Guest redirection using a non Cisco Switch

dgaikwad
Level 5

Hi Experts,

We are using third-party NADs (Juniper 4200EX) in our environment and want to work with wired guest redirection on these NADs.

Using the third party NAD profile provided by the community, I am able to get the following use cases working:

  1. dot1x
  2. posture
  3. VLAN change and assignment
  4. dACL assignment

I see that it's not supported with the Juniper switch NAD profile and asking to configure authentication VLAN for the same.

There are some queries with this configuration:

  • Only one NAD profile could be used per NAD, then is there a way to keep the dot1x and guest redirection separate?
  • Would I need to make this change for the other NADs as well, which are working fine on the third-party NAD profiles from here?

2 Accepted Solutions

Surendra
Cisco Employee

May I know what you meant when you said "I see that it's not supported with the Juniper switch NAD profile and asking to configure authentication VLAN for the same."?

It looks like Juniper does support redirect URLs, and you can combine them with a firewall filter to restrict access, just like Cisco switches use a redirect URL and redirect ACLs/dACLs.

Apparently you can use the JNPR_RSVD_FILTER_CWA filter, sent using the standard RADIUS Filter-ID attribute, to limit access, and use the Juniper-CWA-Redirect-URL VSA with its value set to the redirect URL.

More info here:
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/nce160-aruba-guest-access-technical-overview.html

I personally have never tried this and this is me just trying to help.

dgaikwad
Level 5

It turns out that Juniper does not support CWA on the 4200EX series of switches.

The tested switch from Cisco is the 3200 series.

The list is provided below in the document from Juniper: here

3 Replies

Jason Kunst
Cisco Employee
I would recommend working through the TAC as well. I am not sure of the issue exactly and need more detail. If the Juniper doesn’t support redirection you can look at the authentication VLAN feature.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html#concept_CDD87F6FE3A54351B27FF35316A23DA3

The 3300 was tested to work; other comparable platforms should then work.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html#thirdpartyaccessswitches

When I google "ise juniper guest" I find a lot of information; one that stood out is this one:
https://community.cisco.com/t5/identity-services-engine-ise/integrating-a-juniper-switch-with-ise-2-3/td-p/3685582
