MX64(W) and MX65(W) Security Appliances support port-based access policies using 802.1X. This feature can be leveraged for deployments where extra authentication is desired for devices that are connecting to the MX.
In the case of a teleworker device, these policies can be used to require authentication of devices before they are allowed to connect to a trusted VLAN that can access the corporate site-to-site VPN.
Access policies can also be used to provide an additional layer of security in remote sites where there is no staff to prevent users or employees from attempting to connect additional devices to the MX Security Appliance.
There are several different types of access policies that can be configured on an MX Security Appliance. It is important to understand the differences between these policies for appropriate configuration.
An open access policy does not require any authentication for a device connecting to the port.
The 802.1X access policy authenticates connecting devices against the configured RADIUS servers by requiring credentials from the device.
Configuring a port for the MAC authentication bypass access policy authenticates devices against the configured RADIUS servers, using the MAC address of the device connected to the port. This access policy does not challenge devices for credentials.
MAC authentication bypass is an ideal choice for ports that have connecting devices that do not support 802.1X-based authentication.
The Hybrid authentication access policy leverages both 802.1X and MAC authentication bypass. A port configured for hybrid authentication will attempt to use 802.1X to authenticate the connected device to the configured RADIUS servers, but will fail over to MAC authentication bypass if the connected device does not send any EAP traffic.
If attempts to authenticate a connected device using 802.1X and MAC authentication are unsuccessful, ports configured for hybrid authentication will continue to try to authenticate the device using both methods.
The device will be granted access if authentication is successful using either 802.1X or MAC authentication bypass.
MX access policies are configured from the Security Appliance > Addressing & VLANs page in Dashboard.
Begin by ensuring that VLANs are enabled in the Routing section of the Addressing & VLANs page.
This will reveal the Per-port VLAN configuration options, where we will configure our access policies.
To configure an access policy for a particular port, click on the port in the Per-port VLAN configuration table. Access policies can also be configured for multiple ports by selecting the desired ports using the check boxes and clicking the Edit button.
This will bring you to the Configure MX LAN ports menu. To configure the access policy:
Once the access policy has been configured for an MX LAN port, the Access policy column of the Per-port VLAN configuration table will update accordingly.
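The per-port settings described above can also be reviewed offline. The following is an added example, not Meraki's own code: it audits a constructed per-port export and flags enabled access ports on a trusted VLAN that are still open or that accept a MAC address without a credential challenge. The field names, the policy identifiers (`open`, `8021x-radius`, `mac-radius`, `hybris-radius`) and the trusted VLAN ID 10 are assumptions to check against your own export.

```python
import json

# Constructed sample, shaped like a per-port export for an MX network.
# Field names and policy identifiers are assumptions, not taken from this page.
SAMPLE_PORTS = json.loads("""
[
  {"number": 1, "enabled": true,  "type": "access", "vlan": 10, "accessPolicy": "8021x-radius"},
  {"number": 2, "enabled": true,  "type": "access", "vlan": 10, "accessPolicy": "open"},
  {"number": 3, "enabled": true,  "type": "access", "vlan": 10, "accessPolicy": "mac-radius"},
  {"number": 4, "enabled": true,  "type": "access", "vlan": 20, "accessPolicy": "open"},
  {"number": 5, "enabled": false, "type": "access", "vlan": 10, "accessPolicy": "open"},
  {"number": 6, "enabled": true,  "type": "trunk",  "vlan": 10},
  {"number": 7, "enabled": true,  "type": "access", "vlan": 10, "accessPolicy": "hybris-radius"}
]
""")

# Assumed policy identifier -> what the policy asks of the connecting device.
POLICIES = {
    "open": "none",                         # no authentication at all
    "8021x-radius": "credentials",          # 802.1X against RADIUS
    "mac-radius": "mac-only",               # MAC authentication bypass
    "hybris-radius": "credentials-or-mac",  # hybrid: 802.1X, then MAB
}

def audit_ports(ports, trusted_vlans):
    """Return (port number, severity, reason) for enabled access ports on trusted VLANs."""
    findings = []
    for port in ports:
        if not port.get("enabled") or port.get("type") != "access":
            continue  # disabled ports and trunks are out of scope for this check
        if port.get("vlan") not in trusted_vlans:
            continue
        policy = port.get("accessPolicy", "open")
        check = POLICIES.get(policy)
        if check is None:
            findings.append((port["number"], "review", f"unknown policy {policy!r}"))
        elif check == "none":
            findings.append((port["number"], "high", "trusted VLAN with open policy"))
        elif check != "credentials":
            findings.append((port["number"], "info",
                             f"{policy}: MAC accepted without a credential challenge"))
    return findings

if __name__ == "__main__":
    for number, severity, reason in audit_ports(SAMPLE_PORTS, trusted_vlans={10}):
        print(f"port {number}: [{severity}] {reason}")
```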