owais101,

     

    Can you run the below:

     show dot1x interface ge-0/0/8.0 detail

     

    This will display the default timeout value if you are unable to configure: (marked in green below)

    ge-0/0/8.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Single
      Number of retries: 3
      Quiet period: 60 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Configured Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: <not configured>

    You may choose to ignore that statement.

     

    For configuring timeouts, can you check the below link:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/access-control-authentication-for-switching-device.html#id-controlling-authentication-session-timeouts-cli-procedure

     

    Hope this helps 🙂



  • 9.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-07-2020 23:59

    Hi, 

     

    As i pointed out earlier, its clearly written on this link - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/central-web-authentication.html

     

    "Central Web authentication is invoked after a host has failed MAC RADIUS authentication"

     

    So how will a supplicant timeout will help in this case?



  • 10.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-08-2020 00:06

    Hi owais101, 

     

    As I pointed out in my previous reply, you may choose to ignore configuring that statement. If the rest of the config is helping you achieve your goal, the supplicant timeout should not matter 🙂

     

    The reason why I asked you to check the interface output details was to check the default value, just for your reference.

     

    Hope this helps 🙂



  • 11.  RE: Juniper CWA (url redirect) after successful dot1x authentication

    Posted 06-08-2020 00:42

    Yes but its not working in my case. Any ideas?



  • 12.  RE: Juniper CWA (url redirect) after successful dot1x authentication
    Best Answer

     
    Posted 06-09-2020 03:46

    Found answers:

     

    1. Juniper only support “MAC RADIUS with CWA”, and not “802.1X with CWA”.

    2. redirect-url in authenticator stanza is only required if Radius is not sending us the redirect url using Juniper-CWA-Redirect="http://11.1.1.3".  If Juniper-CWA-Redirect is send from radius then this knob it is not required.

     

    Hope this helps.