Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Dynamic Tagged vlans for Juniper EX 3300 switch

  • 1.  Dynamic Tagged vlans for Juniper EX 3300 switch

    Posted Nov 26, 2019 06:40 AM

    Hi

    I'm deploying Aruba ClearPass with Juniper EX 3300 switches and Instant APs. I would like the IAPs to use their supplicant and authenticate on switch ports, but I have got stuck on setting tagged VLANs for the port where the IAP is connected. I use some SSIDs with different VLANs and all of them must be set on the port as tagged VLANs.

    Does anyone have any experience with what attributes I should send from ClearPass to the Juniper EX switch to achieve this?

    Maybe just the Juniper-VoIP-Vlan attribute, but what about many VLANs?

    Thanks in advance

    Karol



  • 2.  RE: Dynamic Tagged vlans for Juniper EX 3300 switch

    Posted Nov 26, 2019 08:28 AM

    I think you need Junos 18 on the switches, and I am not sure if you can dynamically assign VLANs on trunks on Juniper.

    See here: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/802-1x-authentication-switching-devices.html



  • 3.  RE: Dynamic Tagged vlans for Juniper EX 3300 switch

    Posted Nov 26, 2019 09:17 AM

    Hi

    Yes, you are probably right. I have also dug through the Juniper docs and it seems that it may not be supported on the EX 3300 (last version is 15.x).

    I have tried to enable 802.1X on a trunk port on my switch, but it says that it is not allowed.

    I wonder if there is any workaround for the issue to achieve the aim, but for the moment I don't see any, only leaving the switch port for the AP unprotected (I mean without 802.1X or MAB).

    regards

    K



  • 4.  RE: Dynamic Tagged vlans for Juniper EX 3300 switch

    Posted Nov 26, 2019 10:37 AM

    I'm a little confused by what you are trying to accomplish.

    Are you trying to use the switch as the authenticator, or the IAP?

    On Juniper you can set the interface mode to access, then under dot1x protocols set the supplicant mode to multiple; the Juniper switch will then authenticate each device individually and put them on different VLANs (i.e., you can have x amount of MAC addresses on one port, all in different VLANs).

    If you are attempting to use the IAP (I apologize in advance, I don't know a lot about the IAPs), why not just set up a regular trunk on the Juniper, and have the IAP tag the VLANs that ClearPass returns?


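The access-port / multiple-supplicant setup described in the reply above, written out as an added Junos configuration example. It is not part of the original thread and is not Juniper's or HPE Aruba's own sample; the interface ge-0/0/10, the VLAN names and IDs, the profile name clearpass-profile, the RADIUS server address 192.0.2.10 and the shared secret are all assumed placeholders. It shows the case the thread agrees is supported: each MAC on the access port is authenticated separately, and ClearPass returns the standard RFC 3580 attributes per session (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = a VLAN ID or name) to place that session in its VLAN. It does not push a set of tagged VLANs to one port, which is the limitation the thread identifies for the EX3300.

```junos
/* Added example, not from the thread or from Juniper/HPE Aruba.
   Colorless access port: the switch authenticates every MAC on it
   individually and ClearPass chooses the VLAN per session. */
interfaces {
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                /* EX3300 (Junos 15.x, legacy CLI) uses port-mode;
                   ELS-based platforms use "interface-mode access" instead */
                port-mode access;
                /* VLAN used until RADIUS assigns one (assumed name) */
                vlan {
                    members quarantine;
                }
            }
        }
    }
}
vlans {
    quarantine {
        vlan-id 999;
    }
    /* Example VLAN ClearPass would return in Tunnel-Private-Group-ID
       (as "100" or "ap-mgmt") for an authenticated IAP */
    ap-mgmt {
        vlan-id 100;
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name clearpass-profile;
            interface {
                ge-0/0/10.0 {
                    /* Each MAC is a separate session and can land in its own VLAN */
                    supplicant multiple;
                    /* MAC authentication (MAB) for devices without a supplicant */
                    mac-radius;
                    /* Keep the port closed if ClearPass is unreachable */
                    server-fail deny;
                    transmit-period 30;
                    maximum-requests 3;
                }
            }
        }
    }
}
access {
    radius-server {
        192.0.2.10 {
            /* ClearPass (assumed address); the secret is a placeholder */
            port 1812;
            secret "CHANGE-ME-PLACEHOLDER";
        }
    }
    profile clearpass-profile {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
            accounting-server 192.0.2.10;
        }
        /* Accounting gives ClearPass (and your SIEM) a record of which
           MAC landed in which VLAN on which port */
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}
```

On the ClearPass side the matching enforcement profile is a plain RADIUS one carrying the three RFC 3580 attributes above; the switch reads Tunnel-Private-Group-ID as either the VLAN ID or the configured VLAN name. Because supplicant multiple keys sessions on MAC address, a port that should only ever hold an IAP is best paired with a ClearPass service that also checks the authenticating identity (certificate or MAC in the endpoint repository) rather than relying on the port alone.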

  • 5.  RE: Dynamic Tagged vlans for Juniper EX 3300 switch

    Posted Nov 27, 2019 05:36 AM

    Hi Chris

    Thanks for the response.

    I want to authenticate the IAP itself, so to use the supplicant built into the IAP itself, and the role of the switch is authenticator for the IAP; ClearPass is the RADIUS server.

    I'm deploying ClearPass and want to have colorless ports on the switch with the same config.

    This concerns only the IAP itself, not user traffic. The IAP authenticates to the network during startup only, before any user traffic flows.

    I have received some info from Juniper guys that 802.1X is not supported for the EX3300 on trunk ports.

    My only idea for the moment is to tunnel traffic with a GRE tunnel from the IAP to the firewall, but it is always a little bit complicated.

    regards

    Karol