Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Urgent help needed with ACS5.4 for Juniper SRX please

Hello again CSC,

Is there an ACS 5.x expert on this site who can help me setup for phone dot1x supplicants connected to Juniper SRX ports please?

- Our ACS setup works for phone supplicants on our Cisco 3750s & 6509s, but not on the Juniper SRX240.

- ACS logs are GREEN Authenticated but phones still not getting link, or dhcp, and not registered.

- If I disable dot1x on Juniper switch ports the phones work perfectly.

I have configured Policy Element > Authorisation Profile "cisco-av-pair device-traffic-class=voice" so phones can access voice-vlans on the Cisco NASs.

Do I need an equivilent policy for a Juniper NAS please?

I asked this question previously and just hoping for better luck this time.

Regards,

Paul

3 REPLIES
Silver

Urgent help needed with ACS5.4 for Juniper SRX please

Paul,

See if this helps:

http://blog.inetsix.net/2012/10/802-1x-layer-2-scenario-juniper-ex-series-sample-configuration/

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
Community Member

Urgent help needed with ACS5.4 for Juniper SRX please

Hi Ed,

I may be missing your point but I see nothing ACS related in that link just general descriptive guff about dot1x technology.  But thanks anyway for posting...

Silver

Urgent help needed with ACS5.4 for Juniper SRX please

Paul,

I agree, nothing ACS related, but I don't think you need anything on the ACS for this.

Which mode are you using?

  • supplicant single; #will authenticate the first device seen on the switch port, and open the port globally
  • supplicant single-secure; #will authenticate only  the first device on the switch port and open the port for it, but will  drop traffic for others @mac (to avoid an authenticated client behind a  hub device, opening the port for many unauthicated clients, which is  possible in “single” mode)
  • supplicant multiple; #will authenticate each client  (on a @mac basis) separately. Each one can belon to a different vlan or  have its specific options. Max limit is 8 devices per port actually on  EX series.
  • mac-radius: Activate mac-radius authentication. If a  device can’t answer EAPol “request identity” frames, the EX will forge a  Radius access-request using @mac as username to authenticates the  client (if the authentication is configured to accept this case). It is  very usefull to authenticates IP Phones for example, or other devices  like printers, IP cameras, who doesn’t have 802.1x functionnalities.  Note that this mode is way more unsecure than a real 802.1X  authentication.
  • The number of EAPol retries from EX before passing to mac-radius mode can be configured in “Protocols > Dot1x”
  • mac-radius restrict; #The mac-radius described will  be used only, no EAPol frames will be send from EX to client, EX will  takes client @mac an send a Radius access request with it as soon as he  see the device.

I will see if I can help.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
307
Views
0
Helpful
3
Replies
CreatePlease to create content