Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  EX3400 - 20.4R3 - Dot1x reauth for guests

    Posted 05-16-2022 07:40

    Hello,

    Users are returning to the office and everything works just fine except that I noticed an issue with dot1x for our EX3400 switches and guest users.

    Whenever guests are connected to our wired network they get denied and put on the guest VLAN, however it seems that the connection drops every 10 minutes and they start connecting again and this continues on and on.

    When on guest Wi-Fi the issue is not occurring, but then again it's a separate guest SSID.

    I've looked through my configuration and can't find the issue.

    Please see following example:

    show configuration protocols dot1x
    traceoptions {
        file dot1x-log size 5m;
        flag all;
    }
    authenticator {
        authentication-profile-name AccessProfile-60;
        interface {
            Klient {
                supplicant multiple;
                retries 4;
                quiet-period 3;
                transmit-period 30;
                reauthentication 3600;
                supplicant-timeout 30;
                server-timeout 30;
                maximum-requests 2;
                guest-vlan tele;
                server-fail permit;
            }
        }
    }
    


    And when viewing the interface:

    show dot1x interface ge-9/0/12 detail
    ge-9/0/12.0
      Role: Authenticator
      Administrative state: Auto
      Supplicant mode: Multiple
      Number of retries: 4
      Quiet period: 3 seconds
      Transmit period: 30 seconds
      Mac Radius: Disabled
      Mac Radius Restrict: Disabled
      Reauthentication: Enabled
      Reauthentication interval: 3600 seconds
      Supplicant timeout: 30 seconds
      Server timeout: 30 seconds
      Maximum EAPOL requests: 2
      Guest VLAN member: tele
      Number of connected supplicants: 1
        Supplicant: No User, 10:62:E5:A6:53:C9
          Operational state: Authenticated
          Backend Authentication state: Idle
          Authentication method: GuestVlan
          Authenticated VLAN: tele
          Session Reauth interval: 3600 seconds
          Reauthentication due in 0 seconds
          Eapol-Block: Not In Effect
    
    


    And some trace logs regarding the interface (20 minutes of logs capturing the specified interface and 2 periods of auth)

    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 11:41:38.083282 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 11:51:07.946739 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:07.947102 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:07.948314 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
    May 16 11:51:07.949821 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 0 Reauth Count 0
    May 16 11:51:07.950229 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:07.950411 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:07.950707 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:07.967214 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:07.967621 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:07.969131 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 11:51:07.969307 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:08.085055 pnac_ifbd_delete: ifbd deleted sucessfully for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 11:51:08.087328 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 11:51:08.087511 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 11:51:08.311400 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 11:51:08.312343 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.314111 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 1 Reauth Count 0
    May 16 11:51:08.314461 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.315162 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.315378 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.350933 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:08.351328 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:08.352846 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 11:51:08.353074 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:08.541308 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 11:51:08.542475 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.542975 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 2 Reauth Count 0
    May 16 11:51:08.543298 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.543956 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.544135 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.572556 EAPOL packet received on interface ge-9/0/12.0
    May 16 11:51:08.572923 Invoking state machine for frame received on interface ge-9/0/12
    May 16 11:51:08.574440 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 11:51:08.574684 Processing complete for frame received on interface ge-9/0/12
    May 16 11:51:08.749064 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 11:51:08.750669 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:08.751884 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:08.770925 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:14.729652 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:14.731016 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 0 Reauth Count 0
    May 16 11:51:14.731322 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:14.731853 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:19.914244 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:19.914440 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:24.738314 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:25.136050 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:27.633712 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:27.633962 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:30.295756 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:30.296036 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:35.146230 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:35.643134 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:41.118384 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:41.118591 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:44.732351 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 1 Max Req 2
    May 16 11:51:44.732409 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 1 Reauth Count 0
    May 16 11:51:44.732788 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:51:44.733320 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:51:45.649877 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:46.144505 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:51.705861 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:51:51.706117 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:56.155286 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:51:58.028615 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:00.499727 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:00.499963 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:08.039836 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:08.395053 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:14.260259 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:14.260452 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:14.743463 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 2 Max Req 2
    May 16 11:52:14.743514 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 2 Reauth Count 0
    May 16 11:52:14.743839 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 11:52:14.744365 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 11:52:18.399687 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:20.711392 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:25.739859 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:25.740106 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:30.640862 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:30.641069 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:30.712274 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:31.131978 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:36.311108 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:36.311332 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:41.135075 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:41.606638 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 11:52:44.751601 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 3 Max Req 2
    May 16 11:52:44.751650 Captive portal is not enabled for interface:ge-9/0/12.0
    May 16 11:52:44.752659 pnac_get_filter_term:1206 Term: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9 Filter op:0, Term op:0 Prev term name:
    May 16 11:52:44.753240 CP_DEBUG:install_cp_filters:409: term being added: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9.
    May 16 11:52:44.754167 Adding and attaching filter:dot1x_ge-9/0/12 to interface:ge-9/0/12.
    May 16 11:52:44.754573 GUESTVLAN: Non-responsive host \x10b▒S▒ \x01▒*f on port ge-9/0/12.0moved to Guest VLAN tele
    May 16 11:52:44.783903 pnac_ifbd_create ifl ge-9/0/12.0 bd 4 vlan 103
    May 16 11:52:44.785515 pnac_ifbd_update_flags: ifbd sucess for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 11:52:44.785771 pnac_pvlan_bd_lookup(PVLAN)  primary bd 4 for ifl ge-9/0/12.0 NOT Present
    May 16 11:52:44.893672 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 11:52:44.893873 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 12:01:08.805404 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:08.805876 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:08.807167 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
    May 16 12:01:08.807800 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 0 Reauth Count 0
    May 16 12:01:08.808745 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:08.809062 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:08.809359 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:08.822404 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:08.822818 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:08.824360 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 12:01:08.824538 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:08.982677 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 12:01:08.982938 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    May 16 12:01:08.983226 pnac_ifbd_delete: ifbd deleted sucessfully for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 12:01:09.236381 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 12:01:09.237247 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.239080 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 1 Reauth Count 0
    May 16 12:01:09.239504 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.240126 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.240317 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.252343 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:09.252677 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:09.254467 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 12:01:09.254683 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:09.430177 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 12:01:09.431104 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.431682 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 2 Reauth Count 0
    May 16 12:01:09.432046 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.432641 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.432890 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.444918 EAPOL packet received on interface ge-9/0/12.0
    May 16 12:01:09.445234 Invoking state machine for frame received on interface ge-9/0/12
    May 16 12:01:09.446696 Queuing message to auth client to validate mac address 10:62:e5:a6:53:c9, user host/N00074.kelprojektas.intra on interface ge-9/0/12.0
    May 16 12:01:09.446860 Processing complete for frame received on interface ge-9/0/12
    May 16 12:01:09.623156 Invoking state machine for authentication response for mac 10:62:e5:a6:53:c9 on intf ge-9/0/12.0
    May 16 12:01:09.624018 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.624474 ASM CONNECTING : Intf ge-9/0/12.0: ReqId Count 3 Reauth Count 0
    May 16 12:01:09.624798 Queuing EAPOL frame to be transmitted out on interface ge-9/0/12
    May 16 12:01:09.625448 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.625659 EAPOL frame transmitted out on interface (ge-9/0/12.0)
    May 16 12:01:09.731040 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:15.642900 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:15.643093 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:19.731707 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:20.697716 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:26.046450 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:26.046655 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:30.706630 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:31.190607 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:33.973228 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:33.973421 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:37.132645 Mac address 10:62:e5:a6:53:c9  on interface ge-9/0/12.0 NOT found in Static list
    May 16 12:01:37.132846 pnac_pvlan_bd_lookup(PVLAN)  primary bd 2 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:39.634873 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 4 Max Req 2
    May 16 12:01:39.634940 Captive portal is not enabled for interface:ge-9/0/12.0
    May 16 12:01:39.636157 pnac_get_filter_term:1206 Term: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9 Filter op:0, Term op:0 Prev term name:
    May 16 12:01:39.636764 CP_DEBUG:install_cp_filters:409: term being added: dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9.
    May 16 12:01:39.637397 Adding and attaching filter:dot1x_ge-9/0/12 to interface:ge-9/0/12.
    May 16 12:01:39.637756 GUESTVLAN: Non-responsive host \x10b▒S▒ \x01▒*f on port ge-9/0/12.0moved to Guest VLAN tele
    May 16 12:01:39.685131 pnac_ifbd_create ifl ge-9/0/12.0 bd 4 vlan 103
    May 16 12:01:39.685222 pnac_ifbd_update_flags: ifbd sucess for name:ge-9/0/12.0 bd:4 vlan:103 flags=0x0000
    May 16 12:01:39.685389 pnac_pvlan_bd_lookup(PVLAN)  primary bd 4 for ifl ge-9/0/12.0 NOT Present
    May 16 12:01:39.787017 IFF Message: IFD ge-9/0/12 info:IFL 0 devindex 774
    RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
    May 16 12:01:39.787317 handle_iff OP = 2 ifl:(ge-9/0/12.0) idx:(690)
    

    Lastly I'll include a PCAP picture from the NPS server:



    ------------------------------
    Andreas
    ------------------------------
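
Added example (not part of the original thread and not Juniper tooling): a small parser for dot1x trace lines like those in the post above, which measures how long each cycle takes to fall back to the guest VLAN and how far apart the restarts are. The function names, the year 2022 (trace timestamps carry no year) and the one-second "client triggered" heuristic are assumptions; the sample lines are abridged from the posted trace.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines abridged from the trace in the first post (the garbled
# host bytes in the GUESTVLAN lines are dropped).
SAMPLE_TRACE = """\
May 16 11:51:07.946739 EAPOL packet received on interface ge-9/0/12.0
May 16 11:51:07.948314 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
RTSOCK Info ge-9/0/12.adr_family vpls devindex 774
May 16 11:52:44.751601 ASM TxWhenTimer CONN: If ge-9/0/12.0: TxReqId Count 3 Max Req 2
May 16 11:52:44.754573 GUESTVLAN: Non-responsive host on port ge-9/0/12.0moved to Guest VLAN tele
May 16 12:01:08.805404 EAPOL packet received on interface ge-9/0/12.0
May 16 12:01:08.807167 PnacAuthAsmMakeConnecting:1984 Deleting Dynamic filter dot1x_ge-9/0/12_DOT1X_dotmac_1062e5a653c9
May 16 12:01:39.637756 GUESTVLAN: Non-responsive host on port ge-9/0/12.0moved to Guest VLAN tele
"""

TS = re.compile(r"^([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+) (.*)$")

def parse_line(line, year):
    """Return (timestamp, message), or None for lines without a timestamp."""
    m = TS.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f"), m.group(2)

def reauth_cycles(trace, ifd, year=2022):
    """Group trace events for one port into restart -> guest-VLAN cycles."""
    on_port = re.compile(re.escape(ifd) + r"(?!\d)")  # ge-9/0/12 must not match ge-9/0/120
    cycles, last_eapol = [], None
    for line in trace.splitlines():
        rec = parse_line(line, year)
        if rec is None or not on_port.search(rec[1]):
            continue
        ts, msg = rec
        if msg.startswith("EAPOL packet received"):
            last_eapol = ts
        elif "Deleting Dynamic filter" in msg:
            # Heuristic (assumption): a supplicant frame seen <1 s earlier caused the restart.
            by_client = last_eapol is not None and ts - last_eapol < timedelta(seconds=1)
            cycles.append({"restart": ts, "client_triggered": by_client, "guest_at": None})
        elif msg.startswith("GUESTVLAN:") and cycles and cycles[-1]["guest_at"] is None:
            cycles[-1]["guest_at"] = ts
    return cycles

def summarize(cycles):
    """Per cycle: seconds until guest-VLAN fallback and seconds until the next restart."""
    rows = []
    for cur, nxt in zip(cycles, cycles[1:] + [None]):
        rows.append({
            "restart": cur["restart"].strftime("%H:%M:%S"),
            "client_triggered": cur["client_triggered"],
            "fallback_s": (cur["guest_at"] - cur["restart"]).total_seconds() if cur["guest_at"] else None,
            "period_s": (nxt["restart"] - cur["restart"]).total_seconds() if nxt else None,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(reauth_cycles(SAMPLE_TRACE, "ge-9/0/12")):
        print(row)
```

On the sample lines the restarts are about 600 seconds apart rather than the 3600 seconds configured for `reauthentication`, and each one follows an EAPOL frame received from the supplicant.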


  • 2.  RE: EX3400 - 20.4R3 - Dot1x reauth for guests

    Posted 08-14-2023 09:26

    Is there anyone out there willing to have a stab at why this happens?



    ------------------------------
    Andreas
    ------------------------------



  • 3.  RE: EX3400 - 20.4R3 - Dot1x reauth for guests

    Posted 08-17-2023 15:37

    Hello Anf. 

    I don't know if you are seeing the same things as me but it may be related. We have a bunch of old printers that are connected with Dot1X with Dynamic VLAN assignment. The problem we are seeing is if we reboot the printer, it works fine for a short time but suddenly they are no longer accessible to print. One thing with these printers is they are silent if not being used. 

    After some digging, it looks like the authentication is dropped once the MAC address is removed from the address table, therefore needing to re-authenticate when they want to talk again, way before the re-authenticate time.



    ------------------------------
    YVON LEDUC
    ------------------------------



  • 4.  RE: EX3400 - 20.4R3 - Dot1x reauth for guests

    Posted 08-17-2023 15:56

    Yes, I encountered the problem with "quiet" devices dropping out of authentication.  I proposed the solution that Juniper eventually implemented--using DHCP Snooping bindings to retain the session:  

    How to Retain the Authentication Session Using IP-MAC Bindings - TechLibrary - Juniper Networks



    ------------------------------
    Chuck Anderson
    ------------------------------



  • 5.  RE: EX3400 - 20.4R3 - Dot1x reauth for guests

    Posted 08-17-2023 16:07

    Thanks Chuck, will have a look in more detail but this sounds promising. The description is bang on it!!



    ------------------------------
    YVON LEDUC
    ------------------------------



  • 6.  RE: EX3400 - 20.4R3 - Dot1x reauth for guests

    Posted 08-18-2023 03:48

    Hello Yvon,

    Thanks for your reply, I'm afraid this is not similar at all at this moment since Juniper behaves very differently depending on mac-radius or dot1x authentication.

    I've actually gotten further with my troubleshooting and thought I found a solution but for some reason the 'eapol-block' doesn't kick in, you're welcome to have a look at a new thread post here:
    https://community.juniper.net/discussion/ex33ex34-dot1x-server-reject-vlan-with-eapol-block-doesnt-trigger#bm78884706-0e76-41fb-ab50-14f508eb422a
    I've sent similar questions to my co-drive partner and it looks like escalating to Juniper is going to be the answer this time.

    I've actually also tried adding different authentication-orders to see if the 'eapol-block' will work with mac-radius instead since it's going to fail dot1x and try mac-radius afterwards. This has not gotten me any closer I'm afraid.
    Thankfully we don't have your problem since our printers do support dot1x, but I hope the answers from Chuck gave you something to test further with.
    Dot1x has worked great with authenticated clients but this is starting to get on my nerves, a similar setup with HP Aruba switches "just works".

    Thanks for the replies and help.

    //Andreas



    ------------------------------
    Andreas
    ------------------------------