Reset Search



KB44307 - Caveats of server-reject VLAN setting on QFX/EX Series Switches for EAP-TTLS Authentication between PPS and Pulse Secure Clients

« Go Back


Last Modified Date11/14/2019 6:43 PM

Configuring Fallback Options on QFX/EX Series Switches for EAP-TTLS Authentication between PPS and Pulse Secure Clients

The JUNOS server-reject VLAN setting on the switch is used to prevent accidental lockout for users who have entered incorrect login credentials. These users can be given limited LAN access.

Problem or Goal
Issue is that Pulse Client is trying to re-authenticate about every 5 seconds when in the server-fail VLAN. This does not happen when the customer connects using native supplicant.
The fallback configuration is complicated by the fact that the Pulse Secure Client and PPS server are using EAP-TTLS. EAP-TTLS creates a secure encrypted tunnel between the server and the end device to complete the authentication process. When the user enters incorrect login credentials, the RADIUS server sends EAP failure messages directly to the client through this tunnel. The EAP failure message causes the client to restart the authentication procedure, so that the switch’s 802.1X authentication process tears down the session that was established with the switch using the server-reject VLAN. You can enable the remedial connection to continue by configuring the following on the EX/QFX switch:

Enable the following setting on your EX/QFX switch.
  • eapol-block—Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject VLAN. The block timer causes the authentication port access entity to ignore EAP start messages from the client, attempting to restart the authentication procedure.  NOTE:  The EAPoL block timer is triggered only after the configured number of allowed reattempts (using the retries option) on the 802.1X interface have been exhausted. You can configure retries to specify the number of times the switch attempts to authenticate the port after an initial failure. The default is three retries.

  • block-interval—Configure the amount of time that you want the EAPoL block timer to continue to ignore EAP start messages. If you do not configure the block interval, the EAPoL block timer defaults to 120 seconds.

When the 802.1X interface ignores the EAP start messages from the client, the switch allows the existing remedial session that was established through the server-reject VLAN to remain open.

These configuration options apply to single, single-secure, and multiple supplicant authentication modes. In this example, the 802.1X interface is configured in single supplicant mode.

Related Links
Attachment 1 
Created ByMike Condon



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255