It looks like Juniper is following through on its promise to support NAC in its new EX LAN switches.

In Network World tests the switches demonstrated the ability to restrict authentication via 802.1x, which is considered the most secure and scalable method of NAC authentication. (Compare NAC products)

The test found that the switches can authenticate multiple or individual devices per port, to static or dynamically assigned virtual LANs (VLAN) or via dynamically applied access control lists.

In addition, the switches can authenticate based on media access control (MAC) addresses, which comes in handy for devices that don’t have 802.1x agents on them such as printers and IP phones.

Here’s exactly what Network World tester David Newman had to say:
“Considering Juniper's longtime advocacy of NAC, it's not surprising that the EX 4200 did well in our authentication tests. The switch passed all six scenarios, five of which used 802.1X. These tests examined authentication into a statically defined VLAN; authentication of multiple clients per port; authentication into a dynamically allocated VLAN; authentication with dynamically applied access control lists (ACL); and placement into a restricted VLAN upon authentication failure.

“In the ACL test the switch applied rules previously defined on the switch; this is far less cumbersome than the approach taken by some other switches, where ACLs must be entered into the RADIUS server then returned to supplicants during authentication.

“The switch also passed a sixth test involving authentication by a MAC address; this scenario represents the case where an end-station, such as a printer, lacks 802.1X supplicant software. One catch here was that the switch's CLI did not display clients currently authenticated by MAC addresses, as it did with 802.1X-authenticated clients. Juniper says it expects an August software release to remedy that.”

The full Network World review of the EX switches can be found here.

Tim Greene is senior editor at Network World.