Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configure Credentials-Based (EAP-TTLS) Authentication

Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) use username and password on the client side and server certificate on the server side to provide secure access.

The following tasks show you how to configure EAP-TTLS for wired clients. These authentication methods validate the username and password by using the credentials stored in the identity providers (IdPs).


  • You must integrate and configure an identity provider (IdP) with the Juniper Mist portal. See Add Identity Providers for Juniper Mist Access Assurance.

  • You must configure the client device as a supplicant. For this configuration, you must add the root-certificate authority (CA) certificate of the enterprise public key infrastructure (PKI) and enter the username and password in the IdP.

  • You need a Juniper Access Point to perform wireless client authentication (wireless client-specific task).

  • You must configure the public or private enterprise TLS-server certificate that the cloud RADIUS server will use.

Watch the following video to learn how to configure credential-based (EAP-TTLS ) authentication with Azure IdP Integration:

Configure Credential-Based (EAP-TTLS ) Authentication for Wired Network

To set up certificate-based authentication for a wired network using the Juniper Mist portal:

  1. Import a trusted root certificate authority (CA). Juniper Mist uses the certificate authority (CA)-generated certificate as a server certificate. See Use Digital Certificates for details.
  2. Create authentication policies.
    1. From the left menu of the Juniper Mist portal, select Organization > Access >Auth Policies.
      Create a new rule to allow access to clients with valid certificates. See Configure Authentication Policy.
      Define an authentication policy with the following details. Select the required option for each field from the respective drop-down lists.
      1. Name—Enter a name for the policy. (ex: TLS-Clients)
      2. Match Criteria—Select EAP-TTLS.
      3. Policy—Select Allowed
      4. Assigned Policies—Select Network Access Allowed.
  3. Configure the switch.
    1. From the left menu of the Juniper Mist portal, select Organization > Wired > Switch Templates.
      On the Switch Templates page, either click an existing template to open its configuration page, or click Create Template in the upper-right corner of the page to create a template.
    2. In the Authentication Servers section, select Mist Auth as the authentication server.
    3. Scroll down to the Port Profile section and configure the following settings:
      • Mode—Access
      • Enable the Use dot1x authentication option.
    4. Assign the port profile to each port of the switch where the connected wired clients require network access.

      On the Port Config tab, in the Select Switches Configuration section, , click Add Port Range to associate a port profile with a port.

      Figure 1: Assign Port Profile to Port Ranges on a Switch Assign Port Profile to Port Ranges on a Switch
    5. Click Save.

Now your network can use EAP-TTLS to securely authenticate clients.

The Auth Policy allows clients with a valid username and password to access the network.

The Juniper Mist cloud verifies the username and password against the credentials stored in the public credential provider and grants access and authorization based on the Label Configuration.

You can view the associated clients on the Juniper Mist portal.

  • Select Clients > Wired Clients to see client details
  • Select Monitor > Service Levels > Insights to view client events.