Configure Certificate-Based (EAP-TLS) Authentication

When you set up a wireless or wired connection, an important step is to configure secure network access. With Juniper Mist Access Assurance, you can set up an authentication method using 802.1X.

Extensible Authentication Protocol–Transport Layer Security (EAP-TLS), one of the protocols that support 802.1X authentication, verifies both client and server certificates at each point of the communication path. This authentication method uses trusted digital certificates to validate users and provide seamless network access.

In the following tasks, you configure certificate-based EAP-TLS authentication on the Juniper Mist cloud portal. With this configuration, you can provide access to all clients that present trusted certificates in a wireless or wired network.

Prerequisites

  • You must obtain digital certificates (X.509 certificates), either from certificate authorities (CAs), which are trusted third parties, or by generating them internally.

  • You must configure the client device as a supplicant that a RADIUS server can authenticate using 802.1X. You typically configure clients by using mobile device management (MDM) or group policies in production deployments.

  • Your network must have Juniper® Series of High-Performance Access Points to perform wireless client authentication.

  • Configure the public or private enterprise TLS-server certificate that the cloud RADIUS server will use.

  • Get familiar with the following procedures:

Configure Certificate-Based (EAP-TLS) Authentication for Wireless Network

To set up certificate-based authentication in a wireless network using the Juniper Mist portal:

  1. Import a trusted root certificate authority (CA). Juniper Mist uses the CA-generated certificate as a server certificate.
    1. From the left menu of the Juniper Mist portal, select Organization > Access > Certificates.
      The Certificates page appears, displaying the list of already added certificates (if any).
    2. Click Add Certificate Authority to import your certificate. If you've configured your public key infrastructure (PKI), import your root and intermediate CAs. See Use Digital Certificates.
      Once you import a CA, an authenticating server trusts any client certificate issued by this CA.
      Similarly, a client device validates a server certificate by verifying whether it is signed by a trusted CA that you've added.
  2. Create authentication policies.

    Without any authentication policies, the servers reject all attempts by clients to connect to the network. To allow connections from valid clients, you need to add appropriate rules to set up the authentication policies.

    1. From the left menu of the Juniper Mist portal, select Organization > Access > Auth Policies to create a new rule that grants access to clients with valid certificates.
    2. Define an authentication policy with the following details. Select the required option for each field from the respective drop-down lists. The following list shows sample inputs.
      1. Name—Enter a name for the policy.
      2. Match Criteria—Select EAP-TLS.
      3. Policy—Select Allowed.
      4. Assigned Policies—Select Network Access Allowed.
  3. Configure the SSID.

    Wireless LANs (WLANs) are modular elements and each WLAN contains the configuration for a given service set identifier (SSID).

    1. From the left menu of the Juniper Mist portal, select Organization > Wireless > WLAN Templates.

      On the WLAN Templates page, either click an existing template to open its configuration page or click Create Template in the upper-right corner of the page to create a template.

    2. On the WLAN Templates page, click Add WLAN.
    3. Give the SSID a name. Typically, this name is the same as the WLAN name.
    4. Select an option for each of the following fields:
      • Security Type—Select Enterprise (802.1X). Additionally, select either WPA2 or WPA3.
      • Authentication Server—Select Mist Auth.
      • VLAN—Specify the type of VLAN the AP will use in the switch connection.
      Now the SSID configuration is complete.
    5. Click Create.
  4. On the WLAN Templates page, under Applies To, select either Entire Org or Site/Site Groups.

The following videos show how to configure certificate-based (EAP-TLS) authentication for wireless networks.

Now your network is ready to securely authenticate clients by using EAP-TLS. The Juniper Mist cloud verifies the client certificates and grants access and authorization based on the authentication policy configuration.
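The two checks described above, the server trusting any client certificate issued by an imported CA and the client validating the server certificate against the same trusted CAs, are the mutual TLS verification that runs inside the EAP-TLS tunnel. The following Go program is an added example, not part of this Juniper documentation and not Juniper Mist code: it builds a throwaway PKI in memory, treats one CA as the "imported" one, and runs a mutual TLS handshake over an in-memory pipe (plain TLS rather than EAP framing) once with a client certificate from the imported CA and once with a certificate from a CA that was never imported. All names in it (Corp Root CA, radius.example.test, laptop-0042.corp.example) are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for cn: a self-signed CA when parent is nil, otherwise
// a leaf signed by parent that is valid for both client and server authentication.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildLab creates the constructed PKI for this demo (every name is a placeholder). trusted stands
// in for the CAs imported under Organization > Access > Certificates; server and good are issued by
// that CA; rogue carries the same subject name but an issuer that was never imported.
func BuildLab() (trusted *x509.CertPool, server, good, rogue tls.Certificate) {
	corpCA, corpKey := issue("Corp Root CA (constructed)", nil, nil)
	otherCA, otherKey := issue("Unrelated CA (constructed)", nil, nil)
	pair := func(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
		c, k := issue(cn, ca, caKey)
		return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
	}
	trusted = x509.NewCertPool()
	trusted.AddCert(corpCA) // only the enterprise CA is "imported"
	server = pair("radius.example.test", corpCA, corpKey)
	good = pair("laptop-0042.corp.example", corpCA, corpKey)
	rogue = pair("laptop-0042.corp.example", otherCA, otherKey)
	return trusted, server, good, rogue
}

// Authenticate runs one mutual TLS handshake over an in-memory pipe, the check the TLS tunnel
// inside EAP-TLS performs: the RADIUS side requires a client certificate chaining to an imported
// CA, and the client validates the server certificate against the same CAs. On success it returns
// the client certificate's CN, the identity an authentication policy can then act on.
func Authenticate(trusted *x509.CertPool, serverCert, clientCert tls.Certificate) (string, error) {
	serverConn, clientConn := net.Pipe()
	deadline := time.Now().Add(3 * time.Second) // bounds the worst case if one side aborts early
	serverConn.SetDeadline(deadline)
	clientConn.SetDeadline(deadline)
	srv := tls.Server(serverConn, &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a missing or untrusted client cert fails
		ClientCAs:    trusted,
	})
	cli := tls.Client(clientConn, &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      trusted,
		ServerName:   "radius.example.test",
	})
	done := make(chan struct{})
	go func() {
		defer close(done)
		if cli.Handshake() == nil {
			cli.Read(make([]byte, 1)) // drain the server's verdict: tickets, an alert or EOF
		}
	}()
	err := srv.Handshake()
	serverConn.Close() // unblocks the client side whatever state it is in
	<-done
	if err != nil {
		return "", fmt.Errorf("access rejected: %w", err)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	trusted, server, good, rogue := BuildLab()
	for _, c := range []tls.Certificate{good, rogue} {
		id, err := Authenticate(trusted, server, c)
		fmt.Printf("identity=%q err=%v\n", id, err)
	}
}
```

The first handshake succeeds and yields the client's CN; the second fails on the server side even though the rogue certificate carries the same name, because trust comes only from the issuing CA being in the imported set, not from anything in the certificate's subject. The same reasoning is why importing a CA makes every client certificate it has issued acceptable, so the set of imported CAs should be as narrow as the deployment needs.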

You can view the associated clients on the Juniper Mist portal in:

  • Select Clients > Wired Clients to see client details.
  • Select Monitor > Service Levels > Insights to view client events.

Configure Certificate-Based (EAP-TLS) Authentication for Wired Network

To set up certificate-based authentication for a wired network by using the Juniper Mist portal:

  1. Import a trusted root certificate authority (CA). Juniper Mist uses the CA-generated certificate as a server certificate. See Use Digital Certificates for details.
  2. Create authentication policies.
    1. From the left menu of the Juniper Mist portal, select Organization > Access > Auth Policies.
      Create a new rule to allow access to clients with valid certificates. See Configure Authentication Policy.
      Define an authentication policy with the following details. Select the required option for each field from the respective drop-down lists.
      1. Name—Enter a name for the policy.
      2. Match Criteria—Select EAP-TLS.
      3. Policy—Select Allowed.
      4. Assigned Policies—Select Network Access Allowed.
  3. Configure the switch.
    1. From the left menu of the Juniper Mist portal, select Organization > Wired > Switch Templates.

      On the Switch Templates page, either click an existing template to open its configuration page or click Create Template in the upper-right corner of the page to create a template.

    2. In the Authentication Servers section, select Mist Auth as the authentication server.
    3. Scroll down to the Port Profile section and configure the following:
      • In the Mode field, select Access.
      • Enable the Use dot1x authentication option.
    4. Assign the port profile to each port of the switch where the connected wired clients require network access.

      In the Select Switches Configuration section on the Port Config tab, click Add Port Range to associate a port profile with a port.

      Figure 1: Assign Port Profile to Port Ranges on a Switch
    5. Click Save.

For the procedure for using certificate attributes in an authentication policy, watch the following video:

Now your network can use EAP-TLS to securely authenticate clients. The Juniper Mist cloud verifies the client certificates and grants access and authorization based on the authentication policy configuration.

You can view the associated clients on the Juniper Mist portal.

  • Select Clients > Wired Clients to see client details.
  • Select Monitor > Service Levels > Insights to view client events.

Watch the following video to learn how to configure a Windows client device for EAP-TLS authentication for test or lab usage:

Watch the following video to learn how to configure an Android client device for EAP-TLS authentication for test or lab usage: