For Captive Portal to work you must be running at least 15.1R6-S3; for Juniper Port Bounce (needed if you are going to do CoA into a different VLAN/subnet) to work you must be running at least 17.3R1.
Check the JTAC recommended release here:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21476
Also Check Out the fine ASE solution here:
https://ase.arubanetworks.com/solutions/id/97
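The two release minimums above are worth checking automatically across a fleet before the features are turned on. The following is an added example in Python, not part of this guide or of Junos: it parses a Junos R-release string such as 15.1R6-S3 or 18.4R3-S5.2, orders it as a tuple, and compares it with the minimums the guide names. The `show version` text it reads is a constructed sample, and the two line formats it looks for (a `Junos:` line, or an older `JUNOS ... [release]` line) are assumptions about that output.

```python
import re
from typing import Dict, Tuple

# Added example, not part of the original guide: check a switch's Junos release
# against the two minimums the guide names. Only "R" release trains
# (e.g. 15.1R6-S3, 17.3R1, 18.4R3-S5.2) are ordered; X-series and other
# trains (e.g. 15.1X53-D59) are rejected rather than silently mis-ordered.

MIN_CAPTIVE_PORTAL = "15.1R6-S3"   # from the guide
MIN_PORT_BOUNCE = "17.3R1"         # from the guide

_RELEASE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)"      # 15.1R6
    r"(?:-?S(?P<s>\d+)(?:\.(?P<build>\d+))?)?$"        # optional -S3 or -S3.3
)


def parse_junos_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, R, S, build) so tuple comparison follows release order."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported or non-R Junos release string: {text!r}")
    g = m.groupdict()
    return (int(g["major"]), int(g["minor"]), int(g["r"]),
            int(g["s"] or 0), int(g["build"] or 0))


def feature_support(running: str) -> Dict[str, bool]:
    """Which of the two version-gated features the running release supports."""
    v = parse_junos_version(running)
    return {
        "captive_portal": v >= parse_junos_version(MIN_CAPTIVE_PORTAL),
        "port_bounce_coa": v >= parse_junos_version(MIN_PORT_BOUNCE),
    }


def version_from_show_version(output: str) -> str:
    """Pull the release string out of 'show version' text.

    Assumes one of two formats (assumption of this example): a 'Junos: 18.4R3-S5.2'
    line on newer releases, or a 'JUNOS Base OS boot [15.1R6-S3.3]' line on older ones.
    """
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Junos:"):
            return line.split(":", 1)[1].strip()
        m = re.search(r"\[(\d+\.\d+R\d+(?:-S\d+)?(?:\.\d+)?)\]", line)
        if m:
            return m.group(1)
    raise ValueError("no Junos release found in output")


def check_device(show_version_output: str) -> Dict[str, bool]:
    """Feature gate for one device, straight from its 'show version' output."""
    return feature_support(version_from_show_version(show_version_output))


# Constructed 'show version' samples (not captured from real devices).
SAMPLE_NEW = """\
Hostname: access-sw-01
Model: ex2300-48p
Junos: 18.4R3-S5.2
"""
SAMPLE_OLD = """\
Hostname: access-sw-02
Model: ex4300-48p
JUNOS Base OS boot [15.1R6-S3.3]
JUNOS Base OS Software Suite [15.1R6-S3.3]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_OLD):
        print(version_from_show_version(sample), check_device(sample))
```

Note that a plain 15.1R6 (no service release) orders below 15.1R6-S3 and so does not pass the Captive Portal gate, while 15.1R7 does; that is the ordering the tuple encodes.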
TACACS+ Admin Access
Create Login Class
set system login class su-with-timeout idle-timeout 30
set system login class su-with-timeout permissions all
Create remote User
set system login user <TACACS Username> uid 1111
set system login user <TACACS Username> class su-with-timeout
Setup NTP
set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3
Set the Server
set system tacplus-server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret>
set system tacplus-server <CPPM-VIP-IP-Address> source-address <IRB IP>
set system tacplus-server <CPPM-VIP-IP-Address> timeout 30
set system authentication-order [ tacplus password ]
TACACS accounting
set system accounting events [ change-log login ]
set system accounting destination tacplus server <CPPM-VIP-IP-Address> secret <TACACS+ Shared Secret> timeout 30
set system accounting destination tacplus server <CPPM-VIP-IP-Address> source-address <IRB IP>
Reference:
https://www.juniper.net/documentation/en_US/junos/topics/concept/access-privileges-levels-overview.html
RADIUS Port Authentication
HTTPS Redirect
Send a Juniper-Switching-Filter rather than the built-in CWA filter
Juniper:Juniper-CWA-Redirect-URL = https://<ClearPass FQDN>/guest/YourPage.php?&mac=%{Radius:IETF:Calling-Station-Id}
Do not send the built-in CWA filter; send a Juniper-Switching-Filter instead:
Juniper-Switching-Filter = match destination-ip <ClearPass-VIP> ip-protocol 6 destination-port 443 action allow
Ref: https://amzia.wordpress.com/2018/11/30/juniper-ex-cwa-cisco-ise/#jp-carousel-128
Ref: https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-radius-authentication.html#id-juniper-switching-filter-vsa-match-conditions-and-actions
The ClearPass service assumes that the port's default configuration places it in the authenticated user VLAN:
delete interfaces ge-0/0/x unit 0 family ethernet-switching vlan members
set interfaces ge-0/0/x unit 0 family ethernet-switching vlan members <Default VLAN>
Enable HTTP and HTTPS services.
These services must be enabled for URL redirection. Please ensure that you have proper firewall filters to block management access.
set system services web-management http
set system services web-management https system-generated-certificate
Setup NTP
If you did not set up NTP with TACACS above please ensure NTP is properly configured.
set system ntp boot-server <Your NTP1>
set system ntp server <Your NTP1> version 3
set system ntp server <Your NTP1> prefer
set system ntp server <Your NTP2> version 3
RADIUS Server Configuration
set access profile ClearPass_Auth radius authentication-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth accounting-order radius
set access profile ClearPass_Auth authentication-order radius
set access profile ClearPass_Auth radius accounting-server <CPPM-VIP-IP-Address>
set access profile ClearPass_Auth radius options nas-identifier JuniperSwitch
set access radius-options interim-rate 60
DHCP Forwarding Options
set forwarding-options dhcp-relay group DHCP_Relay interface <L3 Interfaces>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM1-IP-Address>
set forwarding-options dhcp-relay server-group DHCP_Relay <CPPM2-IP-Address>
Port Authentication (Dot1x/MAC)
set protocols dot1x authenticator no-mac-table-binding
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant multiple
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius authentication-protocol pap
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius flap-on-disconnect
ASE Recommended Timers
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all quiet-period 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all transmit-period 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all reauthentication 600
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all supplicant-timeout 10
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-timeout 5
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all maximum-requests 3
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all server-fail use-cache
Disable 802.1x (MAC Auth Only)
set protocols dot1x authenticator authentication-profile-name ClearPass_Auth interface all mac-radius restrict
Firewall Filters
Port ACL/Firewall filters can be passed back from ClearPass as a Filter-ID.
GuestUserFilter
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter GuestUserFilter term BlockDHCPServer then discard
set firewall family ethernet-switching filter GuestUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter GuestUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter GuestUserFilter term ra-guard then discard
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from ip-destination-address <IP Address>
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> from destination-port [ <Ports Used> ]
set firewall family ethernet-switching filter GuestUserFilter term <YourResource> then accept
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from destination-port domain
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS 1 / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS from ip-destination-address <Internal DNS 2 / DNS Proxy If Needed>/32
set firewall family ethernet-switching filter GuestUserFilter term AllowDNS then accept
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 from ip-destination-address 10.0.0.0/8
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_10 then discard
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 from ip-destination-address 172.16.0.0/12
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_172 then discard
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 from ip-destination-address 192.168.0.0/16
set firewall family ethernet-switching filter GuestUserFilter term BlockRFC1918_192 then discard
set firewall family ethernet-switching filter GuestUserFilter term AllowInternet then accept
AuthorizedUserFilter
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from destination-port 68
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer from ip-protocol udp
set firewall family ethernet-switching filter AuthorizedUserFilter term BlockDHCPServer then discard
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from icmp-type router-advertisement
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard from ip-protocol icmp6
set firewall family ethernet-switching filter AuthorizedUserFilter term ra-guard then discard
set firewall family ethernet-switching filter AuthorizedUserFilter term allowall then accept
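Before pushing GuestUserFilter to a switch it helps to confirm that the term order does what you intend, because Junos applies the first matching term and discards anything no term matches. The following is an added example in Python, not part of this guide or of Junos: it models first-match evaluation over the GuestUserFilter terms listed above, with <YourResource>, the DNS servers and the sample client traffic filled in with constructed RFC 1918 and documentation-range addresses. It shows why AllowDNS has to sit above the BlockRFC1918 terms (an internal resolver usually lives in RFC 1918 space), and that BlockDHCPServer discards a rogue server's Offer (destination port 68) while leaving the client's own Discover (destination port 67) to reach the real server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not part of the original guide: a first-match simulator for the
# GuestUserFilter terms above. Junos evaluates terms top to bottom, the first
# matching term's action applies, and a packet matching no term is discarded.
# All addresses and packets below are constructed for illustration.


@dataclass(frozen=True)
class Term:
    name: str
    action: str                          # "accept" or "discard"
    ip_protocol: Optional[str] = None    # "udp", "tcp", "icmp6" or None (any)
    dst_ports: Tuple[int, ...] = ()      # empty = any destination port
    dst_prefixes: Tuple[str, ...] = ()   # empty = any destination address
    icmp_type: Optional[str] = None      # e.g. "router-advertisement"


@dataclass(frozen=True)
class Packet:
    dst: str
    ip_protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


def term_matches(term: Term, pkt: Packet) -> bool:
    """All 'from' conditions of a term must hold (Junos ANDs them)."""
    if term.ip_protocol is not None and term.ip_protocol != pkt.ip_protocol:
        return False
    if term.dst_ports and pkt.dst_port not in term.dst_ports:
        return False
    if term.icmp_type is not None and term.icmp_type != pkt.icmp_type:
        return False
    if term.dst_prefixes:
        addr = ipaddress.ip_address(pkt.dst)
        # an IPv6 address is never inside an IPv4 prefix, and vice versa
        if not any(addr in ipaddress.ip_network(p) for p in term.dst_prefixes):
            return False
    return True


def evaluate(terms: Tuple[Term, ...], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return "implicit-discard", "discard"


# GuestUserFilter as listed above, placeholders filled with constructed values:
# <YourResource> = 10.1.1.10 on 443, internal DNS = 10.1.1.53 and 10.1.1.54.
GUEST_USER_FILTER = (
    Term("BlockDHCPServer", "discard", ip_protocol="udp", dst_ports=(68,)),
    Term("ra-guard", "discard", ip_protocol="icmp6", icmp_type="router-advertisement"),
    Term("YourResource", "accept", dst_ports=(443,), dst_prefixes=("10.1.1.10/32",)),
    Term("AllowDNS", "accept", dst_ports=(53,), dst_prefixes=("10.1.1.53/32", "10.1.1.54/32")),
    Term("BlockRFC1918_10", "discard", dst_prefixes=("10.0.0.0/8",)),
    Term("BlockRFC1918_172", "discard", dst_prefixes=("172.16.0.0/12",)),
    Term("BlockRFC1918_192", "discard", dst_prefixes=("192.168.0.0/16",)),
    Term("AllowInternet", "accept"),
)

# Constructed sample traffic arriving from a guest port.
CLIENT_DHCP_DISCOVER = Packet("255.255.255.255", "udp", src_port=68, dst_port=67)
ROGUE_DHCP_OFFER = Packet("10.20.30.40", "udp", src_port=67, dst_port=68)
DNS_TO_INTERNAL = Packet("10.1.1.53", "udp", src_port=40000, dst_port=53)
HTTPS_TO_INTERNAL = Packet("10.50.0.1", "tcp", src_port=40001, dst_port=443)
HTTPS_TO_INTERNET = Packet("203.0.113.10", "tcp", src_port=40002, dst_port=443)
IPV6_RA = Packet("ff02::1", "icmp6", icmp_type="router-advertisement")


def misordered_filter() -> Tuple[Term, ...]:
    """Same terms with AllowDNS moved below the RFC 1918 blocks: internal DNS now breaks."""
    terms = list(GUEST_USER_FILTER)
    dns = terms.pop(3)
    terms.insert(6, dns)   # after the three BlockRFC1918 terms, before AllowInternet
    return tuple(terms)


if __name__ == "__main__":
    for pkt in (CLIENT_DHCP_DISCOVER, ROGUE_DHCP_OFFER, DNS_TO_INTERNAL,
                HTTPS_TO_INTERNAL, HTTPS_TO_INTERNET, IPV6_RA):
        print(f"{pkt.dst:>16} {pkt.ip_protocol:<5} dport={pkt.dst_port!s:<5} -> "
              f"{evaluate(GUEST_USER_FILTER, pkt)}")
    print("DNS with AllowDNS below the RFC1918 blocks:",
          evaluate(misordered_filter(), DNS_TO_INTERNAL))
```

The same model applies to AuthorizedUserFilter: its BlockDHCPServer and ra-guard terms are evaluated before the catch-all accept, so the two discard terms only have effect because they come first.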
References:
https://ase.arubanetworks.com/solutions/id/97
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/802-1x-pnac-vsa-understanding.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-159-aruba-device-profiling.pdf
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/nce160-example-aruba-guest-access.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html
https://www.juniper.net/documentation/en_US/release-independent/nce/information-products/pathway-pages/nce/nce-157-aruba-dot1x-mac-configuring.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/central-web-authentication-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/example/authentication-captive-portal-els.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/general/authentication-process-flow-chart-ex-series-switches.html
VoIP LLDP-MED
https://www.juniper.net/documentation/en_US/junos/topics/example/802-1x-pnac-voip-ex-series-configuring.html