Juniper RADIUS-delivered switching filters

I’ve been experimenting with getting RADIUS to deploy switching filters to Juniper switches recently, as part of a reference architecture demo.  The concept is called REACH2020 and combines network virtualisation with the ability to identify network users and devices so that categories of user can be put into different virtual networks.   This leaves the firewall that connects the virtual networks together as a convenient single point of control.

Anyway, back to the matter in hand.  It turns out there’s a limit to the length of switching filter you can send a Juniper EX.

In this case, I am using Aruba Clearpass 6.6 to send some RADIUS attributes to a Juniper EX4300 switch using Junos 17.4.     What I need to do is send a web portal address that a connecting client will be redirected to, and a switching filter so that they can’t go anywhere other than the portal. The switching filter is required as far as I can tell – if you just send the portal address, Junos ignores the RADIUS attribute.

An alternative way of achieving this is to configure your centralised web authentication (CWA) web portal on every edge switch, but since RADIUS has to talk to the edge switches anyway, sending it in RADIUS attributes seemed more scalable.

Here is what works:

 

In line 5 I am sending a VLAN ID of 41 – this is my quarantine VLAN.  In line 6, I am sending the address of the onboarding portal that users need to go to in order to access the network.

In line 7, I am sending a switching filter to the edge port that does the following:

• Permits traffic to the portal so the client can authenticate
• Permits traffic to the DHCP server so the client can get an address
• Permits traffic to the DNS server so the client can look up the DNS address
• Allows broadcast packets for the purposes of DHCP (I’ve since found that this is not actually required)
• Permits UDP (thought I needed this for DHCP, but also not required)

If I amend this filter to add one more ‘Match Destination-ip x.x.x.x’ address to what is shown above, the filter no longer works.  I can see the RADIUS attributes being sent by Clearpass, but they are not implemented in the EX switch.

Removing the two things above that were not needed gave me the headroom to add the extra filter item.