Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

I am trying to push a dynamic firewall filter to a Juniper switch during an 802.1x login.

dot1x is working, VLAN assignment is working, and I can send a filter name to the switch via the RADIUS attribute Filter-Id.

When I try to remove the Filter-Id and replace it with a dynamic filter using the RADIUS attribute Juniper-Switching-Filter, it does not work.

Following this post:

https://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/802-1x-filtering-with-radius-attributes-ex-series.html

I have added this attribute to the RADIUS dictionary.

I have created an Enforcement Profile that just sends

Radius:Juniper:Juniper-Switching-Filter="match destination-ip 155.246.21.0/24 action deny"

The dot1x on the wired port is successful, however the filter does not get applied.

In ClearPass when I check the "Access Tracker" it does not indicate that the RADIUS attribute was sent to the switch.

I do not see any errors in the "Event Viewer". Where else can I look? Any ideas, anyone?

The logs show:

2014-03-28 15:13:39,106[RequestHandler-1-0x7f4c3fdfe700 h=215344 c=R00002a86-06-5335c9e2] ERROR Common.RadiusDictTable - No Attribute for VendorId = 2636, AttrId = 48
2014-03-28 15:13:39,106[RequestHandler-1-0x7f4c3fdfe700 h=215344 c=R00002a86-06-5335c9e2] ERROR Common.RadiusVendorAttrMap - Invalid attribute Id=48 Vendor=Juniper
2014-03-28 15:13:39,106[RequestHandler-1-0x7f4c3fdfe700 h=215344 c=R00002a86-06-5335c9e2] ERROR Common.BaseRadiusEnfProfileCacheObj - Failed to insert Vendor=Juniper attrId=48 Value="match destination-ip 155.246.21.0/24 action deny"

I added the RADIUS attribute by exporting the Juniper RADIUS dictionary, modifying it and uploading it. Should I have done something else?
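The ClearPass errors above are a dictionary lookup failing on the pair (VendorId 2636, AttrId 48), which is how the Juniper VSA travels inside RADIUS attribute 26 (RFC 2865, section 5.26). As an added example that is not from this post or from ClearPass, the Python below encodes and decodes that VSA and reproduces the unresolved-attribute condition against a constructed stand-in dictionary; the dictionary shape and the 247-byte per-VSA value limit are taken from RFC 2865, not from ClearPass's own dictionary format.

```python
import struct

# RFC 2865 section 5.26: a Vendor-Specific attribute (type 26) wraps
# Vendor-Id (4 bytes) plus one vendor sub-attribute: Vendor-Type, Vendor-Length, value.
VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 2636            # VendorId from the ClearPass log in this thread
JUNIPER_SWITCHING_FILTER = 48       # AttrId that ClearPass could not resolve
MAX_VSA_VALUE = 255 - 2 - 4 - 2     # 247 bytes of value fit in one VSA

# Constructed stand-in for a RADIUS dictionary keyed by (vendor id, attr id).
# A dictionary without this entry reproduces "No Attribute for VendorId = 2636, AttrId = 48".
DICTIONARY = {(JUNIPER_VENDOR_ID, JUNIPER_SWITCHING_FILTER): "Juniper-Switching-Filter"}

FILTER = "match destination-ip 155.246.21.0/24 action deny"   # value quoted in the thread


def encode_vsa(vendor_id, vendor_type, value):
    """Build the on-the-wire bytes for one vendor sub-attribute inside attribute 26."""
    data = value.encode("ascii")
    if len(data) > MAX_VSA_VALUE:
        raise ValueError("value is %d bytes; a single VSA carries at most %d"
                         % (len(data), MAX_VSA_VALUE))
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(blob, dictionary=DICTIONARY):
    """Parse a VSA and resolve it through the dictionary.

    Returns (name, vendor_id, vendor_type, value). Raises KeyError when the
    (vendor, attr) pair is missing from the dictionary, as ClearPass did in the log.
    """
    attr_type, attr_len = struct.unpack("!BB", blob[:2])
    if attr_type != VENDOR_SPECIFIC or attr_len != len(blob) or attr_len < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", blob[2:6])[0]
    vendor_type, vendor_len = struct.unpack("!BB", blob[6:8])
    if vendor_len != len(blob) - 6:
        raise ValueError("vendor sub-attribute length does not match the frame")
    value = blob[8:8 + vendor_len - 2].decode("ascii")
    name = dictionary.get((vendor_id, vendor_type))
    if name is None:
        raise KeyError("No Attribute for VendorId = %d, AttrId = %d" % (vendor_id, vendor_type))
    return name, vendor_id, vendor_type, value
```

Decoding the same bytes with `dictionary={}` raises the KeyError, which is the condition the ClearPass log reports when the imported dictionary is not active.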

 

MVP
Posts: 520
Registered: ‎05-11-2011

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

I just tried what you did now.

Export, added the extra command, imported, enabled the dictionary.

Then I just created an Enf profile with the same you did, added it to the Enf policy and boom - out it went :)

So - did you enable the Dictionary? *duh*

Does the Dictionary view compare to this screenshot?

[screenshot attachment: ah-28.03.png]

As you can see - it shows clearly in the Output (which is a mac-auth service):

[screenshot attachment: ah-2-28.03.png]

Post some screens and we'll see what we can read from those :)

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

John,

Thanks for the response. I found a note that when changing the RADIUS dictionary the Policy Server and the RADIUS Server must be restarted. So I have done that and I now see that the RADIUS attribute is being sent to the Juniper switch.

[screenshot attachment: Screen Shot 2014-03-31 at 9.24.41 AM.png]

I was not seeing the RADIUS response before I restarted the Policy and RADIUS Servers.

The problem has now moved into the Juniper switch. The dot1x logs on the Juniper EX3300 show:

Mar 31 09:17:21.724792 Received filter string "match destination-ip 155.246.21.0/24 action deny" from authentication server
Mar 31 09:17:21.725847 filter parser: Invalid input. Unknown field m
Mar 31 09:17:21.725881 filter parser: Invalid match/action field. Discarding input

So it would appear that I don't have the syntax of the filter correct. When you tried this, did the filter get applied? I am doing this on an EX3300 Juniper switch running Junos 12.3R3.4.

 

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

All,

I'm also interested in this topic. Here's a Juniper tech pub that I found which could help:

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/802-1x-filtering-with-radius-attributes-ex-series.html

I'll try hopping onto an EX in the next few days to also help with this topic, if it's not solved before then.

Thanks!

-Mike

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

All,

I also posted a similar question to the Juniper Forums last year:

http://forums.juniper.net/t5/Ethernet-Switching/Dynamic-Firewall-filters-to-an-EX-via-RADIUS-VSA/td-p/220771

-Mike

Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

Mike,

I found that same article about what should work and had the same question about the "Juniper-Firewall-Filter" vs. "Juniper-Switching-Filter". Neither of them worked for me. Thanks for pointing me at your forum post, I am not a Juniper customer just yet so I can't respond via the forum. I have escalated this with my Juniper SE.

By turning on a bunch of debugging, I got the errors out of the switch:

protocols {
    dot1x {
        traceoptions {
            file dot1x;
            flag dot1x-debug;
            flag general;
            flag normal;
            flag state;
            flag parse;
            flag vlan;
        }
    }
}

Mar 31 10:55:54.160650 Received filter string "match destination-ip 155.246.21.0/24 action deny" from authentication server
Mar 31 10:55:54.162233 filter parser: Invalid input. Unknown field m
Mar 31 10:55:54.162265 filter parser: Invalid match/action field. Discarding input

I will let you know how it goes.

--Chris
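With the dot1x traceoptions above enabled, the useful signal is a "Received filter string" line followed by "filter parser:" lines ending in "Discarding input". As an added example that is not part of Chris's post or of Junos, the Python below correlates those trace lines so each rejected filter is reported with the parser's reasons; the sample trace is constructed from the lines quoted in this thread plus one assumed filter that no error follows.

```python
import re

# Constructed sample trace: the first three lines reproduce the EX3300 trace quoted in
# this thread; the fourth is an assumed filter that the parser accepted (no error follows).
SAMPLE_TRACE = """\
Mar 31 10:55:54.160650 Received filter string "match destination-ip 155.246.21.0/24 action deny" from authentication server
Mar 31 10:55:54.162233 filter parser: Invalid input. Unknown field m
Mar 31 10:55:54.162265 filter parser: Invalid match/action field. Discarding input
Mar 31 10:57:02.001122 Received filter string "CONSTRUCTED-ACCEPTED-FILTER" from authentication server
"""

# Junos trace timestamp: "Mar 31 10:55:54.160650"
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+)"
RECEIVED_RE = re.compile(TS + r' Received filter string "(?P<filter>[^"]*)" from authentication server$')
PARSER_RE = re.compile(TS + r" filter parser: (?P<msg>.+)$")


def correlate_filter_events(trace_text):
    """Attach each 'filter parser:' message to the most recently received filter string.

    Returns a list of dicts with keys ts, filter, errors, discarded.
    """
    events, current = [], None
    for line in trace_text.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            current = {"ts": m.group("ts"), "filter": m.group("filter"),
                       "errors": [], "discarded": False}
            events.append(current)
            continue
        p = PARSER_RE.match(line)
        if p and current is not None:
            current["errors"].append(p.group("msg"))
            if "Discarding input" in p.group("msg"):
                current["discarded"] = True
    return events


def rejected_filters(trace_text):
    """Only the filters the switch threw away, each with the parser's reasons."""
    return [e for e in correlate_filter_events(trace_text) if e["discarded"]]
```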

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

Hi Chris,

For as much as I love JUNOS, it often can drive me crazy. Question for you: are you just looking to implement the downloadable ACLs? The only things that I have not gotten to work are:

1. Captive Portal redirect to something other than their UAC platform.

2. Downloading ACLs via the switching profile

I've been able to get the following to work:

1. 802.1x

2. 802.1x + MAC auth fail through

3. 802.1x fails > MAC auth fail > Captive Portal

4. 802.1x fail > server fail VLAN

5. 802.1x fail > guest VLAN

6. MAC auth only using EAP-MD5 contained in a Clearpass static host list. The username and the password are both the MAC address.

7. 802.1x with a VLAN ID being sent from Clearpass

8. 802.1x with a dynamic firewall via the Filter-ID sent from Clearpass

9. Authenticating the EX captive portal using EAP-MD5 and local users in Clearpass

Let me know if you're also having trouble with any of the stuff that I have working and I'll post a solution to that as well.

-Mike

Occasional Contributor I
Posts: 5
Registered: ‎03-03-2014

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

Mike,

It seems like we are on parallel paths.

I have dot1x with dynamic VLAN and Filter-Id working.

I have not started the MAC auth yet. So please share.

Then I want to get captive portal working with the portal on the ClearPass server, not a switch-based portal.

chose at Stevens Institute of Technology

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

Hi Chris,

Here are some JUNOS code examples for MAC auth:

ge-0/0/9.0 {
   supplicant multiple;
   transmit-period 5;
   mac-radius;
   reauthentication 600;
   server-timeout 3;
   maximum-requests 3;
}

The above example will allow MAC authentication as a failback in case 802.1x fails. Here's a slightly modified example:

ge-0/0/9.0 {
   supplicant multiple;
   transmit-period 5;
   mac-radius {
      restrict;
   }
   reauthentication 600;
   server-timeout 3;
   maximum-requests 3;
}

This example will ONLY perform MAC authentication on this port.

The thing that you need to do in Clearpass to get MAC authentication working is to either:

i. Put the MAC address into a static host list

ii. Create a local user with the username and password of the MAC Address.

I don't believe that JUNOS has a way to redirect users to Clearpass. Here's how you'd direct a switch to their UAC appliance:

services {
   unified-access-control {
      infranet-controller Clearpass {
         address 10.10.102.253;
         interface ge-0/0/1;
         password "$9$8XCXxdwYoDHmWLxdbwg4QF39uO"; ## SECRET-DATA
      }
   }
}

I've tried setting this up using Clearpass as the destination UAC and I haven't got it to work. I should grab a packet capture on Clearpass when it tries to do the above to see if there's a way I can format the address field. That will probably require a change from Juniper to redirect to a standard Captive Portal engine or for Clearpass to come up with a custom script that rewrites this communication into something Guest understands.

-Mike

MVP
Posts: 371
Registered: ‎01-14-2010

Re: Has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

Hi Chris,

I gave it another poke tonight and still no luck. I'll try getting back to this in the next week or so. Definitely let me know if the Juniper SE points you in the right direction.

Thanks!

-Mike
