
EX4400 with wired dot1x/EAP-TLS issues


    Posted 17 days ago
    Edited by Jodi Meier 17 days ago

    Has anyone got wired dot1x/EAP-TLS in combination with the EX4400 working?

    In our setup we have a Microsoft NPS server running that authenticates clients based on client certificates (EAP-TLS). The clients are physically attached via a Juniper EX4400 switch. The strange part is that in the same environment we also have dot1x running on a Cisco switch (working) and a Juniper SRX (working). So based on this I am ruling out any client or server misconfigurations. There are also no firewall or other filters in between the EX4400 and the server.


    We did some packet captures on the client, and it looks like everything is fine until the TLS Server Hello (encapsulated in EAP-TLS). Then the client tries to send its certificate/client TLS response. However, this packet is too big for a regular 1500-byte MTU. Thus the client sends one fragmented packet. Then, from my understanding, this packet should be acknowledged via an empty EAP-TLS packet. However, this acknowledgement is never sent. Thus nothing after the first fragmented packet is sent and the authentication eventually fails. On the Cisco and Juniper SRX we can see the acknowledgement (and the rest of the packets). I cannot find any bugs related to this issue.

    The configuration I am using at the moment:

    set access profile DOT1X_RADIUS authentication-order radius
    set access profile DOT1X_RADIUS radius authentication-server ###RADIUS-SERVER-IP###
    set access radius-server ###RADIUS-SERVER-IP### port 1812
    set access radius-server ###RADIUS-SERVER-IP### accounting-port 1813
    set access radius-server ###RADIUS-SERVER-IP### secret ###SECRET###
    set access radius-server ###RADIUS-SERVER-IP### source-address ###SOURCE-IP###
    set protocols dot1x authenticator authentication-profile-name DOT1X_RADIUS
    set protocols dot1x authenticator interface ###INTERFACE### authentication-order dot1x
    set protocols dot1x authenticator interface ###INTERFACE### authentication-order mac-radius
    set protocols dot1x authenticator interface ###INTERFACE### supplicant multiple
    set protocols dot1x authenticator interface ###INTERFACE### reauthentication 3600
    set protocols dot1x authenticator interface ###INTERFACE### guest-vlan ###CONTROLLED-VLAN-ID###
    set protocols dot1x authenticator interface ###INTERFACE### server-reject-vlan ###CONTROLLED-VLAN-ID###
    set protocols dot1x authenticator interface ###INTERFACE### server-fail vlan-name ###CONTROLLED-VLAN-ID###

    A very related case: https://supportportal.juniper.net/s/article/Dot1x-not-working-in-some-of-the-VCs?language=en_US



    ------------------------------
    ERIK DEKKER
    ------------------------------
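To check a client-side capture for the symptom described in the post (a fragmented EAP-TLS response that never receives its empty ACK), here is an added Python example; it is not code from the post or from Juniper. It parses EAP-TLS headers per RFC 5216 and reports any fragment with the M bit set that is not answered by an ACK from the other side. The sample payloads are constructed to mimic the described exchange, not taken from the poster's capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13  # RFC 3748 codes, EAP-TLS type
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20          # RFC 5216 flags: Length, More, Start

@dataclass
class EapTls:
    code: int               # 1 = Request (server side), 2 = Response (client side)
    ident: int
    flags: int
    tls_len: Optional[int]  # total TLS message length, present only when L is set
    data: bytes

    def is_ack(self) -> bool:
        return self.flags == 0 and not self.data  # RFC 5216 2.1.5: empty EAP-TLS packet

def parse_eap_tls(pkt: bytes) -> EapTls:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (EAP_REQUEST, EAP_RESPONSE) or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("not a complete EAP-TLS Request/Response")
    flags, off, tls_len = pkt[5], 6, None
    if flags & FLAG_L:
        tls_len, off = struct.unpack("!I", pkt[6:10])[0], 10
    return EapTls(code, ident, flags, tls_len, pkt[off:])

def build(code: int, ident: int, flags: int, data: bytes = b"", tls_len: int = 0) -> bytes:
    body = bytes([EAP_TYPE_TLS, flags]) + (struct.pack("!I", tls_len) if flags & FLAG_L else b"")
    return struct.pack("!BBH", code, ident, 4 + len(body) + len(data)) + body + data

def unacked_fragments(pkts: List[bytes]) -> List[int]:
    """Identifiers of fragments (M bit set) that the other side did not answer with
    an ACK right away; a non-empty result is the symptom described in the post."""
    msgs = [parse_eap_tls(p) for p in pkts]
    missing = []
    for i, m in enumerate(msgs):
        nxt = msgs[i + 1] if i + 1 < len(msgs) else None
        if m.flags & FLAG_M and (nxt is None or nxt.code == m.code or not nxt.is_ack()):
            missing.append(m.ident)
    return missing

# Constructed sample EAP payloads (EAPOL framing stripped), mimicking the post's capture
BROKEN_CAPTURE = [
    build(EAP_REQUEST, 1, FLAG_S),                                       # EAP-TLS Start
    build(EAP_RESPONSE, 1, 0, b"\x16\x03\x01" + bytes(60)),              # ClientHello
    build(EAP_REQUEST, 2, 0, b"\x16\x03\x03" + bytes(200)),              # ServerHello etc.
    build(EAP_RESPONSE, 2, FLAG_L | FLAG_M, bytes(1400), tls_len=3000),  # cert fragment 1, then silence
]
HEALTHY_CAPTURE = BROKEN_CAPTURE + [build(EAP_REQUEST, 3, 0),                # empty EAP-TLS ACK
                                    build(EAP_RESPONSE, 3, 0, bytes(1600))]  # last fragment
```

Feeding the EAP payloads from a real capture (in order) to unacked_fragments tells you which fragment the authenticator path dropped the ACK for, which narrows the fault to the EX4400 or the RADIUS leg before touching client or NPS settings.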