Juniper Mist Access Assurance: Getting Started Guide.
Juniper Mist Access Assurance is a network admission control and access management platform built from the ground up, eliminating the need for the typical NAC infrastructure components. This quick start guide walks users through the steps from enabling Access Assurance to basic troubleshooting.
Step-1: Understanding use-cases
1. 802.1X (Cred & Cert based auth)
RADIUS-based 802.1X authentication enables network operators to automatically authenticate and authorise a user or device before admitting it to the network. It works with the typical user and device management systems such as Azure Active Directory, Okta, Jamf etc.
Certificate-based authentication is recommended to future-proof the configuration.
2. Non-802.1X (MAB / MPSK)
This use-case is helpful for onboarding devices that do not support 802.1X. Typical examples are IoT devices such as security cameras, temperature sensors etc. For wireless devices, in scenarios such as BYOD you may also want to avoid dealing with 802.1X client provisioning for unmanaged devices and prefer a simpler onboarding mechanism.
For such wireless devices the Multi-PSK option can be used in both IoT and BYOD scenarios, and the MAB (MAC Authentication Bypass) option covers wired devices.
Step-2: Enable Mist Authentication
For wireless devices, enable Juniper Mist Access Assurance from the WLAN Templates menu option. Select Security as “Enterprise (802.1X)” (either WPA2 or WPA3) and select Authentication Servers as “Mist Auth”.
For wired clients, Authentication Servers is configured under the Wired -> “Switch Templates” option.
Step-3: Configure certificates
The Certificates section manages Trusted Certificate Authorities as well as the Mist Access Assurance Server Certificate configuration.
In order for EAP-TLS certificate-based authentication to work, you must add the trusted Certificate Authority into the Mist dashboard; this lets the Mist Auth service trust client certificates signed by the added CAs.
Trusted CA Certificates can be added from the Organization -> Access -> Certificates -> Add Certificate Authority page.
CA certificates can be pasted directly and the system will automatically parse and decode the imported CA certificate. We recommend adding your Root CA as well as all your Intermediate or Issuing CA certificates, one by one.
Step-4: Configure Identity provider
Identity Providers can be used either to obtain additional identity context for clients authenticated via certificates, or to authenticate clients that use password-based authentication via EAP-TTLS/PAP.
Identity providers can be configured from the Organization -> Access -> Certificates -> Identity Providers page. This step is optional for EAP-TLS (certificate) authentication and mandatory for EAP-TTLS (credential-based) authentication.
Identity providers serve as the authentication source (in the case of EAP-TTLS) and as the authorization source (by obtaining user group memberships, account state etc.) for both EAP-TLS and EAP-TTLS.
Step-5: Create Policies
Auth Policies leverage labels to determine the identity signature of the client device in order to decide whether network access should be allowed, and which additional attributes (such as VLAN, Role or GBP Tag) need to be applied. Labels can be matching criteria or the actions to be performed after a match.
Labels can be created directly from the Organization > Access > Auth Policies page or from the Organization > Access > Auth Policy Labels menu. Click on “Add Label” to add a matching criterion or an action.
You can match users or devices based on the following criteria:
Certificate attributes (such as common name, subject, issuer etc.)
Directory attribute, i.e. user group membership
List of MAC addresses or MAC OUIs. For devices that are not 802.1X capable you can leverage Client Lists to allow approved devices on the network. Examples: 1122AA33BB44 and/or 11-22-AA-33-BB-44 and/or 11-22-AA*
Location
After a user or device has matched a specific rule, you can assign the following actions:
VLAN
GBP Tag
Role – used together with wireless policies or switch policies
Auth Policies can be created from the Organisation > Access > Auth Policies menu. New rules can be added by clicking on the “Add Rule” option and choosing Match Criteria and Assigned Policies.
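As an added illustration of the Client List matching described above (example code, not Mist's own implementation), here is a small Python matcher for the three entry formats the page shows; the entry grammar (a full 6-octet address, with or without dash separators, or a 3-octet OUI prefix ending in '*') is inferred from those examples and is an assumption.

```python
import re

# Constructed Client List entries in the formats the page describes.
# These values are made up for illustration, not real device addresses.
CLIENT_LIST = ["1122AA33BB44", "11-22-AA-33-BB-44", "11-22-AA*"]


def normalize_mac(value: str) -> str:
    """Strip ':', '-' and '.' separators and upper-case the hex digits."""
    return re.sub(r"[:\-.]", "", value.strip()).upper()


def parse_entry(entry: str) -> tuple[str, bool]:
    """Return (hex_prefix, is_wildcard); raise ValueError on malformed entries.

    Assumed grammar: a trailing '*' marks an OUI (exactly 3 octets);
    anything else must be a full 6-octet MAC address.
    """
    wildcard = entry.endswith("*")
    hex_part = normalize_mac(entry[:-1] if wildcard else entry)
    if not re.fullmatch(r"[0-9A-F]*", hex_part):
        raise ValueError(f"non-hex characters in entry {entry!r}")
    if wildcard and len(hex_part) != 6:
        raise ValueError(f"OUI wildcard needs exactly 3 octets: {entry!r}")
    if not wildcard and len(hex_part) != 12:
        raise ValueError(f"full MAC needs exactly 6 octets: {entry!r}")
    return hex_part, wildcard


def matches_client_list(client_mac: str, entries: list[str]) -> bool:
    """True if the client MAC equals a listed address or falls in a listed OUI."""
    mac = normalize_mac(client_mac)
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        return False  # a malformed client MAC never matches anything
    for entry in entries:
        prefix, wildcard = parse_entry(entry)
        if mac.startswith(prefix) if wildcard else mac == prefix:
            return True
    return False


if __name__ == "__main__":
    # Constructed RADIUS Calling-Station-Id style value (colon separated, lower case)
    print(matches_client_list("11:22:aa:33:bb:44", CLIENT_LIST))  # True
    print(matches_client_list("11:22:ab:00:00:01", CLIENT_LIST))  # False
```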
Step-6: Client visibility and troubleshooting
All client events, from both the network side and the Access Assurance side, are available under Client Insights.