Juniper Mist Authentication Proxy: Third-Party Device Support

Follow these steps to use Juniper Mist Authentication Proxy to support end-client and management-user authentication into third-party devices such as Cisco IOS devices.

Overview

Juniper Mist™ Access Assurance supports end-client and management-user authentication into third-party devices by leveraging a Mist Auth Proxy application running on a Mist Edge platform.

Mist Edge is managed by the Mist Cloud and serves as a "gateway" for any non-Mist-managed device that needs to:

  • Authenticate end-clients connecting to it (for example, a third-party switch, wireless LAN controller, or access point (AP))

  • Authenticate management users (for example, admin login to a firewall or switch CLI management interface)

To set this up, you add your third-party devices as RADIUS clients in the Mist Edge Cluster configuration. The cluster wraps all authentication traffic into a secured RadSec tunnel and sends it to the Mist Access Assurance cloud. Note that RadSec protects only the leg from the Mist Edge to the cloud; the leg from the third-party device to the Mist Edge is standard RADIUS, protected only by the shared secret, so use a strong, unique secret per client and keep that traffic on a management network.

Figure 1: Juniper Mist Edge as Auth Proxy—Flow of Connections

Design Considerations

  • A Mist Edge can serve as the authentication proxy for multiple sites; you do not need one Mist Edge per site.

  • For redundancy, we recommend installing at least two Mist Edges in different data centers or points of presence (PoPs).

  • Mist Auth Proxy functionality is supported on all Mist Edge platforms. We recommend that you use a dedicated Mist Edge appliance (or VM) for Mist Auth Proxy and avoid combining Mist Auth Proxy with Tunterm or OCProxy functionality on the same Mist Edge.

  • If you are using a Mist Edge VM, note that it needs only a single network interface, and that you need ME-VM-OC-PROXY to unlock the Mist Auth Proxy functionality.

About RADIUS Attributes

  • Based on the configured vendor, Mist Access Assurance automatically sends the correct RADIUS attributes in the Access-Accept response to assign VLANs, roles (firewall filters), and session timeouts.
  • Use custom vendor-specific RADIUS attribute labels to return specific attributes for any special use cases.

Add a Third-Party Vendor and Configure an Authentication Policy

  1. Mist Edge Cluster Configuration: Add your third-party device as a RADIUS client in your cluster configuration:
    1. From the left menu of the Juniper Mist portal, select Mist Edges.
    2. Under Mist Edge Clusters, click an existing cluster or create a new cluster.
    3. On the cluster page, under Radius Proxy, click Enabled.
    4. Set type as Mist Auth Proxy.
    5. Click Add Client.
    6. Enter the information for the new client:
      • IP Address

      • Shared Secret

      • Vendor

      • Site (optional)

      RADIUS Client Example
    7. Click the checkmark at the top of the New Client section to save your settings.
    8. Click Save at the top-right corner of the Mist Edge Clusters page.
  2. Resource Label: Add a label to identify your third-party vendor device as a resource that you can use later in your auth policies.
    1. From the left menu, select Organization > Access > Auth Policies.
    2. At the top of the Auth Policies page, click Create Label.
      Location of Add Rule and Create Label Buttons
    3. Enter the following information:
      • Label Name—Enter a descriptive label so that you'll recognize this third-party vendor device when you're using this label in your auth policies.

      • Label Type—Select AAA Attribute.

      • Label Values—Select Custom Vendor Specific Attribute.

      • Click Add Attribute, enter a Name and a Value, and then click Create.

      Label Example
  3. Auth Policy: Add a rule to identify the users who get authenticated by your third-party device.
    1. At the top of the Auth Policy page, click Add Rule.

      The new rule appears at the top of the rules, numbered 1.

      New Rule on the Auth Policies Page
    2. Enter the information for this policy:
      • Name—Enter a descriptive name to identify the purpose of this policy.

      • Match Criteria—Click +, and then select the users or user groups that are authenticated by this vendor device.

      • Policy—Leave the green checkmark in place because you want to allow these users to access the resource.

      • Assigned Policies—Click +, and then select the label that you created for your third-party vendor device.

    3. Click Save at the top-right corner of the Auth Policies page.
  4. Add rules for additional vendors as needed.

    This example shows numerous rules for different purposes. You can hover over any resource or user label to see more information.

Next, configure your third-party vendor device to use Mist Edge as its RADIUS server.

Configuring Your Third-Party Vendor Device

Point your third-party vendor devices to the Mist Edge OOBM (out-of-band management) IP address as the RADIUS server, using the same shared secret that you entered for the RADIUS client in the cluster configuration.

If you are deploying multiple Mist Edges, add each Mist Edge as a RADIUS server in failover or load-balance mode, depending on what your third-party device supports.

Example: Cisco IOS Device Configuration

Note: When verifying a login, always include the domain name with the username, for example:

user123@company.net@10.148.2.21
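The following Cisco IOS/IOS-XE configuration is an added example and is not taken from the original page or from Juniper. It assumes two Mist Edges with OOBM addresses 192.0.2.21 and 192.0.2.22 (placeholders; replace with your own), a shared secret placeholder, VLAN 100 as the source interface for RADIUS traffic, and an access port GigabitEthernet1/0/1. It points both 802.1X/MAB end-client authentication and management (login/exec) authentication at the Mist Edges, with local fallback only when no RADIUS server answers, and enables dead-server detection so that failover to the second Mist Edge actually happens.

```cisco
! Added example (not from the original page): Cisco IOS/IOS-XE switch using
! two Mist Edges as RADIUS servers. Addresses, secret, VLAN and interface are
! assumed placeholders; replace them with your own values.
aaa new-model
!
! One "radius server" entry per Mist Edge. The key must match the Shared
! Secret you entered under Radius Proxy > Add Client for this device's IP.
radius server MIST-EDGE-1
 address ipv4 192.0.2.21 auth-port 1812 acct-port 1813
 key <shared-secret>
!
radius server MIST-EDGE-2
 address ipv4 192.0.2.22 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Group both edges; IOS tries them in order and fails over to the next one.
aaa group server radius MIST-AUTH
 server name MIST-EDGE-1
 server name MIST-EDGE-2
!
! Source RADIUS packets from the address you registered as the RADIUS client
! IP, otherwise the Mist Edge will not recognise the NAS and will drop requests.
ip radius source-interface Vlan100
!
! Mark a server dead after 3 unanswered tries in 10 seconds and skip it for
! 5 minutes, so failover to the second Mist Edge is fast and predictable.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
! Management users: authenticate and authorize against Mist Edge first;
! fall back to the local database only if no RADIUS server responds.
aaa authentication login default group MIST-AUTH local
aaa authorization exec default group MIST-AUTH local if-authenticated
!
! End clients: 802.1X and MAB. "authorization network" is required for the
! VLAN / filter attributes in the Access-Accept to be applied.
aaa authentication dot1x default group MIST-AUTH
aaa authorization network default group MIST-AUTH
aaa accounting dot1x default start-stop group MIST-AUTH
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
! Verify the RADIUS path from the switch before relying on it (exec mode).
! Include the domain with the username, as the note above says.
! test aaa group MIST-AUTH user123@company.net <password> new-code
```

After applying the configuration, run the `test aaa` command from exec mode and then confirm that the attempt appears on the NAC Clients and NAC Events pages; if the switch reports a timeout rather than a reject, check the client IP, source interface and shared secret first, since a secret mismatch makes the Mist Edge silently discard the request.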

Checking Login Records

As part of your verification process for your new auth policy, you can check the status of all login attempts on the NAC Clients page and the NAC Events page.

Figure 2: NAC Clients Page
Figure 3: NAC Events Page