Network device onboarding

Juniper EX

JunOS 21.x+

Applies to: Juniper EX 2300/3400/4300 on JunOS 21.x+. Configuration is committed in JunOS-set or hierarchical syntax; set-form shown here for copy-paste friendliness.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

Access profile, RADIUS servers, authentication-profile, and per-port dot1x + MAC-radius.

set access radius-server 10.10.10.10 secret ARBITER_PSK
set access radius-server 10.10.10.10 timeout 2
set access radius-server 10.10.10.10 retry 1
set access radius-server 10.10.10.11 secret ARBITER_PSK
set access radius-server 10.10.10.11 timeout 2
set access radius-server 10.10.10.11 retry 1

set access profile ARBITER authentication-order radius
set access profile ARBITER radius authentication-server 10.10.10.10
set access profile ARBITER radius authentication-server 10.10.10.11
set access profile ARBITER radius accounting-server 10.10.10.10
set access profile ARBITER radius accounting-server 10.10.10.11

set protocols dot1x authenticator authentication-profile-name ARBITER
set protocols dot1x authenticator interface ge-0/0/0-47 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/0-47 mac-radius
set protocols dot1x authenticator interface ge-0/0/0-47 mac-radius restrict

set system services dhcp-security
set system radius-server 10.10.10.10 dynamic-request-port 3799

Wireless: 802.1X SSID

Juniper Mist (the wireless line) is cloud-managed. RADIUS configuration is in the Mist dashboard under Organization -> WLAN Templates -> RADIUS Authentication. The fields map one-to-one to the wired settings: two server entries, shared secret, ports 1812/1813, CoA enabled.

Mist dashboard:
  Organization -> WLAN templates -> RADIUS authentication

Server 1: 10.10.10.10  Port: 1812  Secret: ARBITER_PSK
Server 2: 10.10.10.11  Port: 1812  Secret: ARBITER_PSK
RADIUS accounting:        enabled (1813)
CoA/Disconnect message:   enabled (3799)

Guest SSID: open with captive portal redirect

Open SSID with MAC authentication and a Mist or RADIUS-supplied redirect URL. On EX, guest-vlan + captive-portal package on the SVI handles the redirect.

set services captive-portal interface ge-0/0/0.0
set services captive-portal default-policy redirect-url https://acme-7f3-guest.arbiter.ie/
set protocols dot1x authenticator interface ge-0/0/0 server-fail vlan-name GUEST-HOLDING

DHCP relay to Edge

JunOS forwarding-options.

set forwarding-options dhcp-relay server-group ARBITER 10.0.0.5
set forwarding-options dhcp-relay server-group ARBITER 10.10.10.10
set forwarding-options dhcp-relay server-group ARBITER 10.10.10.11
set forwarding-options dhcp-relay group ACCESS active-server-group ARBITER
set forwarding-options dhcp-relay group ACCESS interface vlan.10

AAA dead-server detection

Optional but recommended. JunOS retry / timeout is per-server. The servers are local Edge appliances on your LAN, so keep it tight: each server is declared dead after roughly 5 seconds across a couple of attempts, then held dead briefly before retrying. Combined with the access-profile server order, failover lands inside the supplicant's normal retry window.

# 1. ~5s across a couple of attempts before declaring the server dead
set access radius-server 10.10.10.10 timeout 2 retry 2
set access radius-server 10.10.10.11 timeout 2 retry 2

# 2. Hold the dead flag for 1 minute before retrying
set access radius-server 10.10.10.10 dead-time 1
set access radius-server 10.10.10.11 dead-time 1

CoA listener

Enabled by the dynamic-request-port and a configured RADIUS dynamic-request server entry.

set system radius-server 10.10.10.10 dynamic-request-port 3799
set system radius-server 10.10.10.11 dynamic-request-port 3799
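
The following is an added example, not Arbiter's or Juniper's own tooling: a Python lint that reads set-form lines before commit and reports where the two Edge appliances are not configured symmetrically (secret, timeout, retry, authentication, accounting, CoA port). The function name audit and the role labels are assumptions of this example; on the wired block from this page it reports that only 10.10.10.10 has a dynamic-request-port until the CoA listener lines above are added.

```python
import re

# Constructed sample: the wired set-form lines from this page, pasted as text.
SAMPLE = """\
set access radius-server 10.10.10.10 secret ARBITER_PSK
set access radius-server 10.10.10.10 timeout 2
set access radius-server 10.10.10.10 retry 1
set access radius-server 10.10.10.11 secret ARBITER_PSK
set access radius-server 10.10.10.11 timeout 2
set access radius-server 10.10.10.11 retry 1
set access profile ARBITER radius authentication-server 10.10.10.10
set access profile ARBITER radius authentication-server 10.10.10.11
set access profile ARBITER radius accounting-server 10.10.10.10
set access profile ARBITER radius accounting-server 10.10.10.11
set system radius-server 10.10.10.10 dynamic-request-port 3799
"""
EDGE = ["10.10.10.10", "10.10.10.11"]  # the two Edge appliances

IP = r"(?P<ip>\d+(?:\.\d+){3})"
# Role label (hypothetical names) -> pattern for the set line that grants it.
ROLES = {
    "secret":  rf"set access radius-server {IP} .*\bsecret (?P<val>\S+)",
    "timeout": rf"set access radius-server {IP} .*\btimeout (?P<val>\d+)",
    "retry":   rf"set access radius-server {IP} .*\bretry (?P<val>\d+)",
    "auth":    rf"set access profile (?P<val>\S+) radius authentication-server {IP}$",
    "acct":    rf"set access profile (?P<val>\S+) radius accounting-server {IP}$",
    "coa":     rf"set system radius-server {IP} dynamic-request-port (?P<val>\d+)",
}

def audit(config, servers):
    """Return findings where the servers are not configured symmetrically."""
    state = {s: {} for s in servers}
    for line in config.splitlines():
        for role, pattern in ROLES.items():
            m = re.match(pattern, line.strip())
            if m and m["ip"] in state:
                state[m["ip"]][role] = m["val"]  # a later set line overrides
    findings = []
    for role in ROLES:
        values = [state[s].get(role) for s in servers]
        findings += [f"{s}: missing {role}" for s, v in zip(servers, values) if v is None]
        if len({v for v in values if v is not None}) > 1:
            # Report the role only; never echo a shared secret into lint output.
            findings.append(f"{role}: value differs between servers")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, EDGE):
        print(finding)
```

Lines the patterns do not recognise (dot1x, DHCP relay, dead-time) are ignored, so the full device configuration can be passed in unchanged.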

Notes

  • 'mac-radius restrict' means the port only accepts the MAB MAC after RADIUS has authorised it; supplicant 802.1X traffic still flows first.
  • Mist (Juniper wireless) is configured entirely in the cloud dashboard and shares nothing structurally with EX CLI.

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.
