Self-provisioning for IoT and Personal Devices

Automate client onboarding at scale, for personal devices and IoT, with secure self-provisioning.

Wireless users in environments like dormitories can securely self-provision their personal devices such as Xboxes, Apple TV, and Roku. Likewise, unattended IoT devices can securely and automatically join a specified VLAN, or network segment. We call this the Personal Network Experience. And because it eliminates the need for client MAC address registration and IT intervention, it is an ideal solution for providing Wi-Fi access at scale.

Self-provisioning with the Personal Network Experience works by connecting a SAML-compliant identity provider (IdP), for example, Microsoft Entra ID, to the Juniper Mist Access Assurance portal. Users log on to the WLAN, where they are redirected to the single sign-on service for authentication and authorization. Mist assigns each authenticated user a personal preshared key (PSK) that is unique to that user on that SSID. Using personal PSKs also enables micro-segmentation, which means you can have users connect to a specific VLAN according to their role or profile. The same is true for IoT devices; they can be automatically connected to a specific VLAN, a best practice for protecting against IoT take-over attacks.

In the Mist console, you can configure both the complexity of the required passphrase, and the frequency of key rotation.

Figure 1: Self-Provisioning Logon Screen WiFi interface showing SSID byod-net, passphrase 2FJACc!%, QR code, email and regenerate options, alongside three people working on a wooden deck with greenery visible.

During self-provisioning, laptop users can generate a unique passphrase, then copy and paste it into the portal when prompted. Or, if working from a mobile device, they can have the passphrase emailed to them. Generated passphrases expire after 24 hours.

Before You Begin

  • Obtain and activate a Juniper Mist™ Access Assurance subscription. For information about subscription management, see the Juniper Mist Management Guide.
  • In your Juniper Mist organization, configure at least one organization-level WLAN with Multi-PSK enabled (either local or cloud PSK options are fine). For help with WLAN configuration, see the Juniper Mist Wireless Assurance Configuration Guide.
  • In your IdP admin console, configure a SAML 2.0 app integration. Your PSK portal will integrate with this application to enable Single Sign-On (SSO) access to your portal users. You can use a wide variety of IdPs (such as Okta and Microsoft Azure), as long as they support SAML 2.0. For help setting up a SAML 2.0 app integration, see your IdP documentation.

    Copy the following information from your SAML 2.0 app integration, and save it so that you can use it to set up your PSK portal in Juniper Mist.

    • Signing Algorithm

    • Issuer ID (this key may vary; for example, in Okta this value is called Identity Provider Issuer, and in Azure it's called Azure AD Identifier).

    • SSO URL (this key may vary; for example, in Okta this value is called Identity Provider Single Sign-On URL, and in Azure it's called Login URL).

    • Certificate—Copy the full text of the certificate, from the BEGIN CERTIFICATE line through the END CERTIFICATE line.
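A partial paste of the certificate or an SSO URL copied without its scheme are the most common reasons the portal rejects the IdP values, so it is worth checking the four values before pasting them into Juniper Mist. The following pre-flight check is an added example, not Juniper code or part of the Mist product: the field names follow the list above, while the acceptance rules (SHA-2 digests accepted, SHA1 flagged, https required) and the hostnames and sample certificate bytes are this example's own assumptions and constructed data.

```python
"""Pre-flight check of the values copied from a SAML 2.0 app integration
before pasting them into the Juniper Mist PSK portal. Added example, not
Juniper code: the field names follow the documentation; the acceptance
rules, hostnames and sample bytes are assumptions/constructed data."""
import base64
import binascii
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the portal's default is SHA256, so SHA-2 digests pass and SHA1
# is reported as a warning rather than rejected outright.
ACCEPTED_ALGORITHMS = {"SHA256", "SHA384", "SHA512"}
LEGACY_ALGORITHMS = {"SHA1"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_outer_length(der):
    """Return header length + declared length of the outermost DER SEQUENCE,
    or None if the bytes do not start with a SEQUENCE tag (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate(pem_text):
    """Return (problems, sha256_fingerprint) for the pasted certificate text.
    A missing BEGIN/END line, a non-base64 body, or a DER length that does not
    match the decoded size (the signature of a partial copy) is a problem."""
    m = PEM_RE.search(pem_text)
    if not m:
        return ["certificate must include both the BEGIN CERTIFICATE and "
                "END CERTIFICATE lines"], None
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return ["certificate body is not valid base64 (partial copy?)"], None
    expected = der_outer_length(der)
    if expected is None:
        return ["decoded certificate is not a DER SEQUENCE"], None
    if expected != len(der):
        return [f"certificate is truncated: DER declares {expected} bytes, "
                f"got {len(der)}"], None
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return [], fingerprint


def validate_idp_values(values):
    """Validate the dict of copied values; return a report with 'ok',
    'problems', 'warnings' and 'fingerprint' (compare it with the IdP UI)."""
    problems, warnings = [], []
    if not values.get("issuer", "").strip():
        problems.append("Issuer is required")
    url = urlparse(values.get("sso_url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("SSO URL must be an absolute https:// URL")
    alg = values.get("signing_algorithm", "").upper().replace("-", "")
    if alg in LEGACY_ALGORITHMS:
        warnings.append("SHA1 signing is weak; prefer SHA256 on the IdP")
    elif alg not in ACCEPTED_ALGORITHMS:
        problems.append(f"unsupported signing algorithm {alg!r}")
    cert_problems, fingerprint = check_certificate(values.get("certificate", ""))
    problems.extend(cert_problems)
    return {"ok": not problems, "problems": problems,
            "warnings": warnings, "fingerprint": fingerprint}


def make_pem(der):
    """Wrap DER bytes in PEM framing with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: a tiny DER SEQUENCE {INTEGER 1, INTEGER 256} stands
# in for a certificate body (the check is structural, so a real X.509 blob is
# not needed). example.com hostnames are placeholders, not a real tenant.
SAMPLE_DER = bytes([0x30, 0x07, 0x02, 0x01, 0x01, 0x02, 0x02, 0x01, 0x00])
GOOD_VALUES = {
    "issuer": "https://idp.example.com/saml/issuer",
    "sso_url": "https://idp.example.com/app/example/sso/saml",
    "signing_algorithm": "SHA256",
    "certificate": make_pem(SAMPLE_DER),
}
# The same values with two common copy mistakes: an http:// SSO URL and a
# certificate pasted without its END line.
BAD_VALUES = dict(GOOD_VALUES,
                  sso_url="http://idp.example.com/app/example/sso/saml",
                  certificate=make_pem(SAMPLE_DER).split("-----END")[0])

if __name__ == "__main__":
    for label, values in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        print(label, validate_idp_values(values))
```

The DER length check is what catches a certificate whose middle lines were dropped while scrolling: the base64 still decodes, but the outer SEQUENCE declares more bytes than arrived. The fingerprint is printed so that you can compare it against the one the IdP console shows before saving the portal.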

Configure Self-Provisioning

To set up client onboarding with a BYOD PSK Portal:

  1. From the left menu of the Juniper Mist portal, select Organization > Access > Client Onboarding.
  2. Click Add PSK Portal at the top-right corner of the Client Onboarding page.
  3. In the Add PSK Portal pop-up window, enter a Name, select BYOD (SSO) as the portal type, and then click Create.
  4. On the Portal Settings tab of the Edit PSK Portal window:
    • Keep the default layout options, or make changes to customize the sign-in screen.

    • Copy the PSK Portal URL so that you can provide it to your users.

  5. On the Portal Authorization tab of the Edit PSK Portal window:
    • Enter the Issuer, Signing Algorithm, SSO URL, and Certificate that you copied from your app integration in your IdP admin console.

    • Select a Name ID Format. Most people use the e-mail address for the name ID. If you use a different identifier for your IdP user accounts, select Unspecified.

    Edit PSK Portal configuration window with Portal Authorization tab selected, showing required fields with red exclamation marks. Error message: SSO Issuer is required. Fields include Issuer, Name ID Format, Signing Algorithm set to SHA256, Certificate, and SSO URL with copy button. Buttons include Delete, Save, and Cancel.
  6. Copy the Portal SSO URL.
  7. Open a separate browser window, and complete these steps to finalize your SAML 2.0 app integration:
    1. Navigate to your IdP admin console.
    2. Go to the settings for your SAML 2.0 app integration.
    3. Enter the copied value into the appropriate field to identify your Juniper Mist PSK portal to your IdP. For help, see your IdP documentation.
    4. Save the changes.

    Your IdP might have different names for the field where you need to paste the Portal SSO URL. Consider the following examples, and see your IdP documentation for help.

    Okta Example

    In this example, the Portal SSO URL from Juniper Mist is copied into the appropriate fields in the Okta Admin Console.

    Configuration screen for SAML settings with consistent URL across Portal SSO URL, Single sign on URL, and Audience URI fields.

    Microsoft Azure Example

    In this example, the Portal SSO URL from Juniper Mist is copied into the appropriate fields in the Azure Admin Console.

    Configuration screen for Basic SAML setup in Azure Active Directory, showing repeated use of the URL https://api.mist.com/api/v1/pskportal/ in Portal SSO URL, Identifier Entity ID, and Reply URL fields.
  8. Return to the Juniper Mist portal.
  9. On the PSK Parameters tab of the Edit PSK Portal window:
    • Select the SSID (required).

      Note:

      The list includes only SSIDs for organization-level WLANs that have Multi-PSK enabled.

    • Adjust the optional settings as needed. For example:

      • Specify a VLAN ID if you want the users of this portal to be assigned to a particular VLAN. To use this option, you must enter a VLAN that is included in the VLAN list for the WLAN.

      • Set the Passphrase Settings to enforce your policies for password complexity.

      • Adjust the PSK Validity options to set the expiration period and to send reminders before key expiration.

        If you enable the option to send reminders, Juniper Mist sends users an email when their PSK is about to expire.

        The email includes either the default reauthentication URL or your Key Expiration Renew URL (if you enter one). This is typically a single sign-on URL (for example, your corporate identity provider URL through Okta or Microsoft Azure).

      • Under Max Usage, you can limit the number of devices that can connect to your portal.

      • Under Role, you can specify a role to limit access to certain types of user accounts (using the roles that you set up for your IdP user accounts).

    Configuration interface for editing a PSK Portal, including fields for SSID, VLAN ID, passphrase settings, PSK validity, expiration renew URL, max usage, role assignment, and save, delete, or cancel options.
  10. Click Save at the bottom of the Edit PSK Portal window.
    Note:

    The button is unavailable until you enter the required settings on the various tabs. The required settings are labeled in red type.

  11. Verify that your portal works as expected by going to the PSK Portal URL that you copied from the Portal Settings tab of the Edit PSK Portal window.
  12. Provide your users with the PSK Portal URL so that they can connect to your portal.
    Tip:

    Create a CNAME record in your DNS to provide a more user-friendly URL that is associated with your domain.

    Users can follow the on-screen text to onboard their devices.
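The introduction states that a personal PSK is specific to the user and the SSID, that generated passphrases expire after 24 hours, and that the PSK Parameters tab controls passphrase complexity and PSK validity with expiry reminders. The following model of that lifecycle is an added example, not Juniper code or a description of the Mist implementation: the policy fields, default lengths and validity numbers are assumptions, while the key derivation is the standard WPA2-Personal one (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID, as defined in IEEE 802.11i), shown here to make clear why the same passphrase yields a different key on a different SSID.

```python
"""Model of the personal-PSK lifecycle: a passphrase generated under a
complexity policy, the WPA2 pairwise master key derived from it and the SSID,
and the expiry/reminder dates. Added example, not Juniper code; policy fields
and numbers are assumptions, not Mist defaults."""
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PassphrasePolicy:
    """Assumed shape of a complexity policy (the documentation names the
    setting but does not list its fields)."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


SYMBOLS = "!%$#@*?"   # assumption: a small symbol set that survives copy/paste


def meets_policy(passphrase, policy):
    """Return True if the passphrase satisfies the policy and WPA2's own
    limit of 8..63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        return False
    if len(passphrase) < policy.min_length:
        return False
    checks = [
        (policy.require_upper, any(c.isupper() for c in passphrase)),
        (policy.require_lower, any(c.islower() for c in passphrase)),
        (policy.require_digit, any(c.isdigit() for c in passphrase)),
        (policy.require_symbol, any(c in SYMBOLS for c in passphrase)),
    ]
    return all(ok for required, ok in checks if required)


def generate_passphrase(policy, length=16):
    """Draw a passphrase from a CSPRNG, retrying until it meets the policy
    (all classes are in the alphabet, so the loop terminates quickly)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate


def wpa2_psk(passphrase, ssid):
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    The SSID is the salt, so one passphrase gives a different key on a
    different SSID; a personal PSK is therefore tied to both."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def psk_schedule(issued_at, validity_days, reminder_days):
    """Return (expires_at, reminder_at) for the PSK Validity settings."""
    expires_at = issued_at + timedelta(days=validity_days)
    return expires_at, expires_at - timedelta(days=reminder_days)


def unclaimed_passphrase_expired(generated_at, now, ttl_hours=24):
    """A generated but unused passphrase expires after 24 hours."""
    return now >= generated_at + timedelta(hours=ttl_hours)


SAMPLE_ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    policy = PassphrasePolicy()
    pp = generate_passphrase(policy)
    print("passphrase:", pp, "policy ok:", meets_policy(pp, policy))
    print("PSK on byod-net:", wpa2_psk(pp, "byod-net"))
    print("expires / reminder:", psk_schedule(SAMPLE_ISSUED_AT, 90, 7))
```

The PBKDF2 step is the standard one that any WPA2-Personal supplicant performs, so the derived key can be checked against the published IEEE test vector (passphrase "password" on SSID "IEEE"). The 8-character sample passphrase shown in Figure 1 passes WPA2's length floor but would fail the 12-character minimum assumed here, which is the kind of tension the Passphrase Settings let you resolve per portal.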