Juniper EX setup guide
JunOS 21.x+
Applies to: Juniper EX 2300/3400/4300 on JunOS 21.x+. Configuration is committed in JunOS-set or hierarchical syntax; set-form shown here for copy-paste friendliness.
Wired — RADIUS server, 802.1X and MAB
Access profile, RADIUS servers, authentication-profile, and per-port dot1x + MAC-radius.
set access radius-server 10.10.10.10 secret ARBITER_PSK
set access radius-server 10.10.10.10 timeout 2
set access radius-server 10.10.10.10 retry 1
set access radius-server 10.10.10.11 secret ARBITER_PSK
set access radius-server 10.10.10.11 timeout 2
set access radius-server 10.10.10.11 retry 1
set access profile ARBITER authentication-order radius
set access profile ARBITER radius authentication-server 10.10.10.10
set access profile ARBITER radius authentication-server 10.10.10.11
set access profile ARBITER radius accounting-server 10.10.10.10
set access profile ARBITER radius accounting-server 10.10.10.11
set protocols dot1x authenticator authentication-profile-name ARBITER
# JunOS does not accept an inline port span such as ge-0/0/0-47; define an
# interface-range and reference it by name under dot1x
set interfaces interface-range ACCESS-PORTS member-range ge-0/0/0 to ge-0/0/47
set protocols dot1x authenticator interface ACCESS-PORTS supplicant multiple
set protocols dot1x authenticator interface ACCESS-PORTS mac-radius
set protocols dot1x authenticator interface ACCESS-PORTS mac-radius restrict
# DHCP snooping on ELS switches (EX2300/3400/4300) lives under the VLAN, not
# under system services; replace <access-vlan-name> with the access VLAN
set vlans <access-vlan-name> forwarding-options dhcp-security
# CoA/Disconnect listener is a leaf of the access radius-server, not system
set access radius-server 10.10.10.10 dynamic-request-port 3799
Wireless — 802.1X SSID
Juniper Mist (the wireless line) is cloud-managed. RADIUS configuration is in the Mist dashboard under Organization -> WLAN Templates -> RADIUS Authentication. Field-for-field equivalent to the wired settings: two server entries, shared secret, 1812/1813, CoA enabled.
Mist dashboard:
Organization -> WLAN templates -> RADIUS authentication
Server 1: 10.10.10.10 Port: 1812 Secret: ARBITER_PSK
Server 2: 10.10.10.11 Port: 1812 Secret: ARBITER_PSK
RADIUS accounting: enabled (1813)
CoA/Disconnect message: enabled (3799)
Guest SSID — open with captive portal redirect
Open SSID with MAC authentication and a Mist or RADIUS-supplied redirect URL. On EX, guest-vlan + captive-portal package on the SVI handles the redirect.
set services captive-portal interface ge-0/0/0.0
set services captive-portal default-policy redirect-url https://acme-7f3-guest.arbiter.ie/
set protocols dot1x authenticator interface ge-0/0/0.0 server-fail vlan-name GUEST-HOLDING
DHCP relay to Edge
Configured under JunOS forwarding-options dhcp-relay: a server-group naming the relay targets, bound to the access VLAN's routed interface.
set forwarding-options dhcp-relay server-group ARBITER 10.0.0.5
set forwarding-options dhcp-relay server-group ARBITER 10.10.10.10
set forwarding-options dhcp-relay server-group ARBITER 10.10.10.11
set forwarding-options dhcp-relay group ACCESS active-server-group ARBITER
# On ELS switches (EX2300/3400/4300) the routed VLAN interface is irb.<vlan-id>, not vlan.<vlan-id>
set forwarding-options dhcp-relay group ACCESS interface irb.10
AAA dead-server detection
Optional but recommended. JunOS retry / timeout is per-server. Configure so each server is declared dead after roughly 30 seconds across four attempts, then held dead for 3 minutes before retrying. Combined with the access-profile server order, failover lands inside the supplicant's normal retry window.
# 1. ~30s across 4 attempts before declaring the server dead
#    (these replace the timeout 2 / retry 1 values from the wired section;
#    JunOS set syntax takes one leaf per line)
set access radius-server 10.10.10.10 timeout 8
set access radius-server 10.10.10.10 retry 4
set access radius-server 10.10.10.11 timeout 8
set access radius-server 10.10.10.11 retry 4
# 2. Hold the dead flag for 3 minutes (180s) before retrying. There is no
#    per-server dead-time leaf in JunOS; the hold is revert-interval, in
#    seconds, under the access profile's radius-options
set access profile ARBITER radius-options revert-interval 180
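The wired RADIUS block and the dead-server timings above are easy to get subtly wrong: a server referenced by the access profile but never defined, a secret mistyped on one of the two entries, a server left without dynamic-request-port (so its CoA and Disconnect messages are silently dropped), or a timeout/retry pair that does not land near the 30-second target. The following Python lint is an added example, not part of this guide or of any Juniper tooling. It parses the guide's set-form lines and reports those inconsistencies. The sample config is constructed and deliberately carries two defects; the fallback values of timeout 3 and retry 3 for an absent leaf, and the 30-second target with a 5-second tolerance, are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in this guide's set-form, with the dead-server overrides
# applied and two deliberate defects: an accounting server that is never
# defined, and a server without a dynamic-request-port (so CoA from it is dropped).
SAMPLE_CONFIG = """
set access radius-server 10.10.10.10 secret ARBITER_PSK
set access radius-server 10.10.10.10 timeout 8
set access radius-server 10.10.10.10 retry 4
set access radius-server 10.10.10.10 dynamic-request-port 3799
set access radius-server 10.10.10.11 secret ARBITER_PSK
set access radius-server 10.10.10.11 timeout 8
set access radius-server 10.10.10.11 retry 4
set access profile ARBITER authentication-order radius
set access profile ARBITER radius authentication-server 10.10.10.10
set access profile ARBITER radius authentication-server 10.10.10.11
set access profile ARBITER radius accounting-server 10.10.10.10
set access profile ARBITER radius accounting-server 10.10.10.12
set protocols dot1x authenticator authentication-profile-name ARBITER
"""

SERVER_RE = re.compile(
    r"^set access radius-server (\S+) (secret|timeout|retry|dynamic-request-port) (\S+)$")
PROFILE_RE = re.compile(
    r"^set access profile (\S+) radius (authentication-server|accounting-server) (\S+)$")
DOT1X_RE = re.compile(r"^set protocols dot1x authenticator authentication-profile-name (\S+)$")


def parse(config):
    """Collect per-server leaves, per-profile server lists and the dot1x profile name."""
    servers = defaultdict(dict)
    profiles = defaultdict(lambda: {"authentication-server": [], "accounting-server": []})
    dot1x_profile = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SERVER_RE.match(line):
            servers[m[1]][m[2]] = m[3]
        elif m := PROFILE_RE.match(line):
            profiles[m[1]][m[2]].append(m[3])
        elif m := DOT1X_RE.match(line):
            dot1x_profile = m[1]
    return servers, profiles, dot1x_profile


def lint(config, target_dead_seconds=30, tolerance=5):
    """Return a list of findings; an empty list means the config is internally consistent."""
    servers, profiles, dot1x_profile = parse(config)
    findings = []
    if dot1x_profile is None:
        findings.append("dot1x: no authentication-profile-name configured")
    elif dot1x_profile not in profiles:
        findings.append(f"dot1x: profile {dot1x_profile} has no access profile definition")
    for name, prof in profiles.items():
        for role, ips in prof.items():
            for ip in ips:
                if ip not in servers:
                    findings.append(f"profile {name}: {role} {ip} has no access radius-server entry")
    secrets = {s["secret"] for s in servers.values() if "secret" in s}
    if len(secrets) > 1:
        findings.append("radius-server: servers do not share one secret (typo?)")
    for ip, s in servers.items():
        if "secret" not in s:
            findings.append(f"radius-server {ip}: no secret configured")
        if "dynamic-request-port" not in s:
            findings.append(f"radius-server {ip}: no dynamic-request-port, CoA/Disconnect from it is ignored")
        # Assumed fallback of timeout 3 and retry 3 when a leaf is absent (this example's assumption).
        dead_after = int(s.get("timeout", 3)) * int(s.get("retry", 3))
        if abs(dead_after - target_dead_seconds) > tolerance:
            findings.append(f"radius-server {ip}: declared dead after {dead_after}s, target ~{target_dead_seconds}s")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show configuration | display set` dump filtered to the access and dot1x hierarchies; on the constructed sample it reports the undefined accounting server 10.10.10.12 and the missing dynamic-request-port on 10.10.10.11, and nothing once both are corrected.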
CoA listener
Enabled per server by dynamic-request-port under access radius-server. The switch then accepts CoA and Disconnect-Request messages on UDP 3799 only from those servers, authenticated with the same shared secret.
set access radius-server 10.10.10.10 dynamic-request-port 3799
set access radius-server 10.10.10.11 dynamic-request-port 3799
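What the listener on 3799 actually checks is the RFC 5176 Request Authenticator: an MD5 over the packet with the authenticator field zeroed plus the shared secret, so a request from a host that does not hold ARBITER_PSK fails verification and is dropped. The Python below is an added example, not code from this guide or from Juniper, that builds a Disconnect-Request, verifies it the way a listener must, and produces and verifies the ACK. It implements the Request and Response Authenticators only; the optional Message-Authenticator attribute is not included. Session identifiers and the client MAC are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used to name the session being acted on
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs (type, length, value)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_request(code, ident, secret, attrs):
    """Build a CoA-Request or Disconnect-Request. Per RFC 5176 section 2.3 the
    Request Authenticator is MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Listener-side check (what the switch on UDP 3799 does before acting): reject
    anything that is not a CoA/Disconnect request, whose length field lies, or whose
    Request Authenticator does not verify under the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, secret, attrs=()):
    """ACK/NAK: Response Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """Sender-side check: the ACK/NAK must echo the identifier and authenticate against
    the Request Authenticator of the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"ARBITER_PSK"):
    """Constructed round trip: a Disconnect-Request naming a session, then the ACK."""
    request = build_request(DISCONNECT_REQUEST, 7, secret, [
        (ATTR_ACCT_SESSION_ID, b"8A2F0001"),              # constructed session id
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),  # constructed client MAC
    ])
    if not verify_request(request, secret):
        return False
    ack = build_response(request, DISCONNECT_ACK, secret)
    return verify_response(ack, request, secret)


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The constant-time compare matters on the listener side, and the length check is what stops a truncated or padded packet from being hashed as if it were well-formed; both are cheap and both are what you want a 3799 listener to do before it tears down a session.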