Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Guest Access Using RADIUS Server with MAC Authentication Bypass

SUMMARY Enable this option if you want to leverage RADIUS-based portals for guest access.

First get familiar with the flow of guest access using RADIUS server with MAC Authentication Bypass (MAB). Then configure your WLAN. Finally, do additional RADIUS configuration for authentication policies and authorization profiles.

Flow of Guest Access Using RADIUS Server with MAC Authentication Bypass

  1. A WLAN is created in Juniper Mist with MAB being performed using RADIUS Lookup.

  2. When a client associates to this WLAN, its MAC address is sent to the RADIUS server using an ACCESS_REQUEST.

  3. The server looks for the MAC address in its database.

    • If the client is not found in the database, sends back an ACCESS_ACCEPT with a redirection URL to the Juniper Mist AP, and the flow continues with Step 4.

    • If the client is found in the database, the flow goes to Step 10.

  4. The client is provided with limited access to the network which includes access to the BOOTP, DNS, and RADIUS server.

  5. After the client receives an IP, the AP opens a web socket and listens to any HTTP traffic initiated from the client.

  6. Traffic is intercepted and is responded with the redirect URL that was sent by RADIUS server.

  7. The client is redirected to the specified URL. Based on your configured policy, it might be a sponsored portal, a self-registration portal, or a hotspot portal.

  8. After the client provides the necessary info, the client’s MAC address is installed in the database and a CoA (Change of Authorization) request is issued to reauthorize the client.

  9. Upon receiving the CoA request, the AP acknowledges the request and sends back the same ACCESS_REQUEST as in step 2.

  10. The client is available in the RADIUS server database and is provided with an ACCESS-ACCEPT without any restrictions of URL-Redirect and the client has network connectivity based on your configured policies.

WLAN Configuration

Create or edit a WLAN, enable MAB, and add your RADIUS server.
  1. Create or navigate to the WLAN that you want to set up with Guest Access using RADIUS Server with MAC Authentication Bypass.
    • For a template-based WLAN, navigate to Organization > WLAN Templates, click the template (or create a template), and then click the WLAN (or add a WLAN).

    • To select a site-specific WLAN, navigate to Site > WLANs, and then click the WLAN (or add a WLAN).

    For more information, see Configure a WLAN Template.

  2. In the Security section of the Create/Edit WLAN window, select MAC address authentication by RADIUS lookup and Guest Access with Mac Authentication Bypass.
    MAB Options in the Security Section of the WLAN Settings
  3. (Optional) Use the Allowed Subnets and Allowed Hostnames fields to specify resources that guests can access in the redirect state.
    If these fields are left blank, the RADIUS server is the only IP address that guests can access.
  4. Add your RADIUS server, as described in Enable WPA2/WPA3 Enterprise (802.1X) Security on a WLAN.
Complete the additional RADIUS configuration tasks below.

RADIUS Configuration

Configure RADIUS policies and profiles to support the authentication flow.

  1. Authentication Policy—Configure an authentication policy to “continue” if the user is not found in the database. This allows the client to get an IP and be placed in the redirect state.

    RADIUS Authentication Policy
  2. Authorization Policies: Configure two policies that will be hit during the process of the guest access flow.

    Authorization Policies

    • The first policy is Wifi_Redirect_to_Guest_Login, which applies when the RADIUS server receives the request. This policy provides partial access to the client. (See Steps 2-3 of the flow.)

    • The second policy is Wifi_Guest_Access, which applies upon successful completion of the CoA request. This policy provides the client with full access. (See Steps 9-10 of the flow.)

  3. Authorization Profile: Configure a RADIUS authorization policy as shown in the example below. This policy provides the redirect URL for Steps 6-7 of the flow.

    RADIUS Authorization Profile