Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configure Authentication Policy Labels

A network access control policy is a set of rules and guidelines for providing secure access to the devices that attempt to connect to a network. A policy consists of certain criteria that devices and users must fulfill to get access to the network and use network resources.

You can configure Juniper Mist Access Assurance with an authentication policy to enable Juniper Mist-managed devices to connect the clients to the network or applications.

Juniper Mist leverages "Labels" as policy matching criteria and the uses labels apply the relevant policy actions that specify permission. That is, when you create authentication policies, you can use the labels as:

  • Match criteria: A set of match criteria that must be satisfied to apply the policy rule.
  • Policy permit action: A set of actions to apply in case of a match—such as applying additional attributes (VLAN, role, and group-based policy tag).

Create Labels

You can create labels on the following pages:

  • Authentication Policies
  • Authentication Policy Labels

To create labels in the Authentication Policy Labels page:

  1. On the Juniper Mist portal, from the left menu, select Organization > Access > Auth Policy Labels.

    A list of existing labels, if any, appears.

  2. On the Auth Policy Labels, click Add Labels and enter the following details:
    • Label Name—Enter a unique name for the label. You can use up to 32 characters including alphanumeric characters and one or more of the special characters.
    • Label Type—Specify the label type. See the information in Table 1 to select the label type.
    Table 1: Parameters for New Label

    Label Type


    Role in Authentication Policy Rule

    AAA Attribute

    A group of user attributes that works as the match criteria and helps determine the policy action that specifies permission.


    • Role
    • VLAN
    • Realm
    • User Name
    • GBP Tag
    • Session Timeout
    • Custom Vendor Specific Attribute
    • Custom Standard RADIUS Attribute
    • Dynamic Wired Port Configuration

    Match criteria and policy permit action

    Certificate Attribute A group of user or device certificate fields used during authentication.


    • Common Name (CN)
    • Subject
    • Serial Number
    • Issuer
    • Subject Alternative Name (SAN)

    Match criteria

    Client List

    A list of MAC addresses or MAC Organizationally Unique Identifiers (OUIs) identified by wildcard values. Examples: 1122AA33BB44 or 11-22-AA-33-BB-44 or 11-22-AA*

    For devices that don't support 802.1X, you can use Client Lists to allow approved devices access the network.

    Match criteria


    SSID name used during user or device authentication, based on the incoming called station identifier attribute. You can combine multiple SSIDs in one label using comma-separated values.

    Match criteria

    Directory Attribute User group membership. The identity provider (IdP) provides user group information during user or device authorization.

    Match criteria

  3. Click Create to save your settings for the new label.
    The labels you create in this task become available for you to select as match condition or policy permit action when you create authentication policies.