How to Configure a RADIUS Proxy Server

This chapter provides information about configuring the Remote Authentication Dial-In User Service (RADIUS) proxy server for a Juniper Mist™ Edge appliance.

RADIUS Proxy Overview

In a Juniper Mist™ network, you can use access points (APs) as the source of Remote Authentication Dial-In User Service (RADIUS) Access-Request messages. With the RADIUS proxy feature, you can use your Juniper Mist Edge appliance as the source of RADIUS Access-Request messages instead.

In a large deployment scenario such as either of the following, it is impossible to add all the APs as individual clients in the RADIUS server:

  • Installation of a large number of Juniper Mist APs

  • Service set identifiers (SSIDs) with 802.1x authentication

When you set up a RADIUS proxy, instead of adding the APs as individual clients, you add only one IP address (that of the RADIUS proxy).

The RADIUS proxy acts as a server toward the wireless AP RADIUS clients and as a client toward the RADIUS servers.

Configure a RADIUS Proxy Server

Before you can configure a RADIUS proxy server to use in your Juniper Mist network, you must:

  • Claim the Mist Edge and configure the OOBM IP and Tunnel IP.

  • Configure Mist tunnels and map them to the Mist Edge cluster.

  • Configure a WLAN with RADIUS authentication and forwarding to Mist tunnels.

The RADIUS proxy feature enables you to use a Juniper Mist Edge appliance as the source of RADIUS Access-Request messages instead of using the AP as the source. This means that you must configure the RADIUS server to allow the Juniper Mist Edge OOBM IP instead of adding individual APs as clients. Or, if you enable the tunnel IP as the source, you must configure the RADIUS server to allow the tunnel IP. These configuration options mean that you can bypass adding multiple individual APs to the RADIUS server for larger deployments.

Configure a RADIUS Server at the Organization Level

By default, a Juniper Mist Edge appliance is an Organization-level object. Juniper Mist access points (APs) from all sites can form tunnels with this object.

To configure a RADIUS server at the Organization level of the network hierarchy:

  1. In the Juniper Mist portal, navigate to Mist Edges > Mist Edge Clusters and select a cluster.
  2. In the Radius Proxy window, click the Enabled option button.
  3. Click Add server next to Radius Authentication Servers.
  4. Enter the Hostname and Shared Secret.
  5. Click the blue check mark to save settings.

    Radius Authentication and Accounting servers are in an ordered list. This means that if the first server is not reachable, the RADIUS proxy forwards the request to the next available server in the list.

  6. (Optional) Select the Enable Key Wrap check box to enable the keywrap. Select the Radius Authentication Server from the list, and enter the Key Encryption Key and Message Authenticator Code Key. This action enables additional fields of key type (select ASCII or Hex) and Key values.
  7. Repeat Step 2 through Step 6 for RADIUS Accounting Servers.
  8. (Optional) Select the Tunnel IP as Source check box, if you want RADIUS packets (and accounting) to originate with the source as Tunnel IP.
    Note: In this case, the network-access-server (NAS) client on the authentication, authorization, and accounting (AAA) server is the Tunnel IP of the Juniper Mist Edge. Otherwise, it is the out-of-band management (OOBM) IP.

  9. Click the Save button to save the RADIUS proxy settings to the Juniper Mist Edge cluster.
    You can configure the RADIUS server using the API, if you prefer. The following is the API payload.

Configure WLAN Affinity for RADIUS Servers at the Organization Level

On a wireless LAN (WLAN), you use different RADIUS servers in your deployment based on the service set identifier (SSID) name. For example, your deployment may use a public RADIUS server for an SSID named eduroam but a different RADIUS server for all the corporate SSIDs. Juniper Mist Edge enables this flexibility in its RADIUS proxy service. You can configure this service to forward RADIUS access (or accounting) requests to a specific network access control (NAC), server-based client with a unique SSID.
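
The ordered server list from the previous procedure and the SSID-based selection described above can be modeled to check a planned configuration before it is entered in the portal. This is an added example, not Juniper code or the Mist API payload; the `Server` class, all function names, the sample data, and the rule that only servers listing an SSID are eligible when Match SSID is on are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Server:  # hypothetical model of one entry in the proxy's server list
    host: str
    ssids: list = field(default_factory=list)  # consulted only when Match SSID is on

def failover_chain(servers, ssid, match_ssid):
    """Servers eligible for `ssid`, in configured order (first is preferred)."""
    if not match_ssid:
        return [s.host for s in servers]
    # Assumption: with Match SSID on, only servers listing the SSID are eligible.
    return [s.host for s in servers if ssid in s.ssids]

def pick_server(servers, ssid, match_ssid, reachable):
    """First reachable server in the chain, or None when no server can answer."""
    for host in failover_chain(servers, ssid, match_ssid):
        if host in reachable:
            return host
    return None

def radius_client_ip(oobm_ip, tunnel_ip, tunnel_ip_as_source):
    """Source address the RADIUS server must allow as its client."""
    return tunnel_ip if tunnel_ip_as_source else oobm_ip

def audit(servers, dot1x_ssids, match_ssid):
    """Flag SSIDs that have no upstream server or no failover target."""
    findings = {}
    for ssid in dot1x_ssids:
        chain = failover_chain(servers, ssid, match_ssid)
        if not chain:
            findings[ssid] = "no server"
        elif len(chain) == 1:
            findings[ssid] = "no failover"
    return findings

# Constructed sample data: hostnames, SSIDs and addresses are made up.
AUTH_SERVERS = [
    Server("radius1.corp.example", ["corp", "corp-iot"]),
    Server("radius2.corp.example", ["corp"]),
    Server("eduroam.example", ["eduroam"]),
]
SSIDS = ["corp", "corp-iot", "eduroam", "lab"]

if __name__ == "__main__":
    for ssid, issue in audit(AUTH_SERVERS, SSIDS, match_ssid=True).items():
        print(f"{ssid}: {issue}")
    print(pick_server(AUTH_SERVERS, "corp", True, {"radius2.corp.example"}))
    print(radius_client_ip("192.0.2.10", "198.51.100.10", True))
```

An SSID reported as "no server" would have its 802.1x or MAB requests left without an upstream target under this model, so it is worth resolving before enabling Match SSID.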

To configure WLAN affinity for a RADIUS server:

  1. In the Juniper Mist portal, navigate to Mist Edges.
  2. In the Mist Edges Clusters pane, select an existing cluster or create a cluster.
  3. Configure the RADIUS proxy server by following the steps in the procedure titled Configure a RADIUS Server at the Organization Level.
  4. In the Radius Proxy window, select the Match SSID check box. A new SSID drop-down menu appears for each RADIUS Authentication Server and RADIUS Accounting Server.
  5. Select one or more SSIDs for this RADIUS server by clicking Add (+) below the SSID.
    Note: The drop-down menu shows only SSIDs with 802.1x or MAB authentication. We recommend configuring unique SSID names across sites if administrators intend to use different RADIUS servers.

  6. Click the blue check mark to save the server settings.
  7. (Optional) You can repeat Step 5 and Step 6 for any additional RADIUS Authentication Server in the list.
  8. You can repeat Step 5 through Step 7 to configure WLAN affinity for RADIUS Accounting Servers.
  9. Click Save to save the RADIUS proxy settings for the cluster.
    You can configure WLAN affinity for the RADIUS server using the API, if you prefer.

    Following is the API and an example blob with the configuration. This configuration ensures that the Juniper Mist Edge receives RADIUS-related configuration information and starts the RADIUS proxy service.

Configure a RADIUS Proxy Server at the Site Level

Before you can configure a RADIUS proxy server at the site level, you must configure the Mist tunnels. If you have not configured the tunnels, do so now, before you proceed with the configuration task. Refer to Deploy Mist Edge at the Site Level.

To transition from a legacy architecture, or where sites are large enough to host a Juniper Mist Edge, you need a distributed deployment. In such instances, you can assign Juniper Mist Edge appliances to a site and configure tunneling and the RADIUS proxy service for the access points (APs) at the site.

To configure a RADIUS proxy server at the site level:
  1. In the Juniper Mist portal, navigate to Organization > Site Configuration and select a site.
    The Site Configuration window for the site appears.
  2. In the Radius Proxy window, click the Enable button to enable the RADIUS proxy server.
  3. Click Add Server.
  4. Configure the server details by entering values for Hostname, Port, and Shared Secret.
  5. (Optional) Select the Enable Key Wrap check box to enable the keywrap. Select the Radius Authentication Server from the list and enter the Key Encryption Key and Message Authenticator Code Key. This enables additional fields of key type (select ASCII or Hex) and Key values.
  6. (Optional) Select the Tunnel IP as Source check box, if you want RADIUS packets (and accounting) to originate with Tunnel IP as the source.
  7. Click the blue check mark to save your settings.
  8. Repeat Step 2 through Step 7 for RADIUS Accounting Servers.
    You can configure a RADIUS server at the site level using the API, if you prefer. The following is the API payload.

Configure WLAN Affinity for a RADIUS Server on the Site

On a wireless LAN (WLAN), you use different RADIUS servers in your deployment based on the service set identifier (SSID) name. For example, your deployment may use a public RADIUS server for an SSID named eduroam but a different RADIUS server for all the corporate SSIDs. Juniper Mist Edge enables this flexibility in its RADIUS proxy service. You can configure this service to forward RADIUS access (or accounting) requests to a specific network access control (NAC), server-based client with a unique SSID.

Furthermore, if you use a Juniper Mist Edge appliance at the site level, you can configure a RADIUS server specifically for that appliance.

To configure WLAN affinity for a RADIUS server on the site edge:

  1. In the Juniper Mist portal, navigate to Organization > Site Configuration.
  2. In the Sites page, select a site from the list.
  3. Enable Radius Proxy for the Juniper Mist Edge proxy on the WLAN.
  4. To complete the configuration, enable 802.1x/MAB authentication on the tunneled WLAN and select the Mist Edge Proxy as the RadSec server within the WLAN configuration.