Marvis

WAN Edge Negotiation Incomplete Marvis Action

This Marvis Action in the WAN Edge category detects autonegotiation failures on WAN Edge ports. These issues are reported when a duplex mismatch occurs between devices because autonegotiation fails to set the correct duplex mode. To view the details about the affected port, click the WAN Edge Negotiation Incomplete action under the WAN Edge category. You can check the configuration on the port and the connected device to resolve the issue.


Wired Assurance

Automatic upgrade of linecard members in a Virtual Chassis

Juniper Mist automatically upgrades a Virtual Chassis linecard member if it is running a Junos version different from that of the primary member. The linecard member will be upgraded to the same version as the primary member if the following conditions are met:

  • The switch must form a Virtual Chassis with three or more members—that is, a primary, a backup, and a linecard member.

  • The Junos version on the linecard member is different from that on the primary member.

  • The linecard member must be in Inactive state.
    Note that a linecard member will be upgraded only if it is inactive and running a clearly different Junos version. Minor differences, such as different spin numbers, will not trigger an upgrade.

  • Only the Junos versions listed on the Mist portal are available for upgrade.

You can see the upgrade events in the Switch Events section on the switch Insights page.


Support for QFX5130-48C and QFX5130-48CM switches

Juniper Mist Wired Assurance now supports the QFX5130-48C and QFX5130-48CM switches that run Junos OS version 23.4R2-S5 or later. Wired Assurance simplifies all aspects of switch management, including device onboarding, configuration at scale, and monitoring and troubleshooting. With Wired Assurance, you get real-time visibility into the health and performance of your wired network. You can see how your switches are doing, check service level expectation (SLE) metrics, and get insights into end-user experiences, among other things.


For more information, refer to Juniper Mist Wired Assurance Overview.

Support for firewall filters and ACLs in Mist cloud

To ensure more granular control over network access, you can now set up access control lists (ACLs) for your Juniper Mist-managed switches, based on filter IDs defined on the RADIUS server. The firewall filters are configured in the form of policy labels and applied to switch policy rules. These labels are used to categorize and classify users (as sources) and resources (as destinations). In the source labels, you can include the Juniper-Switching-Filter attribute, a vendor-specific attribute (VSA) defined in the Juniper dictionary on the RADIUS server. Once created, these labels can be referenced in the switch policies to specify which users are allowed to access specific resources within the network. You can define the labels at the organization, site, or switch level. For more information, refer to RADIUS-Based Firewall Filters (BETA).


View the authentication status and method for a wired client

You can now view the following authentication information for a wired client:

  • Authentication status—The status could be one of the following: Authenticated, Denied, Authenticating, and Held.

  • Authentication method—Available methods are Dot1x, MAC Radius, CWA Authentication, Guest VLAN, Server-Fail, Server-Reject, Server-Fail Permit, Server-Fail Use Cache, and Fail.

To view this information for a client, navigate to the Front Panel section on the switch details page (Switches > Switch Name) and hover over the switch port to which the client is connected. You will find this information in the port list view as well.


You can also see this information on the list of wired clients (Clients > Wired Clients).


For clients that are denied access or are in a held state, a clickable button appears on the top left of the switch details page. You can click it to find more information about the status.


For more information, refer to 802.1X Features Overview and interface (802.1X).

WAN Assurance

Bandwidth Headroom SLE classifier for SSR

We have added the Bandwidth Headroom classifier to the WAN Edge Bandwidth SLE for SSR devices. This classifier is activated when bandwidth usage surpasses the SLE threshold. It indicates the percentage of time the gateway bandwidth SLE was not met due to exceeding the headroom threshold. The headroom is an estimated baseline of available WAN bandwidth, based on the highest usage over the past 14 days. The classifier triggers when current usage exceeds this baseline.


Juniper Mist now detects low MTU configurations on Cellular Edge WAN links. MTU (maximum transmission unit) refers to the largest data unit that can be forwarded through an interface without fragmentation. On a Cellular Edge WAN interface, an MTU of 1300 bytes or lower is considered low. When such a configuration is detected, Mist generates a Cellular Edge Event and displays it on the Cellular Edge Insights page. This feature helps you identify and prevent potential packet fragmentation along the WAN path.


Security

Juniper Mist achieves ISO/IEC 27017, ISO/IEC 27018 certifications and IRAP assessment at the PROTECTED level

We are excited to announce that Juniper Mist has successfully achieved compliance with ISO/IEC 27017 and ISO/IEC 27018 (scope extension to ISO/IEC 27001) international standards for cloud security and protection of personal data in cloud environments. Additionally, Juniper Mist has completed an IRAP (Information Security Registered Assessors Program) assessment at the PROTECTED level, demonstrating our commitment to meeting stringent Australian government security requirements.

These certifications demonstrate our ongoing commitment to implementing and maintaining robust security and privacy controls that safeguard our customers’ data in the cloud.

If you would like to request a copy of the certification reports or the IRAP assessment summary, please contact your Juniper account representative. Documentation can be shared under a non-disclosure agreement (NDA).

PCI DSS 4.0 compliance

Juniper Mist now generates PCI reports based on the PCI DSS 4.0, the latest version of the Payment Card Industry Data Security Standard (PCI DSS). This version emphasizes continuous security and introduces a more customized, risk-based approach to compliance.

PCI DSS is a common standard created to protect against credit card and payment data fraud in the retail space and other industries, like banking, where online payments are made. PCI DSS 4.0 went into effect for assessments in March 2022. You can generate the PCI report from the Site > Wireless > Security page. The PCI reports based on PCI DSS 4.0 primarily cover the following areas:

  • AP inventory for all sites where a VLAN is specified.

  • Password policy enforcement, including:

    • Minimum password length requirement: 12 or 8 characters

    • Alphanumeric requirement for passwords

    • Session timeout setting of 15 minutes

Upcoming Changes

Enhancements to Network Admin user role

We are excited to share a few upcoming enhancements to the Network Admin roles in Mist. These updates are designed to improve the user experience and streamline operations and will be available in the upcoming feature release. They will not impose any limitations on existing functionality; instead, they optionally grant additional privileges to enhance administrative capabilities. 

What is changing? 

  • We are introducing a new user role called Org Admin, which will have write access to all components within the Mist dashboard (both GUI and API) except for administrative functions such as: 

    • Creating or managing other admin users 

    • Modifying login and authentication settings 

The existing org-scope Network Admins become Org Admins.


Org Admin will have read and write access to the following pages on the Organization menu:

image-20250530-150009.png
  • Updates to the Network Admin role (Site, Site Group, or All Sites): 

    • The Network Admin role will have an option to enable:

      • Write-access to site configuration pages within their respective scope via the Mist portal. 

      • Read-only access to organization-level templates.

    • No change to the existing site or site group Network Admins; a Super User can optionally grant the enhanced privileges.

    • Newly created Network Admin users default to having the additional privileges listed above. A Super User can optionally remove the additional privileges if needed.


Network Admins will have read and write permissions to site configuration, and read permissions to other pages on the Organization menu.

  • The existing Network Admin (All Sites) users will appear as Org Admin in the Mist Portal. They will have access to view and modify organization-level templates as well as organization and site settings. This will bring uniformity in API and UI privileges.

API mappings for Network Admin and Org Admin users

| Role | Mapping for newly created users (Default: read access to select org level configurations is allowed) | Mapping for existing users (or if read access to select org level configurations is unchecked) |
| --- | --- | --- |
| Network Admin (Site) | { "scope": "site", "role": "write", "view": "org_network_admin" }, { "scope": "org", "role": "read", "view": "org_network_admin" } | { "scope": "site", "role": "write" } |
| Network Admin (Site Group) | { "scope": "sitegroup", "role": "write", "view": "org_network_admin" }, { "scope": "org", "role": "read", "view": "org_network_admin" } | { "scope": "sitegroup", "role": "write" } |
| Network Admin (All Sites) | { "scope": "orgsites", "role": "write", "view": "org_network_admin" }, { "scope": "org", "role": "read", "view": "org_network_admin" } | { "scope": "orgsites", "role": "write" } |
| Org Admin | { "scope": "org", "role": "write", "view": "org_admin" } | - |
| MSP Org Admin | { "scope": "msp", "role": "write", "view": "org_admin" } | - |

Feature Deprecation

Unpaginated API responses to be deprecated

Currently, the following API requests return an unpaginated, full list of inventory devices.

  • GET /api/v1/orgs/:org_id/inventory

  • GET /api/v1/sites/:site_id/stats/devices

Starting in early 2026, these API requests will return paginated responses to limit the size of the response. By default, the API response will contain the first 100 entries in the list. You can modify the number of entries in the response (range: 1 to 1000) by using the query parameter 'limit'.

If you currently query these APIs directly and have more than 100 devices in your organization inventory, we recommend that you update your scripts to handle the paginated responses.

For more information, see Pagination.
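One way to update an inventory script for the paginated responses, as an added example that is not Juniper's code: it shows how a single request silently stops at 100 devices, which matters when the list feeds an asset or compliance audit, and how a page-walking loop recovers the full set. Assumptions: a `page` query parameter alongside the documented `limit`, a `mac` field on each device, and a hypothetical `fetch_page` callable that performs the GET; the in-memory device list is constructed.

```python
from typing import Callable, Dict, Iterator, List

MAX_LIMIT = 1000  # upper bound of the 'limit' range stated in the notice


def iter_devices(fetch_page: Callable[[Dict[str, int]], List[dict]],
                 limit: int = 100, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every device by requesting pages until a short page comes back.

    fetch_page(params) is a hypothetical callable: it sends the GET with the
    given query parameters and returns the decoded JSON list.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    seen = set()
    for page in range(1, max_pages + 1):
        # 'page' is an assumed parameter name; 'limit' is from the notice.
        batch = fetch_page({"limit": limit, "page": page})
        for dev in batch:
            key = dev.get("mac")  # assumed unique device identifier
            if key is not None and key in seen:
                continue  # inventory shifted between requests; skip repeat
            seen.add(key)
            yield dev
        if len(batch) < limit:  # short or empty page: nothing further
            return
    raise RuntimeError("page cap reached; inventory may be incomplete")


# Constructed sample data: 250 fake devices behind an in-memory stand-in
# for the API, so the example runs offline.
SAMPLE = [{"mac": f"{i:012x}", "type": "switch"} for i in range(250)]


def fake_fetch(params: Dict[str, int]) -> List[dict]:
    start = (params["page"] - 1) * params["limit"]
    return SAMPLE[start:start + params["limit"]]


def naive_count() -> int:
    # A script that ignores pagination: one request at the default limit.
    return len(fake_fetch({"limit": 100, "page": 1}))


def full_count(limit: int = 100) -> int:
    return sum(1 for _ in iter_devices(fake_fetch, limit))
```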

Webhook topic asset-raw deprecated

We have deprecated the webhook topic asset-raw. This topic has now been replaced with a new topic named asset-raw-rssi. See the Webhooks section in https://api.mist.com/api/v1/docs/Site#webhooks.