APPENDIX: Dynamic Client Authentication Using the Mist Authentication Cloud

In this section, we provide examples of how to authenticate wired clients using Juniper Mist Access Assurance and how you can repeat the testing performed in this JVD. First, ensure that your switch template uses “Mist Auth” in the authentication servers field as shown in Figure 1.

Then, you must create the RADIUS Authorization Policy Labels on the Organization > Auth Policy Labels page.

Figure 1: Authorization Policy Labels Location

Create labels for at least three GBP tags you want to assign:

  • First, create the new auth policy label:
    • Label Name=Cameras
    • Label Type=AAA Attribute

      This label type indicates that the value is conveyed as a RADIUS attribute.

    • Port Network=GBP Tag
    • GBP Tag Values=100
    Figure 2: First New Auth Policy Label
  • Second, create this new auth policy label:
    • Label Name=IT-Department
    • Label Type=AAA Attribute
    • Port Network=GBP Tag
    • GBP Tag Values=200
  • Third, create this new auth policy label:
    • Label Name=Printers
    • Label Type=AAA Attribute
    • Port Network=GBP Tag
    • GBP Tag Values=300

The resulting configuration of all three labels should look like the list shown in Figure 3.

Figure 3: Auth Policy Labels

MAC Address-Based Client Authentication

When you intend to use MAC address-based client authentication, ensure that the switch ports where your clients are attached use the right port profile. In our case, we used the port profile “vlan1099-mac-auth” and configured the switch ports as shown in Figure 4. Use port IDs appropriate for your environment.

Figure 4: Port Profile for MAC Address-Based Client Authentication

Next, create auth labels to identify the MAC addresses of your wired clients as shown in the following example:

  • Create a new auth label:
    • Label Name=MACclient1
    • Label Type=Client List (this label type is used to validate MAC addresses)
    • Label Values=<client1-MAC-Address>

Create other auth labels based on the above example for at least 3 MAC address-based clients. An example of the result is shown in Figure 5.

Figure 5: Example Auth Policy Label List

Next, you must create various authentication policies on the Organization > Auth Policies page.

Figure 6: Authentication Policies Location

In the example below, we want every client to get GBP tag1 (our “Printers”) assigned. Hence, the configuration looks like the following:

  • Auth Policy for the first client:
    • Name=Client1
    • Match Criteria=MACclient1 and MAB and Wired
    • Policy=Pass
    • Assigned Policies=Network Access Allowed and Cameras
  • Auth Policy for the second client:
    • Name=Client2
    • Match Criteria=MACclient2 and MAB and Wired
    • Policy=Pass
    • Assigned Policies=Network Access Allowed and Cameras
  • Auth Policy for the third client:
    • Name=Client3
    • Match Criteria=MACclient3 and MAB and Wired
    • Policy=Pass
    • Assigned Policies=Network Access Allowed and Cameras
Figure 7: Example Auth Policies List

We have chosen to define one authentication policy per client because you can change the assigned policy for each client individually to assign and test with a different GBP tag.

Note:

When testing dynamic, MAC address-based authentication, there is a default time of 10 minutes before a re-authentication happens. When you change labels to test other combinations, 10 minutes might be too long to wait. In a lab situation, you can use the additional Junos OS CLI feature to shorten the reauthentication period. For example, to set a 60 second reauthentication period, use the following additional Junos OS CLI: set protocols dot1x authenticator interface vlan1099-mac-auth reauthentication 60.

After your clients are authenticated by Juniper Mist Access Assurance, you can check the GBP tag assignment. To do so, navigate to Clients > Wired Clients in the Juniper Mist portal.

Figure 8: Wired Clients Location

Identify the wired clients you have configured and click on Wired Client Insights.

Figure 9: Wired Client List

Below is an example of the first client events report. You can see which interface the new client connected through:

Figure 10: Wired Client Events List – User Authentication

The second event you would typically see is the NAC authentication itself. Below, you can see the authentication type, the Auth Rule that was found valid to be used and the final GBP tag that was applied as part of the dynamic authentication:

Figure 11: Wired Client Events List – NAC Client Access Allowed

IEEE 802.1X-Based Client Authentication

When you intend to use IEEE 802.1X-based client authentication, ensure that the switch ports where your clients are attached use the correct port profile. In our case, we used the port profile “vlan1099-eap-auth” and configured the switch ports as shown in the example below. Use port IDs appropriate for your environment.

Figure 12: Port Configuration for 802.1X-Based Client Authentication

When testing, we wanted to be able to identify a minimum of three clients individually to be able to assign them different GBP tags dynamically. The approach chosen was to use EAP-TLS and determine the individual client by attributes of their client certificates stored on each supplicant. Which values you choose depends on the enterprise PKI you intend to use. In our case, we knew that each client has a different name in the Common Name attribute of the supplicant certificate. Hence, we used this field to create three client labels as shown in the example below:

  • Create a new authentication policy label by navigating to Organization > Auth Label and configuring the fields as shown in the following list:
    • Label Name=TLSclient1
    • Label Type=Certificate Attribute
    • Label Values=Common Name (CN)
    • Common Names Values=user01@example.net
Figure 13: Example Auth Policy Label for EAP-TLS Authentication
  • Create other labels based on the example above for at least three TLS clients as shown in Figure 14.
Figure 14: Example EAP-TLS Authentication Policy Label List

Next, create various authentication policies on the Organization > Auth Policies page:

In the example below, we want every client to have the GBP tag1 (our “Printers”) assigned. Hence, the configuration looks like the following:

  • Auth policy for the first client:
    • Name=Client1
    • Match Criteria=TLSclient1 and EAP-TLS and Wired
    • Policy=Pass
    • Assigned Policies=Network Access Allowed and Cameras
  • Auth policy for the second client:
    • Name=Client2
    • Match Criteria=TLSclient2 and EAP-TLS and Wired
    • Policy=Pass
    • Assigned Policies=Network Access Allowed and Cameras
  • Auth policy for the third client:
    • Name=Client3
    • Match Criteria=TLSclient3 and EAP-TLS and Wired
    • Policy=Pass
    • Assigned Policies=Network Access Allowed and Cameras
Figure 15: Example EAP-TLS Authentication Policies List
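The two rule sets above (the MAB rules keyed on MACclient labels and the EAP-TLS rules keyed on TLSclient certificate-CN labels) are modelled here as an added example; this is not Mist code and does not reproduce the Mist policy engine. It assumes first-match, top-to-bottom evaluation with all match criteria of a rule ANDed, uses constructed MAC addresses, and prefixes the rule names so that both sets can coexist in one list.

```python
from dataclasses import dataclass
from typing import Optional

# Label definitions from the appendix. GBP tag numbers and certificate CNs are the
# appendix's values; the MAC addresses are constructed sample values.
GBP_TAG_LABELS = {"Cameras": 100, "IT-Department": 200, "Printers": 300}
MAC_LABELS = {f"MACclient{i}": {f"00:11:22:aa:bb:0{i}"} for i in (1, 2, 3)}
CERT_CN_LABELS = {f"TLSclient{i}": {f"user0{i}@example.net"} for i in (1, 2, 3)}

@dataclass
class Client:
    mac: str
    auth_type: str                 # "MAB" or "EAP-TLS"
    medium: str = "Wired"
    cert_cn: Optional[str] = None  # CN of the supplicant certificate (EAP-TLS only)

@dataclass
class AuthPolicy:
    name: str
    match: tuple     # Match Criteria: every label must hold (AND)
    assigned: tuple  # Assigned Policies, e.g. ("Network Access Allowed", "Cameras")

def label_matches(label: str, c: Client) -> bool:
    if label in MAC_LABELS:
        return c.mac.lower() in MAC_LABELS[label]
    if label in CERT_CN_LABELS:
        return c.cert_cn in CERT_CN_LABELS[label]
    if label in ("MAB", "EAP-TLS"):
        return c.auth_type == label
    if label in ("Wired", "Wireless"):
        return c.medium == label
    raise KeyError(f"unknown label {label}")

def evaluate(policies, c: Client):
    """Assumed first-match evaluation: returns (rule name, access allowed, GBP tag).
    A client that matches no rule is not granted access and receives no tag."""
    for p in policies:
        if all(label_matches(lbl, c) for lbl in p.match):
            tag = next((GBP_TAG_LABELS[a] for a in p.assigned if a in GBP_TAG_LABELS), None)
            return p.name, "Network Access Allowed" in p.assigned, tag
    return None, False, None

# The six rules from the appendix; names are prefixed here to keep the two sets apart.
POLICIES = [AuthPolicy(f"MAB-Client{i}", (f"MACclient{i}", "MAB", "Wired"),
                       ("Network Access Allowed", "Cameras")) for i in (1, 2, 3)]
POLICIES += [AuthPolicy(f"TLS-Client{i}", (f"TLSclient{i}", "EAP-TLS", "Wired"),
                        ("Network Access Allowed", "Cameras")) for i in (1, 2, 3)]
```

Swapping the GBP label in a single rule's assigned policies is all it takes to give that one client a different tag, which is why the appendix keeps one rule per client.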

At this point, if not already done, you must configure your enterprise PKI for the Juniper Mist authentication cloud:

  • Navigate to Organization > Certificates
Figure 16: Certificates Location in Mist GUI
  • Click on the Add Certificate Authority button as shown in Figure 17.
Figure 17: Add Certificate Authority
  • Paste the base64-encoded part of your enterprise PKI root CA in the Signed Certificate window.
Figure 18: Signed Certificate Window

The result should look like this:

  • Now, click on Import Custom RADIUS Server Certificate:

  • Apply the following configuration:
    • Paste the base64-encoded private key of your enterprise PKI RADIUS server certificate into the Private Key field.
    • Depending on your enterprise PKI, your RADIUS server certificate may need a password to open the encrypted key. If that is the case, provide this information here.
    • Paste the content of the base64-encoded part of your enterprise PKI RADIUS server public certificate into the Signed Certificate field.
  • Confirm the information in the populated property fields:
    • The common name should be a DNS FQDN.
    • Extended Key Usage=TLS Web server authentication
Figure 19: Example of Filled-in Import Custom RADIUS Server Certificate Fields
  • Click Save.

Now, you can start to authenticate your EAP-TLS clients.

After your clients are authenticated by Juniper Mist Access Assurance, you can check the GBP tag assignment. To do this, navigate to Clients > Wired Clients.

Identify the wired client you have configured and click on Wired Client Insights:

First, check the certificate of the RADIUS server:

Next, you see the information about the client certificate from the supplicant that the RADIUS server checked for validation. Here, it is important to review the certificate attributes because we use them to identify a single client.

Then, you see the decision of the NAC system to allow network access for this client and which rule allowed it. The GBP tag assigned can also be reviewed: