Juniper Mist on US GovCloud addresses specific regulatory and compliance requirements of US government agencies at the federal, state, and local level; contractors; educational institutions; and other US customers that run sensitive workloads in the cloud. Currently, this environment is “In-process” on the FedRAMP marketplace for Impact level “Moderate”.
This page lists the Juniper Mist updates released on US GovCloud on September 20th, 2024.
We have added the following two columns to the switch list invoked by Marvis query:
To view these columns, run a Marvis query to list the switches by using the Ask a Question feature on the Marvis > Marvis Actions page, as shown below.
We have introduced OAuth 2.0 support for webhook authentication.
If you enable OAuth 2.0, the Mist cloud will act as the OAuth 2.0 client and will authenticate against an authorization server to get a token. The token will then be added to the Webhook Authorization Headers.
Mist supports the following two ways (Grant Types) of requesting access tokens from the customer system:
You can configure webhooks at the organization level (from the Organization > Settings page) or site level (from the Organization > Site Configuration page).
We have made the following enhancements to the autoprovisioning rules on the Organization > Settings page:
You can now subscribe to the client latency webhook to receive DHCP, DNS, and authentication latency information for the client devices at the site level. If you subscribe to this webhook, you will receive the site average, minimum, and maximum latency data in milliseconds for a 10-minute window at 10-minute intervals. To be able to use the Client Latency webhook, you need an active Marvis subscription. To configure the client latency webhook, select the Latency webhook topic on the Add Webhook window on the site configuration page (Organization > Site Configuration).
Here is a sample of the client-latency message. Values are in milliseconds.
{
  "topic": "client-latency",
  "events": [
    {
      "avg_auth": 337.46013,
      "avg_dhcp": 34.611873,
      "avg_dns": 37.067875,
      "max_auth": 1049.9762,
      "max_dhcp": 34.611873,
      "max_dns": 49.85943,
      "min_auth": 99.93066,
      "min_dhcp": 34.611873,
      "min_dns": 23.643397,
      "org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
      "site_id": "978c48e6-6ef6-11e6-8bbf-02e208b2d34f",
      "timestamp": 1722517800
    }
  ]
}
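On the receiving side, a webhook consumer should validate a client-latency body before acting on it. The following is an added example, not Juniper code: it checks the structure of the sample message above and flags metrics whose maximum exceeds a limit. The function names and the LIMITS_MS thresholds are assumptions chosen for illustration, not Mist defaults.

```python
import json
import math

KINDS = ("auth", "dhcp", "dns")  # metric suffixes used in the sample message
# Hypothetical alert thresholds in milliseconds (assumption, not Mist defaults).
LIMITS_MS = {"auth": 1000.0, "dhcp": 500.0, "dns": 200.0}

# The sample client-latency message from this page, embedded for offline use.
SAMPLE = """{"topic": "client-latency", "events": [{
  "avg_auth": 337.46013, "avg_dhcp": 34.611873, "avg_dns": 37.067875,
  "max_auth": 1049.9762, "max_dhcp": 34.611873, "max_dns": 49.85943,
  "min_auth": 99.93066, "min_dhcp": 34.611873, "min_dns": 23.643397,
  "org_id": "9777c1a0-6ef6-11e6-8bbf-02e208b2d34f",
  "site_id": "978c48e6-6ef6-11e6-8bbf-02e208b2d34f",
  "timestamp": 1722517800}]}"""


def parse_client_latency(raw):
    """Validate a client-latency webhook body and return its list of events."""
    msg = json.loads(raw)
    if not isinstance(msg, dict) or msg.get("topic") != "client-latency":
        raise ValueError("not a client-latency message")
    events = msg.get("events")
    if not isinstance(events, list):
        raise ValueError("events must be a list")
    for ev in events:
        if not isinstance(ev, dict):
            raise ValueError("event must be an object")
        for kind in KINDS:
            lo, avg, hi = (ev.get(f"{p}_{kind}") for p in ("min", "avg", "max"))
            for v in (lo, avg, hi):
                # json.loads accepts NaN/Infinity, so reject non-finite values too.
                if (isinstance(v, bool) or not isinstance(v, (int, float))
                        or not math.isfinite(v) or v < 0):
                    raise ValueError(f"bad {kind} latency value: {v!r}")
            if not lo <= avg <= hi:
                raise ValueError(f"inconsistent {kind} latency: min/avg/max")
    return events


def latency_alerts(events, limits=LIMITS_MS):
    """Return (site_id, kind, max_ms) for each metric whose maximum exceeds its limit."""
    return [(ev.get("site_id"), kind, ev[f"max_{kind}"])
            for ev in events for kind in KINDS
            if ev[f"max_{kind}"] > limits[kind]]
```

Call parse_client_latency on the request body only after the request's Authorization header has been verified, then pass the result to latency_alerts.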
You can now generate user API tokens from the Mist UI, in addition to the org API tokens which have been in the UI for several years. User API tokens contain authentication information and are bound to the specific user. Each token inherits the permission set of the user account. API tokens are used for API-based access to the Mist platform. You can generate and manage API tokens tied to your account from the My Account page, accessed from the user profile icon. User API tokens are not supported for SSO users. Instead, you will need to use a service account or org API tokens.
To create an API token from the Mist portal:
Radio Resource Management (RRM) now assigns both preferred scanning channels (PSCs) and non-PSCs to 6 GHz radio bands. Previously, RRM assigned only PSCs in the 6 GHz bands unless the customer manually enabled all channels. The channel assignment logic in 6 GHz bands for different channel widths is as follows:
Through lab testing and extensive deployment verification, we have determined that clients generally discover non-PSCs effectively via out-of-band mechanisms such as reduced neighbor reports or 11k neighbor reports. For this reason, we are happy to amend our guidance around the use of 6 GHz non-PSCs. This should come as welcome news to Europe and areas with 500 MHz of 6 GHz spectrum.
Mist sends a reauthentication URL to users when the pre-shared key (PSK) to access their wireless network is about to expire. This URL helps users re-authenticate themselves and generate a new passphrase. You can now override this default URL with a custom URL, typically an SSO URL. You can enter the custom URL in the ‘Key Expiration Renew URL’ field on the PSK Parameters tab of the Add/Edit PSK Portal page (Organization > Client Onboarding > Add/Edit PSK Portal). If you configure a custom URL, Mist will include it in the notification email to let the end user know where to renew their PSK. The Key Expiration Renew URL field is displayed only if you select the Send Reminders option.
Here is a sample notification email:
We have improved the access point (AP) label creation workflow by adding an option to multi-select APs to be included in the label. This option is available on the AP label creation page at the organization level (Organization > Labels > Add Label) and site level (Site > Labels > Add Label). To select APs to be included in the label, click the + icon. The AP selection list at the site and organization levels includes a search filter which allows you to filter APs by MAC address or AP name. At the organization level, the AP selection list additionally includes an option to search for APs by specific sites or across the entire organization.
The multi-select option is also available on the New WLAN (Site > WLANs > Add WLAN) and AP details (Access Points > Access Point Name) pages where you select specific APs.
If you don’t want the guest portal users with sponsored guest access to see the email addresses of the predefined sponsors, you can configure the guest portal to hide those email addresses. To hide the sponsor email addresses, select the Hide Sponsor Emails check box on the Authorization tab of the Guest Portal Options page, accessed from the WLAN configuration page.
Mist Edges now support configuration of IPv6 addresses. On the Mist Edge configuration page, you can configure IPv6 addresses in the following sections:
On the Mist Edge Clusters Page, you can configure IPv6 addresses in the existing fields for:
The IPv6 support is also available for Mist Tunnels on the site configuration page (Organization > Site Configuration).
You can also view the IPv6 addresses on the Insights, Alerts, Marvis Query pages for:
The following image shows the Mist Edge configuration page with options to configure IPv6 addresses:
Mist Edges now provide an option to enter device-specific notes. You can use the notes to capture any additional information about the device.
The Mist Edge Inventory page now displays a firmware upgrade recommendation message for the Mist Edges that are running outdated firmware versions. The message that reads ‘Firmware Upgrade Recommended’ is displayed in the Status column of the Mist Edge Inventory page if a new Tunterm service version is available for upgrade. You can see the same status message on the Mist Edge details page as well.
The Mist campus fabric architecture supports configuration of IPv6 addresses for the following switch configuration elements:
Configuration elements like Networks have dedicated fields for IPv6 address configuration, as shown below.
Configuration elements like VRF support IPv6 addresses and IPv4 addresses in the existing IP address field. If you want to configure both IPv4 and IPv6 for such elements, you can save them one after the other.
You can now delete the following system-defined port profiles for switches: ap, iot, and uplink.
The delete function is available at the switch template level. You cannot delete the following system-defined port profiles: default and disabled. If you delete the ap, iot, or uplink profile that is used in an existing configuration, that profile will be replaced by the default profile.
To delete a system-defined port profile, open it from the Port Profiles tile in the Switch Template and then click the delete icon.
Juniper Mist provides an option to physically locate a standalone switch or a Virtual Chassis (VC) member switch. To locate a switch, click the Locate option on the switch dashboard. As a result, the LED on the selected switch blinks for a specified duration. In a Virtual Chassis, you can locate the primary, backup, or linecard members. Only one member can be located at a time. The following image shows the Locate option on a Virtual Chassis dashboard.
In a switch port profile that uses dot1x authentication, you can configure a timer that controls how often a client reauthenticates itself with the RADIUS server. The recommended value is 6 to 12 hours (21600 to 43200 seconds). The default value is 65000 seconds.
Mist provides an option to turn off remote shell access to the switches and gateway devices in an organization. This setting is available at the organization level. To turn off remote shell access, navigate to the Switch Management tile on the Organization > Settings page and then select Disable Remote Shell Access.
From a switch port profile, you can enable Rapid Spanning Tree Protocol (RSTP) edge on ports where clients that do not participate in RSTP are connected. An example of such clients could be a PC or a VoIP phone which is not supposed to send BPDUs. These ports are blocked by RSTP if they receive a BPDU from the end client. You should not enable RSTP Edge on the Uplink port. The RSTP edge replaces the base Spanning Tree Protocol (STP) edge in Mist. Mist supports the following RSTP link types at the organization and site template levels:
The port list on the switch dashboard displays the following additional columns to show information about the transceivers connected to the ports.
For troubleshooting purposes, you can download configuration logs from a switch via remote shell. To do this, use the download button provided at the upper right of the remote shell screen.
You can onboard, configure, and manage the SRX4300 firewall as a WAN Edge on the Juniper Mist portal. To onboard this device to Mist, use the Adopt WAN Edges workflow on the Inventory page (Organization > Inventory > WAN Edges). Once onboarded, the SRX Series device will be listed on the WAN Edges Inventory page and on the WAN Edges page (WAN Edges > WAN Edges).
Note that SRX4300, SRX1600, and SRX2300 devices must run Junos OS version 24.2R1.17 for Mist support.
In the image below, you can find the SRX4300 device listed on the WAN Edges inventory page.
Gateway Bandwidth SLE tracks the user minutes during which the gateway device bandwidth met or failed to meet a derived threshold. When the Gateway Bandwidth threshold is not met, Juniper Mist sorts the issues into the following classifiers:
We have added several enhancements to Application Path Insights to improve the user experience and provide additional path failover details. The key enhancement is a path state bar that shows path state information over a timeline. On the bar, path state events are indicated by segments highlighted in different colors (for example, path up events are shown in green and path down events in red). You can hover over the highlighted portions on the path to view a summary of path state events. If you click the bar, you get an events view which provides additional insight into the path state. The Application Path Insights enhancements also include a summary view of the recent path state events on the left of the screen. Also, the Policies drop-down list now includes active policies (which have seen traffic) and inactive policies (which have not seen traffic) for the selected time range.
You can now choose to view the health SLE data only for your custom applications. For example, if you have designated your Point of Sale (POS) devices as custom applications, you might want to view Application Health for only those devices. To do so, go to Monitor > Service Levels, and click the WAN tab. Above the SLE blocks, turn on Show Custom Apps to view the bad user minute data only for your custom applications. Turn off this feature to view data for all applications.
To help troubleshoot WAN Edge devices, we have enhanced the Session testing tool with options to view the session details and to delete the sessions if required.
In the Application Policy section on the WAN Edge device page, you can now view the hit count, which indicates the number of Application Policy events for each policy rule. This feature is available for SRX Series devices in this release. For SSR devices, you will see this feature in a future release.
Mist now provides an option to run a soft bounce port test on SSR ports. A bounce port test provisionally takes the port down and then brings it back up, causing a port state change within the device. Bounce port does not cause the external physical link to change. The connected devices will not see a link state change.
For WAN Edge devices, Application Health Service Level Expectation (SLE) metric provides RTT values associated with slow applications that caused bad user minutes. The SLE also provides the number of application disconnect events. You can view the RTT values, or the application disconnect data from the WAN Assurance SLE page (Monitor > Service Levels > WAN). To view the data, follow the steps below:
In the following picture, the Application Disconnects field indicates the bad user minutes caused by application disconnect events, and the Disconnects field indicates the number of disconnect events observed during the time range displayed.
In the following image, the Slow Application value indicates the number of bad user minutes caused by slow applications, and the RTT field shows the RTT associated with the slow applications in seconds.
Mist now provides the following LTE graphs for Cellular Edge (Cradlepoint) devices:
You can view these graphs on the WAN Edge Insights page.
Mist now provides the following testing tools for the purpose of WAN Edge troubleshooting:
For a WAN Edge LAN interface, you can reserve a static DHCP address, if the interface has a DHCP server configured. Static DHCP IP address reservation involves binding a client MAC address to a static IP address from the DHCP address pool. You can also specify a maximum lease time for the DHCP addresses. Supported DHCP lease duration ranges from 3600 seconds (1 hour) to 604800 seconds (1 week).
You can create static reservations for LAN using the Add Reservation option in the Add DHCP Config window in the LAN configuration section of the WAN Edge template or the WAN Edge details page. The configuration includes a name, MAC address, and an IP address.
You can now view and revoke the DHCP lease on WAN Edge devices. The revoke option lets you release client devices from their current lease. To view the DHCP lease information, go to the Leased IPs window by clicking the hyperlinked values in the Leased IPs column in the DHCP Statistics section on the WAN Edge details page. The Leased IPs window displays the client devices (MAC Addresses or hostnames) along with the leased IP addresses and the lease expiry dates. On the Leased IP window, select a DHCP lease record and click the Revoke button to revoke the DHCP lease.
We have added a new WAN Edge port graph named Max Bandwidth. This graph provides insight into the highest point of link utilization recorded for RX and TX packets on each port during the day. The max bandwidth data is shown in bps. You can view the Max Bandwidth graph in the WAN Edge Ports section on the WAN Edge Insights page.
Mist now seeks your consent to analyze the pattern of your interaction with the Mist portal with a view to improving user experience. The organization landing page displays a request for your consent each time you log in, until you accept or decline it. You can also see this request on the account registration page and on the My Accounts page (see below).