has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

  • 1.  has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 28, 2014 04:29 PM

    I am trying to push a dynamic firewall filter to a Juniper switch during an 802.1x login.

    dot1x is working, VLAN assignment is working, and I can send a filter name to the switch via the RADIUS attribute Filter-Id.

    When I try to remove the Filter-Id and replace it with a dynamic filter using the RADIUS attribute Juniper-Switching-Filter, it does not work.

     

    Following this post:

    https://www.juniper.net/techpubs/en_US/junos13.1/topics/task/configuration/802-1x-filtering-with-radius-attributes-ex-series.html

     

    I have added this attribute to the RADIUS dictionary.

    I have created an Enforcement Profile that just sends

    Radius:Juniper:Juniper-Switching-Filter="match destination-ip 155.246.21.0/24 action deny"

    The dot1x on the wired port is successful; however, the filter does not get applied.

    In ClearPass, when I check the "Access Tracker", it does not indicate that the RADIUS attribute was sent to the switch.

    I do not see any errors in the "Event Viewer". Where else can I look? Any ideas, anyone?

    The logs show:

    2014-03-28 15:13:39,106[RequestHandler-1-0x7f4c3fdfe700 h=215344 c=R00002a86-06-5335c9e2] ERROR Common.RadiusDictTable - No Attribute for VendorId = 2636, AttrId = 48
    2014-03-28 15:13:39,106[RequestHandler-1-0x7f4c3fdfe700 h=215344 c=R00002a86-06-5335c9e2] ERROR Common.RadiusVendorAttrMap - Invalid attribute Id=48 Vendor=Juniper
    2014-03-28 15:13:39,106[RequestHandler-1-0x7f4c3fdfe700 h=215344 c=R00002a86-06-5335c9e2] ERROR Common.BaseRadiusEnfProfileCacheObj - Failed to insert Vendor=Juniper attrId=48 Value="match destination-ip 155.246.21.0/24 action deny"
    I added the RADIUS attribute by exporting the Juniper RADIUS dictionary, modifying it and uploading it. Should I have done something else?

     



  • 2.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 28, 2014 05:06 PM

    I just tried what you did now.

    Export, added the extra command, imported, enabled the dictionary.

    Then I just created an Enf profile with the same as you did, added it to the Enf policy and boom - out it went :)

    So - did you enable the Dictionary? *duh*

    Does the Dictionary view compare to this screenshot?

    ah-28.03.png

     

     

    As you can see - it shows clearly in the Output (which is a mac-auth service):

     

    ah-2-28.03.png

     

    Post some screens and we'll see what we can read from those :)

     

     



  • 3.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 31, 2014 09:26 AM

    John,

    Thanks for the response. I found a note that when changing the RADIUS dictionary the Policy Server and the RADIUS Server must be restarted. So I have done that, and I now see that the RADIUS attribute is being sent to the Juniper switch.

    Screen Shot 2014-03-31 at 9.24.41 AM.png

    I was not seeing the RADIUS response before I restarted the Policy and RADIUS Servers.

     

    The problem has now moved into the Juniper switch. The dot1x logs on the Juniper EX3300 show:

    Mar 31 09:17:21.724792 Received filter string "match destination-ip 155.246.21.0/24 action deny" from authentication server
    Mar 31 09:17:21.725847 filter parser: Invalid input. Unknown field m
    Mar 31 09:17:21.725881 filter parser: Invalid match/action field. Discarding input

    So it would appear that I don't have the syntax of the filter correct. When you tried this, did the filter get applied? I am doing this on an EX3300 Juniper switch running Junos 12.3R3.4.

     



  • 4.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 31, 2014 09:52 AM

    All,

     

    I'm also interested in this topic. Here's a Juniper tech pub that I found which could help:

     

    http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/802-1x-filtering-with-radius-attributes-ex-series.html

     

    I'll try hopping onto an EX in the next few days to also help with this topic, if it's not solved before then.

     

    Thanks!

     

    -Mike



  • 5.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 31, 2014 10:36 AM

    All,

     

    I also posted a similar question to the Juniper Forums last year:

     

    http://forums.juniper.net/t5/Ethernet-Switching/Dynamic-Firewall-filters-to-an-EX-via-RADIUS-VSA/td-p/220771

     

    -Mike



  • 6.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 31, 2014 11:53 AM

    Mike,

    I found that same article about what should work and had the same question about the "Juniper-Firewall-Filter" vs. "Juniper-Switching-Filter". Neither of them worked for me. Thanks for pointing me at your forum post; I am not a Juniper customer just yet, so I can't respond via the forum. I have escalated this with my Juniper SE.

    By turning on a bunch of debugging, I got the errors out of the switch:

    protocols {
        dot1x {
            traceoptions {
                file dot1x;
                flag dot1x-debug;
                flag general;
                flag normal;
                flag state;
                flag parse;
                flag vlan;
            }
        }
    }

    Mar 31 10:55:54.160650 Received filter string "match destination-ip 155.246.21.0/24 action deny" from authentication server
    Mar 31 10:55:54.162233 filter parser: Invalid input. Unknown field m
    Mar 31 10:55:54.162265 filter parser: Invalid match/action field. Discarding input

     

    I will let you know how it goes.

     

    --Chris



  • 7.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 31, 2014 03:40 PM

    Hi Chris,

     

    For as much as I love JUNOS, it often can drive me crazy. Question for you: are you just looking to implement the downloadable ACLs? The only things that I have not gotten to work are:

     

    1. Captive Portal redirect to something other than their UAC platform.

    2. Downloading ACLs via the switching profile

     

    I've been able to get the following to work:

     

    1. 802.1x

    2. 802.1x + MAC auth fail through

    3. 802.1x fails > MAC auth fail > Captive Portal

    4. 802.1x fail > server fail VLAN

    5. 802.1x fail > guest VLAN

    6. MAC auth only using EAP-MD5 contained in a Clearpass static host list. The username and the password are both the MAC address.

    7. 802.1x with a VLAN ID being sent from Clearpass

    8. 802.1x with a dynamic firewall via the Filter-ID sent from Clearpass

    9. Authenticating the EX captive portal using EAP-MD5 and local users in Clearpass

     

    Let me know if you're also having trouble with any of the stuff that I have working and I'll post a solution to that as well.

     

    -Mike



  • 8.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Mar 31, 2014 07:49 PM

    Mike,

    It seems like we are on parallel paths.

    I have dot1x with dynamic VLAN and Filter-Id working.

    I have not started the MAC auth yet. So please share.

    Then I want to get captive portal working with the portal on the ClearPass server, not a switch-based portal.

     

    chose at Stevens Institute of Technology



  • 9.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Apr 01, 2014 01:53 PM

    Hi Chris,

     

    Here are some JUNOS code examples for MAC auth:

     

    ge-0/0/9.0 {
       supplicant multiple;
       transmit-period 5;
       mac-radius;
       reauthentication 600;
       server-timeout 3;
       maximum-requests 3;
    }

     

    The above example will allow MAC authentication as a fallback in case 802.1x fails. Here's a slightly modified example:

     

    ge-0/0/9.0 {
       supplicant multiple;
       transmit-period 5;
       mac-radius {
          restrict;
       }
       reauthentication 600;
       server-timeout 3;
       maximum-requests 3;
    }

     

    This example will ONLY perform MAC authentication on this port.

     

    The thing that you need to do in Clearpass to get MAC authentication working is to either:

     

    i. Put the MAC address into a static host list

    ii. Create a local user with the username and password of the MAC Address. 

     

    I don't believe that JUNOS has a way to redirect users to Clearpass. Here's how you'd direct a switch to their UAC appliance:

     

    services {
       unified-access-control {
          infranet-controller Clearpass {
             address 10.10.102.253;
             interface ge-0/0/1;
             password "$9$8XCXxdwYoDHmWLxdbwg4QF39uO"; ## SECRET-DATA
          }
       }
    }

     

    I've tried setting this up using Clearpass as the destination UAC and I haven't got it to work. I should grab a packet capture on Clearpass when it tries to do the above to see if there's a way I can format the address field. That will probably require a change from Juniper to redirect to a standard Captive Portal engine or for Clearpass to come up with a custom script that rewrites this communication into something Guest understands.

     

    -Mike

     

     



  • 10.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Apr 02, 2014 12:34 AM

    Hi Chris,

     

    I gave it another poke tonight and still no luck. I'll try getting back to this in the next week or so. Definitely let me know if the Juniper SE points you in the right direction.

     

    Thanks!

     

    -Mike



  • 11.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Apr 14, 2014 02:39 PM

    With the help of Juniper I got one match statement to load.

    The upper/lower case was very, very important. The "M", "D" & "A" all had to be caps; the "d" in deny needed to be lower case.

    "Match Destination-ip 0.0.0.0/24 Action allow"

    Screen Shot 2014-04-14 at 2.35.18 PM.png

    The filter is not working for me at this point; it seems like I do not have any connectivity.

    Also, I have not been able to get multiple VSAs loaded yet.

     

    Stay tuned.

     

    Chris

     

     



  • 12.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Apr 14, 2014 03:39 PM

    Hi Chris,

     

    I actually opened a JTAC case on this issue yesterday. I'll let you know when I get something to work, as well.


    -Mike



  • 13.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Apr 18, 2014 08:17 PM

    Hi Chris,


    You mentioned that you were able to get it to work. Do you have a screen capture of that? I tried the following:

     

    Radius:Juniper - Juniper-Switching-Filter - "Match Destination-ip 8.8.8.8/32 Action deny"

     

    without any luck. I just uploaded a set of traceoptions to JTAC for their analysis on the above and for some hopeful guidance. I'll let you know if / when I hear anything.

     

    Thanks!

     

    -Mike

     



  • 14.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Apr 24, 2014 10:28 PM

    Hi Chris,

     

    I think this is going to be a longer term issue with Juniper. I think this is something that will be addressed in a future release. I'll update this post when / if I hear back. I wouldn't hold your breath at this point.

     

    Sorry, I'm sure you were hoping for better news.

     

    -Mike



  • 15.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    EMPLOYEE
    Posted Jun 25, 2014 09:51 AM

    Curious...is there an update to this?



  • 16.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Jun 25, 2014 11:00 AM

    Hi Seth,

     

    Juniper is working to address this issue in a software release. I haven't heard an ETA for it. My guess is the new partnership with Aruba should help to integrate their EX line with Clearpass. I'll reach back out to them to see if I can find out some new information.

     

    -Mike



  • 17.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Sep 14, 2014 09:03 AM

    Hello boston1630,

     

    Can you please share with us the configuration you used to get 802.1x with a dynamic firewall via the Filter-ID sent from Clearpass?

     

     

    Thanks



  • 18.  RE: has anyone ever gotten the RADIUS attribute Juniper-Switching-Filter to work?

    Posted Sep 15, 2014 08:57 AM

    Hi Raj07,

     

    I opened a JTAC case on this issue and there hasn't been any movement on it. Sorry, I don't think this is possible at this point.

     

    -Mike