Ask the Expert

  • 1.  802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-11-2021 20:01
    Hi,

    Do Juniper EX2300 switches support the 802.1X supplicant feature? (Can they be connected to another switch with 802.1X authentication enabled?)

    Kind regards,

    ------------------------------
    Michal Gurbski
    ------------------------------


  • 2.  RE: 802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-11-2021 20:05
    You can use the Juniper Feature Explorer tool to verify which devices and Junos versions support a particular feature.

    https://apps.juniper.net/feature-explorer/feature-info.html?fKey=985&fn=802.1X%20authentication%20(port-based,%20multiple%20supplicant)

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: 802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-12-2021 02:30
    Hi Steve,

    Thanks for your reply. The link you provided describes the feature:

    802.1X authentication (port-based, multiple supplicant)

    This feature introduces port-based 802.1X authentication and support for multiple supplicant mode. 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access. 802.1X authentication works by using an authenticator port access entity (the switch) to block all traffic to and from a supplicant (end device) at the port until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant.

    In your example the Juniper switch works as an authenticator port access entity, not as a supplicant.

    The question was regarding:


    1) Do Juniper EX2300 switches support the 802.1X supplicant feature? (Can they be connected to another switch with 802.1X authentication enabled?)

    a) Does a Juniper EX2300 switch work as an end device, and can it authenticate to another switch with 802.1X authentication enabled?

    b) Can I configure a Juniper EX2300 switch to act as a supplicant to another switch by using the 802.1X supplicant feature?

    c) Can a Juniper EX2300 provide its own supplicant credentials, and can they be presented to another switch with 802.1X authentication enabled? How?



    Example number 1)
    You can find an example in Cisco's documentation:

    802.1x Supplicant and Authenticator Switches with Network Edge Access Topology
    The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such as conference rooms). This allows any type of device to authenticate on the port.

    802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example, a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity. Once the supplicant switch authenticates successfully the port mode changes from access to trunk in an authenticator switch. In a supplicant switch you must manually configure trunk when enabling CISP.


    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/sec/b_1612_sec_9200_cg/configuring_ieee_802_1x_port_based_authentication.html#ID995


    Example number 2)

    You can find an example in HP's documentation:


    Configuring switch ports to operate as supplicants for 802.1X connections to other switches
    A switch port can operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches. (A port can operate as both an authenticator and a supplicant.)

    https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch13s08.html#:%7E:text=A%20switch%20port%20can%20operate,an%20authenticator%20and%20a%20supplicant

    Kind regards,

    ------------------------------
    Michal Gurbski
    ------------------------------


  • 4.  RE: 802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-12-2021 02:31
    Edited by Michal Gurbski 04-12-2021 04:17
    Please help!


  • 5.  RE: 802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-12-2021 05:37
    Edited by Michal Gurbski 04-12-2021 06:30


  • 6.  RE: 802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-20-2021 03:15
    Any updates?

    ------------------------------
    Michal Gurbski
    ------------------------------



  • 7.  RE: 802.1X supplicant feature (can a Juniper EX2300 switch be connected to another switch with 802.1X authentication enabled?)

    Posted 04-26-2021 06:41
    Hi,

    AFAIK this is not supported. You can only configure a Juniper switch/port to be a dot1x authenticator, not a supplicant.

    The closest you can get to this feature, I guess, is to configure Single Supplicant Mode on your switch: when the first client behind the Juniper switch is authenticated, the port is open for all other clients.

    Also, I'm not sure if it's enough to disable dot1x altogether or if the EAPOL is still consumed by the Juniper switch; in that case you have to enable L2PT to forward the traffic to your switch:
    Layer 2 Protocol Tunneling | Ethernet Switching User Guide | Juniper Networks TechLibrary

    What's the use case to authenticate an entire switch instead of every client behind it? Seems insecure.


    ------------------------------
    ROGER WIKLUND
    ------------------------------
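
Roger's single supplicant mode suggestion, written out as an added Junos configuration example. This is not code from the thread or from Juniper's documentation; the RADIUS server address and shared secret, the access profile name and the interface numbers are assumptions. The switch holding this configuration is the upstream authenticator; the three interfaces are configured side by side so the difference between the supplicant modes is visible, because only the first one admits a downstream switch with several hosts behind it.

```junos
## Added example, not from the thread. RADIUS server, secret, profile and interface names are assumed.
set access radius-server 192.0.2.10 secret "radius-shared-secret"
set access radius-server 192.0.2.10 port 1812
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 192.0.2.10
set protocols dot1x authenticator authentication-profile-name dot1x-profile

## ge-0/0/10: link to the downstream EX2300, single mode (Roger's suggestion).
## The first host behind the downstream switch that authenticates opens the port
## for every other MAC address seen on it, authenticated or not.
set protocols dot1x authenticator interface ge-0/0/10 supplicant single

## ge-0/0/11: single-secure mode. Only the one MAC address that authenticated is
## admitted; any second MAC address on the port is blocked, so a downstream
## switch with more than one host behind it cannot sit on this port.
set protocols dot1x authenticator interface ge-0/0/11 supplicant single-secure

## ge-0/0/12: multiple mode. Every MAC address behind the port must complete its
## own 802.1X exchange with the RADIUS server, which is the per-client
## authentication Roger asks about in his last sentence.
set protocols dot1x authenticator interface ge-0/0/12 supplicant multiple
```

The `##` lines are for the reader; drop them before pasting the `set` commands into configuration mode. After committing, `show dot1x interface ge-0/0/10 detail` shows the configured supplicant mode and which MAC addresses are currently admitted, which is the quickest way to confirm that single mode really did open the port for the unauthenticated hosts behind the downstream switch. Keep in mind that the single-mode port trusts whatever is plugged into it once the first client has authenticated, which is the weakness Roger points out.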