Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Integrate Microsoft Entra ID as an Identity Provider

Microsoft Azure Active Directory (Azure AD), now known as Microsoft Entra ID, is an identity and access management solution. With Juniper Mist Access Assurance, you can integrate an authentication service into Entra ID by using OAuth to perform:

  • User authentication with Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS)
    • Performs delegated authentication, that is, checks username and password by using OAuth.
    • Retrieves user group membership information to support authentication policies that are based on this user identity.
    • Gets the status—active or suspended—of an user account.
  • User Authorization with Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) and EAP-TTLS
    • Retrieves user group membership information to support authentication policies that are based on this user identity.
    • Gets the status—active or suspended—of an user account

  • EAP-TTLS with Password Authentication Protocol (PAP)

    • Performs delegated authentication, that is, checks username and password by using OAuth or Resource Owner Password Credentials (ROPC).
    • Retrieves user group membership information to support authentication policies that are based on this user identity.
    • Gets the status—active or suspended—of an user account

Configuration in Entra ID Portal

To integrate Entra ID with Juniper Mist Access Assurance, you need the Client ID, Client Secret, and Tenant ID, which are values that the Entra ID portal generates.

  1. Use your credentials to sign in to the Azure portal and navigate to your AD.
  2. In Microsoft Entra admin center, from the left-navigation bar, select App registrations.
  3. Click New Registration.
  4. On the New Registration page, enter the required information in the following fields. Note that the following list displays sample user input and sample settings.
    • NameMist AA IDP connector
    • Supported Account Type—Select Accounts in this organization directory only (Juniper Networks Only - Single Tenant).
  5. Click Register to continue.
    The registered application page appears displaying information about the newly created connector.
  6. Note down the following details:
    • Application (Client) ID—You'll need to enter this information in the OAuth Client Credential (CC) Client ID and Resource Owner Password Credential Client ID fields on the Juniper Mist cloud portal.
    • Directory (Tenant) ID—You'll need this information for the OAuth Tenant ID field on the Juniper Mist portal.

    You will need to set up an identity provider (IdP) connector on the Juniper Mist portal:

  7. Click Add a certificate or secret on the same page.
  8. In the Clients and secrets page, click New client secret.
    The Add a client secret window appears.
  9. Enter the required information in the following fields and click Add.
    • Description—Provide description for the client secret.
    • Expires—Select expiry period for the secret.

    The system generates Value and Secret ID.

    Copy and save the information in the Value field in a safe location. Note that you'll see this field only once. That is, right after the secret ID is created.

    You will need this information for the OAuth Client Credentials Client Secret field on the Juniper Mist portal when you add Azure AD as an IdP.

  10. Select Authentication in the left-navigation bar and scroll-down to the Advanced Settings section. Select Yes for Allow public client flows.
  11. Select API permissions in the left-navigation bar.
    Under Microsoft Graph, add the following permissions:
    • User.ReadDelegated
    • User.Read.AllApplication
    • Group.Read.AllApplication
    • Device.Read.AllApplication

    Click Grant admin consent.

    You must give your application the required access permissions to use Microsoft Graph API to fetch information about users.

Configuration on Juniper Mist Dashboard

  1. On the Juniper Mist portal, from the left menu, select Organization > Access > Identity Providers.

    The Identity Providers page appears, displaying a list of configured IdPs (if any).

    Figure 1: Identity Providers Page Identity Providers Page
  2. Click Add IDP to add a new IdP.
  3. On the New Identity Provider page, enter the required information as shown below.
    Figure 2: Add Azure AD as Identity Provider Add Azure AD as Identity Provider
    1. Name—Enter an IdP name (For this example: Azure AD).
    2. IDP Type—Select OAuth.
    3. OAuth Type—Select Azure from the drop-down list.
    4. OAuth Tenant ID—Enter the directory (tenant) ID that you copied from the Azure AD application.
    5. Domain Names—Enter the domain name, that is, the user's username (For example: username@domain.com). The domain name field examines incoming authentication requests, identifying the respective username and associated domain. A connector uses the domain name that you set up to identify the Azure tenant the connector needs to communicate with.

    6. Default IDP—Check this option to get machine group memberships.

    7. OAuth Client Credential (CC) Client id—Enter the application (client) ID of the registered application in Microsoft Entra admin center.
    8. OAuth Client Credential (CC) Client secret—Enter the application secret that you created earlier on the Azure portal.
    9. OAuth Resource Owner Password Credential (ROPC) Client id—Enter the application (client) ID of the registered Azure AD application.

On the Juniper Mist portal, go to Monitoring > Insights > Client Events.

When Juniper Mist Access Assurance authenticates a user by using EAP-TLS with Azure AD, you can see the NAC IDP Group Lookup Success event as shown below:

Figure 3: Success Message for EAP-TLS Authentication by IdP Success Message for EAP-TLS Authentication by IdP

For EAP-TTLS authentication, you see the NAC IDP Authentication Success event. This event indicates that Azure AD has validated the user credentials. For this authentication, you also see the NAC IDP Group Lookup Success event that fetches user group memberships.

Figure 4: Success Message for EAP-TTLS Authentication by IdP Success Message for EAP-TTLS Authentication by IdP

EAP-TTLS Authentication with Azure AD and ROPC

EAP-TTLS leverages Resource Owner Password Credentials (ROPC) OAuth flow with Azure AD to authenticate users and retrieve user group information. You must consider several factors when you use a legacy authentication such as ROPC flow, which verifies only username and password and skips multifactor authentication (MFA).

  • You must configure the client devices with the correct wireless profile, either by using mobile device management (MDM) or a Group Policy Object (GPO). If you provide only username and password at the login prompt, legacy authentication fails to work for some operating systems.
  • The username that a user enters must be in the User Principal Name (UPN) format (username@domain).
  • You must configure clients to trust the server certificate.
  • Users must log in at least once to the Azure portal before attempting access using ROPC authentication. This step is important to test user accounts.
  • The Azure portal must store user passwords either in full cloud accounts, or in a local AD where password synchronization is enabled with Azure AD Connect. Federated Authentication users are not supported.
  • You must disable MFA for users who select ROPC authentication. One way to achieve MFA bypass for EAP-TTLS is to mark Mist Access Assurance Source IP addresses as trusted locations using following procedure:
    1. In the Microsoft Entra portal, go to Protection > Conditional Access > Named locations and select New location.
    2. In the New location (IP ranges), enter the details.
      Figure 5: Bypass MFA for Sign in from a Trusted IP Address Range Bypass MFA for Sign in from a Trusted IP Address Range
    3. Enter a name for the location.
    4. Select Mark as trusted location.
    5. Enter the IP range for Juniper Mist Access Assurance IP addresses.
    6. Click Create.
    7. In the Conditional Access MFA policy, refer the trusted IP sources as exclusion criteria.
      Figure 6: Exclude Named Location from Access Policy Exclude Named Location from Access Policy

See Also