Hi Chris,
Here are some JUNOS code examples for MAC auth:
ge-0/0/9.0 {
    supplicant multiple;
    transmit-period 5;
    mac-radius;
    reauthentication 600;
    server-timeout 3;
    maximum-requests 3;
}
The above example will allow MAC authentication as a fallback in case 802.1x fails. Here's a slightly modified example:
ge-0/0/9.0 {
    supplicant multiple;
    transmit-period 5;
    mac-radius {
        restrict;
    }
    reauthentication 600;
    server-timeout 3;
    maximum-requests 3;
}
This example will ONLY perform MAC authentication on this port.
The thing that you need to do in Clearpass to get MAC authentication working is to either:
i. Put the MAC address into a static host list
ii. Create a local user with the username and password of the MAC Address.
I don't believe that JUNOS has a way to redirect users to Clearpass. Here's how you'd direct a switch to their UAC appliance:
services {
    unified-access-control {
        infranet-controller Clearpass {
            address 10.10.102.253;
            interface ge-0/0/1;
            password "$9$8XCXxdwYoDHmWLxdbwg4QF39uO"; ## SECRET-DATA
        }
    }
}
I've tried setting this up using Clearpass as the destination UAC and I haven't got it to work. I should grab a packet capture on Clearpass when it tries to do the above to see if there's a way I can format the address field. That will probably require a change from Juniper to redirect to a standard Captive Portal engine or for Clearpass to come up with a custom script that rewrites this communication into something Guest understands.
-Mike
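
For context, the interface stanzas in the post above live under the dot1x authenticator hierarchy and depend on a RADIUS access profile that points at ClearPass. The following is an added example, not part of the original post: the profile name cppm-radius, the reuse of 10.10.102.253 as the RADIUS server address and the placeholder shared secret are assumptions.

```junos
# Added example (not from the original post).
# Assumptions: profile name "cppm-radius", ClearPass reachable for RADIUS
# at 10.10.102.253, shared secret shown as a placeholder.
access {
    radius-server {
        10.10.102.253 {
            secret "<RADIUS-SHARED-SECRET>";
        }
    }
    profile cppm-radius {
        authentication-order radius;
        radius {
            authentication-server 10.10.102.253;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            # Ties every dot1x/mac-radius port to the profile above
            authentication-profile-name cppm-radius;
            interface {
                # 802.1X first, MAC authentication as the fallback
                ge-0/0/9.0 {
                    supplicant multiple;
                    transmit-period 5;
                    mac-radius;
                    reauthentication 600;
                    server-timeout 3;
                    maximum-requests 3;
                }
                # MAC authentication only: swap the bare "mac-radius;"
                # statement for the restricted form from the post:
                #     mac-radius {
                #         restrict;
                #     }
            }
        }
    }
}
```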