The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation | iv
Documentation and Release Notes | iv
Documentation Conventions | iv
Documentation Feedback | vii
Requesting Technical Support | vii
Self-Help Online Tools and Resources | viii
Creating a Service Request with JTAC | viii
How to Configure Cisco ISE and Juniper EX Switches for 802.1X-Based
Authentication
Configure Cisco ISE and Juniper EX Switches for 802.1X-Based Authentication | 10
About This Network Configuration Example | 10
Overview | 10
Topology | 11
Step-by-Step Procedure | 12
Import the Juniper Wired Device Profile | 12
Add EX Switches to the Juniper Device Profile | 13
Create Authorization Profiles | 14
Create Endpoint Identity Groups | 18
Add Endpoints | 19
Create User Identity Groups | 20
Add Users | 21
Set Authentication Policies | 25
Set Authorization Policies | 27
Configure a Cisco ISE Policy to Enable Guest Access | 29
Configure a Colorless Port Using IETF Egress-VLAN-ID Attributes | 34
Configure the 802.1X Protocol on the EX Switch | 41
Configure Windows 10 | 42
Testing and Validation | 47
Verify IP Phone Authentication Status | 48
Verify Connections to Windows 10 Clients | 50
About the Documentation
IN THIS SECTION
Documentation and Release Notes | iv
Documentation Conventions | iv
Documentation Feedback | vii
Requesting Technical Support | vii
This Network Configuration Example (NCE) shows you how to configure Cisco Identity Services Engine
2.X (Cisco ISE) and Juniper EX switches for IEEE 802.1X-based authentication. Cisco ISE allows you to
import network device profiles in XML format, enabling integration with any IEEE 802.1X standard network
device. This example shows you how to import the Juniper network device profile.
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page v defines notice icons used in this guide.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page v defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Example (for both conventions):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
  • Click the thumbs-up icon if the information on the page was helpful to you.
  • Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
Configure Cisco ISE and Juniper EX Switches for 802.1X-Based Authentication
IN THIS SECTION
About This Network Configuration Example | 10
Overview | 10
Topology | 11
Step-by-Step Procedure | 12
Testing and Validation | 47
About This Network Configuration Example
This network configuration example (NCE) shows you how to configure Cisco Identity Services Engine 2.X
(Cisco ISE) and Juniper EX switches for IEEE 802.1X-based authentication.
NOTE: Juniper’s content testing team has validated and updated this example.
Overview
Cisco ISE 2.X comes with many pre-imported network device profiles, but it doesn’t come with one for
Juniper. A network device profile specifies how ISE handles MAC RADIUS authentication, dot1x authentication,
VLAN and ACL assignment, and CoA (Change of Authorization) features for that vendor’s devices.
Cisco ISE allows you to import network device profiles in XML format, enabling integration with any IEEE
802.1X standard network device. This example shows you how to import the Juniper network device
profile, and configure settings to allow IEEE 802.1X-based authentication with Cisco ISE and Juniper EX
switches.
Topology
In this example, we use the following network topology:
Here are more details about the hardware and software components used in this example:

Device: Juniper EX2300-C-12P
  Role: Switch and Authenticator
  Software Version: Junos 18.2R1-S1
Device: Cisco ISE
  Role: RADIUS Server
  Software Version: 2.4.0.357 Patch2-18080100
Device: Polycom VVX 310 IP Phone
  Role: Supplicant (MAC RADIUS)
  Software Version: SIP/5.5.1.11526/22-Nov-16 15:05
Device: Windows 10 Professional
  Role: Supplicant (Dot1x)
  Software Version: All recommended patches as of 2018-08-22
Device: Network Printer
  Role: Supplicant (MAC RADIUS)
  Software Version: N/A
Device: Juniper Mist AP43
  Role: Supplicant (MAC RADIUS)
  Software Version: 0.6.18981
All users and endpoints are stored in the internal Cisco ISE database.
For external user database integration such as Microsoft Active Directory, LDAP and Certificate Based
Authentication, refer to the Cisco Identity Services Engine Administrator Guide, Release 2.4.
Step-by-Step Procedure
1. Import the Juniper Wired Device Profile | 12
2. Add EX Switches to the Juniper Device Profile | 13
3. Create Authorization Profiles | 14
4. Create Endpoint Identity Groups | 18
5. Add Endpoints | 19
6. Create User Identity Groups | 20
7. Add Users | 21
8. Set Authentication Policies | 25
9. Set Authorization Policies | 27
10. Configure a Cisco ISE Policy to Enable Guest Access | 29
11. Configure a Colorless Port Using IETF Egress-VLAN-ID Attributes | 34
12. Configure the 802.1X Protocol on the EX Switch | 41
13. Configure Windows 10 | 42
Import the Juniper Wired Device Profile
Assuming you’ve got Cisco ISE up and running on your network, the first thing you’ll need to do is add a
Juniper EX switch device profile.
1. Download the latest Juniper EX Switch Device Profile for Cisco ISE (validated with Cisco ISE 2.7).
2. In Cisco ISE, choose Administration > Network Resources > Network Device Profiles.
3. Click Import and select the Juniper EX switch device profile you downloaded in step 1. Once you import
the Juniper network device profile, it will be listed in the Cisco ISE Network Device Profiles list as
Juniper_Wired.
Add EX Switches to the Juniper Device Profile
You can add your EX switches individually, or as an IP address range.
2. In the Network Device screen, select the Juniper_Wired device profile.
3. Give a name and IP address for your EX switch. If you are adding multiple EX switches, you can specify
an IP address range.
4. Specify a RADIUS password. You’ll need this later when configuring the EX switches.
Create Authorization Profiles
Authorization profiles allow you to apply different attributes to users or endpoints. You can change the
VLAN by name or by VLAN ID. You can also assign a firewall filter that you have already configured on
the switch. In this example, we create four authorization profiles:
• Juniper_VoIP_VLAN_500
• Juniper_VoIP_VLAN_100
• Juniper_VoIP_VLAN_100_ACL
• Juniper_VoIP_VLAN_100_dACL
The first profile sets the VoIP VLAN to 500 using the Juniper-VoIP-VLAN attribute.
1. In Cisco ISE, choose Policy > Results, then from the left pane, choose Authorization > Authorization Profiles.
2. Name the profile Juniper_VoIP_VLAN_500.
3. Set the VLAN ID/Name to 500.
4. Click Add.
The second authorization profile sets the Data VLAN to 100 using the standard RADIUS attribute for
VLAN ID.
1. In Cisco ISE, choose Policy > Results, then from the left pane, choose Authorization > Authorization Profiles.
2. Name the profile Juniper_VoIP_VLAN_100.
3. Set the VLAN ID/Name to 100.
4. Click Add.
The third profile sets the Data VLAN to 100 and applies a local firewall filter/ACL to the supplicant. This
firewall filter/ACL must already be configured on the switch; the profile only references it by name. The
firewall filter/ACL is applied using the standard Filter-ID RADIUS attribute. Enter the name of the local
filter configured on the switch.
1. In Cisco ISE, choose Policy > Results, then from the left pane, choose Authorization > Authorization Profiles.
2. Name the profile Juniper_VoIP_VLAN_100_ACL.
3. Under Common Tasks, set ACL (Filter-ID) to deny-all.
4. Set the VLAN ID/Name to 100.
5. Click Add.
The fourth authorization profile sets the Data VLAN to 100 and applies a dynamic/downloadable firewall
filter/ACL to the supplicant. This firewall filter/ACL is created dynamically, so you don’t need to configure
it locally on the switch. This authorization profile uses the Juniper-Switching-Filter attribute.
NOTE: The syntax and feature sets differ from regular Junos firewall filters/ACLs. Multiple
entries are separated by commas. See Juniper-Switching-Filter VSA Match Conditions and Actions
for information about the syntax.
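To make the four authorization profiles concrete, the following added example (not part of this NCE, and not Cisco or Juniper code) builds the RADIUS attributes each profile places in the Access-Accept and decodes them the way the EX switch sees them, so a packet capture can be checked against what ISE was configured to send. Standard attribute numbers come from RFC 2865/2868/3580 and Juniper's vendor ID is 2636; the Juniper VSA numbers (48 for Juniper-Switching-Filter, 49 for Juniper-VoIP-VLAN) are assumed from the FreeRADIUS Juniper dictionary and the dACL filter text is a constructed placeholder, so verify both against your RADIUS dictionary and the Juniper-Switching-Filter VSA documentation referenced above.

```python
import struct
# Attribute numbers from RFC 2865/2868/3580 and Juniper's vendor ID 2636 are standard; the two
# Juniper VSA numbers are ASSUMED from the FreeRADIUS Juniper dictionary, so verify them locally.
VENDOR_SPECIFIC, FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 26, 11, 64, 65, 81
JUNIPER_VENDOR_ID, JUNIPER_SWITCHING_FILTER, JUNIPER_VOIP_VLAN = 2636, 48, 49   # 48/49 assumed
NAMES = {FILTER_ID: "Filter-Id", TUNNEL_TYPE: "Tunnel-Type",
         TUNNEL_MEDIUM: "Tunnel-Medium-Type", TUNNEL_PRIV_GROUP: "Tunnel-Private-Group-Id"}
JUNIPER_NAMES = {JUNIPER_SWITCHING_FILTER: "Juniper-Switching-Filter", JUNIPER_VOIP_VLAN: "Juniper-VoIP-VLAN"}

def avp(attr_type, value):
    """One RADIUS attribute: type (1 byte), length (1 byte, header included), value."""
    return bytes([attr_type, 2 + len(value)]) + value

def juniper_vsa(vendor_type, text):
    """Vendor-Specific (26) carrying vendor-id, vendor-type, vendor-length and a string."""
    return avp(VENDOR_SPECIFIC, struct.pack(">I", JUNIPER_VENDOR_ID)
               + bytes([vendor_type, 2 + len(text)]) + text.encode())

def tagged(value, tag=1):
    """RFC 2868 tagged value: 1-byte tag, then a 3-byte integer or a string."""
    return bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int) else value.encode())

def data_vlan(vlan_id):
    """Standard VLAN assignment: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), group ID."""
    return (avp(TUNNEL_TYPE, tagged(13)) + avp(TUNNEL_MEDIUM, tagged(6))
            + avp(TUNNEL_PRIV_GROUP, tagged(str(vlan_id))))

# The attributes each of the four authorization profiles places in the Access-Accept.
# The dACL text is a constructed placeholder, not real Juniper-Switching-Filter syntax.
PROFILES = {
    "Juniper_VoIP_VLAN_500": juniper_vsa(JUNIPER_VOIP_VLAN, "500"),
    "Juniper_VoIP_VLAN_100": data_vlan(100),
    "Juniper_VoIP_VLAN_100_ACL": data_vlan(100) + avp(FILTER_ID, b"deny-all"),  # filter must exist on the switch
    "Juniper_VoIP_VLAN_100_dACL": data_vlan(100)
    + juniper_vsa(JUNIPER_SWITCHING_FILTER, "<term-1>,<term-2>"),               # pushed by ISE, nothing local
}

def decode(payload):
    """Walk the attribute bytes and return (name, value) pairs as the EX switch would see them."""
    out, i = [], 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        v = payload[i + 2:i + length]
        if t == VENDOR_SPECIFIC and struct.unpack(">I", v[:4])[0] == JUNIPER_VENDOR_ID:
            out.append((JUNIPER_NAMES.get(v[4], f"Juniper-VSA-{v[4]}"), v[6:4 + v[5]].decode()))
        elif t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP):   # drop the RFC 2868 tag byte
            out.append((NAMES[t], v[1:].decode() if t == TUNNEL_PRIV_GROUP else int.from_bytes(v[1:], "big")))
        else:
            out.append((NAMES.get(t, f"Attr-{t}"), v.decode()))
        i += length
    return out
```

Running `decode(PROFILES[name])` for each profile shows the practical difference between the third and fourth profiles: Filter-Id only names a filter the switch must already have, while Juniper-Switching-Filter carries the filter text itself.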
Create Endpoint Identity Groups
Endpoints, such as IP Phones, can be grouped together in endpoint identity groups to make it easier to
apply common attributes, for example, VoIP VLAN.