@aboj wrote:
Tim, we have exactly the same scenario but with more predominant Windows-based platforms. Would you mind posting the Juniper configs related to the authentication?
Thanks in advance.
See if this helps:
JUNIPER SWITCH CONFIG:
RADIUS AUTHENTICATION:
set access radius-server <CLEARPASS-SERVER-IP> secret <SHARED-KEY>
set access radius-server <CLEARPASS-SERVER-IP> source-address <SWITCH-IP>
set access profile <CLEARPASS-PROFILE-NAME> authentication-order radius
set access profile <CLEARPASS-PROFILE-NAME> radius authentication-server <CLEARPASS-SERVER-IP>
RADIUS ACCOUNTING:
set access profile <CLEARPASS-PROFILE-NAME> radius accounting-server <CLEARPASS-SERVER-IP>
set access profile <CLEARPASS-PROFILE-NAME> accounting order radius
set access profile <CLEARPASS-PROFILE-NAME> accounting accounting-stop-on-failure
set access profile <CLEARPASS-PROFILE-NAME> accounting accounting-stop-on-access-deny
set access profile <CLEARPASS-PROFILE-NAME> accounting immediate-update
set access profile <CLEARPASS-PROFILE-NAME> accounting update-interval 12
set access profile <CLEARPASS-PROFILE-NAME> accounting statistics time
INTERFACE/VLAN CONFIG:
Guest VLAN
This is where a nonresponsive supplicant is placed. Nonresponsive happens because the client does not have the 802.1x supplicant software installed or configured. They are not trying to attempt any authentication to the network.
Server Reject VLAN
This is where an authentication attempt was made by supplicant or MAC address and the authentication failed.
VLANS CONFIG:
set vlans FULL-ACCESS-VLAN vlan-id <FULL-ACCESS-VLAN-ID>
set vlans GUEST-VLAN vlan-id <GUEST-VLAN-ID>
INTERFACE CONFIG:
set interfaces <INTERFACE-NAME> description "<PORT DESCRIPTION>"
set interfaces <INTERFACE-NAME> unit 0 family ethernet-switching port-mode access
set interfaces <INTERFACE-NAME> unit 0 family ethernet-switching vlan members <VLAN-ID>
set protocols dot1x authenticator authentication-profile-name <CLEARPASS-PROFILE-NAME>
set protocols dot1x authenticator interface <INTERFACE-NAME> supplicant multiple
set protocols dot1x authenticator interface <INTERFACE-NAME> transmit-period 5
set protocols dot1x authenticator interface <INTERFACE-NAME> reauthentication 600
set protocols dot1x authenticator interface <INTERFACE-NAME> server-timeout 3
set protocols dot1x authenticator interface <INTERFACE-NAME> maximum-requests 3
set protocols dot1x authenticator interface <INTERFACE-NAME> server-fail use-cache
set protocols dot1x authenticator interface <INTERFACE-NAME> retries 4
set protocols dot1x authenticator interface <INTERFACE-NAME> server-reject-vlan <REJECT-VLAN-ID>
set protocols dot1x authenticator interface <INTERFACE-NAME> guest-vlan <GUEST-VLAN-ID>
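
A pre-commit check for a config of this shape, as an added example that is not part of the original post: it parses Junos "set" lines and reports dot1x ports whose guest-vlan or server-reject-vlan is missing or points at a VLAN that is never defined under "set vlans" (the post defines a guest VLAN but no reject VLAN), plus a dot1x profile name with no matching access profile. The function name, interface names, profile name and VLAN IDs are assumptions made up for the sample, and the check assumes every dot1x port is meant to carry both fallback VLANs.

```python
# Constructed sample config: the post's placeholders filled with made-up values.
SAMPLE = """\
set access profile CPPM authentication-order radius
set access profile CPPM radius authentication-server 192.0.2.10
set vlans FULL-ACCESS-VLAN vlan-id 10
set vlans GUEST-VLAN vlan-id 20
set protocols dot1x authenticator authentication-profile-name CPPM
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan 30
set protocols dot1x authenticator interface ge-0/0/1.0 guest-vlan 20
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/2.0 guest-vlan GUEST-VLAN
"""

DOT1X = ["set", "protocols", "dot1x", "authenticator"]
FALLBACKS = ("guest-vlan", "server-reject-vlan")


def lint_dot1x(config):
    """Return sorted findings for a Junos 'set'-style 802.1X configuration."""
    vlans, profiles = set(), set()   # VLAN names/ids and access profiles defined
    ports = {}                       # interface -> {option: value}
    used_profile = None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "vlans"] and len(t) >= 5 and t[3] == "vlan-id":
            vlans.update((t[2], t[4]))   # a VLAN may be referenced by name or id
        elif t[:3] == ["set", "access", "profile"] and len(t) > 3:
            profiles.add(t[3])
        elif t[:4] == DOT1X and len(t) > 5 and t[4] == "authentication-profile-name":
            used_profile = t[5]
        elif t[:4] == DOT1X and len(t) > 6 and t[4] == "interface":
            ports.setdefault(t[5], {})[t[6]] = t[7] if len(t) > 7 else ""
    findings = []
    if used_profile not in profiles:
        findings.append(f"dot1x: access profile {used_profile} is not defined")
    for ifc, opts in ports.items():
        for key in FALLBACKS:
            if key not in opts:
                findings.append(f"{ifc}: no {key} configured")
            elif opts[key] not in vlans:
                findings.append(f"{ifc}: {key} {opts[key]} is not a defined VLAN")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_dot1x(SAMPLE):
        print(finding)
```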