Model: EX3400 and EX2300-C
Firmware: 21.4R3-S7.6
We recently ran into a problem where the EAP-Message attribute is still being sent to our RADIUS servers even when "mac-radius" or "mac-radius restrict" is set. As far as we can tell this started sometime after we upgraded the firmware to the above version (from 21.4.R3-S4).
Has anyone else experienced this, or have any suggestions on how to get it to work as expected?
I opened a case with JTAC but they haven't figured out anything yet.
Example configuration #1:
# show protocols dot1x authenticator | display inheritance no-comments
authentication-profile-name rad-profile;
interface {
ge-0/0/0.0 {
authentication-order [ mac-radius dot1x ];
supplicant multiple;
mac-radius {
authentication-protocol {
eap-peap;
}
}
}
}
Example #2:
# show protocols dot1x authenticator | display inheritance no-comments
authentication-profile-name rad-profile;
interface {
ge-0/0/0.0 {
supplicant multiple;
mac-radius {
restrict;
authentication-protocol {
eap-peap;
}
}
}
}
access profile
> show configuration access profile rad-profile
accounting-order radius;
authentication-order radius;
radius {
authentication-server X.X.X.X;
accounting-server X.X.X.X;
}
accounting {
order radius;
accounting-stop-on-failure;
accounting-stop-on-access-deny;
coa-immediate-update;
update-interval 10;
wait-for-acct-on-ack;
send-acct-status-on-config-change;
ancp-speed-change-immediate-update;
}
Thanks in advance for any guidance.
------------------------------
djz
------------------------------