Sanjoy Dey, VP Product Manager, Juniper Networks

Introducing Juniper Mist Access Assurance (NAC)

Wireless, AI & ML

Slide from the presentation at Juniper’s Tech Field Day: “NAC Today – Functional & Architectural Complexity”

Juniper introduced the first cloud-native access assurance service driven by Mist AI at Mobility Field Day 9. Discover how Juniper Mist Access Assurance combines full network access control (NAC) and policy enforcement to simplify network operations.


You’ll learn

  • Different NAC use cases

  • How to troubleshoot at scale

Who is this for?

Business Leaders, Network Professionals


Sanjoy Dey
VP Product Manager, Juniper Networks

Guest speakers

Slava Dementyev
Product Manager, Juniper Networks


0:10 Exactly about a year ago we came and talked about IoT Assurance, one of the

0:15 solutions that allows you to do cloud-scale PPSK with unmatched visibility, key lifecycle management, policy, traffic

0:22 engineering. At that time we also showed you a sneak preview of what we were building

0:28 up to, and I'm really super stoked and excited to be here to launch the

0:33 Mist Access Assurance solution. As you heard from Tom, it came about from the

0:39 WiteSand acquisition that Juniper did back in 2021, but last year we said we were going to be intentional about

0:46 integrating it the right way, do it the right way, and I'm happy to be here

0:52 saying that we have actually done it, accomplished it. I'm going to turn it over to Slava. Slava has been one of the

0:58 product champions and a lead on the product team that has carried

1:03 that vision forward up until this stage, and I'm going to be Slava's able-bodied assistant for the next 45

1:10 minutes, so take it away Slava. So I'm Slava, part of the Juniper Mist

1:15 product management team, and today we're going to talk about NAC. Before we start talking about NAC we will

1:22 actually talk about some history. What you'll see is the time chart, and we will talk about how NAC evolved over

1:29 the past almost 20 years and how, at the same time, different NAC use cases

1:34 have evolved. That's going to be important for the "how we got here" moment, basically. So if we start in

1:42 the early 2000s, back then we only had corporate access use cases, and

1:47 you see a laptop there, but it's actually not a laptop, it's supposed to be a workstation that we used to plug into

1:53 a wired port. And back in the day Cisco ACS was

1:58 the number one product. That was the AAA server that started all the way from authenticating dial-up modem users. But

2:05 then when we look at 2007 we see the iPhone introduction, and then people started to

2:11 want to get guest Wi-Fi access. At the same time we see additional products coming out from

2:18 Cisco back in the day, like NAC Guest, NAC Profiler. We see Amigopod doing the same thing to address that guest access

2:25 use case. Then we have BYOD, we have the iPad introduction; at that time

2:31 people realize that actually we can bring our personal devices to work and do the work we are doing, so the BYOD use

2:38 case. At this point we see Aruba acquires Amigopod, and then the guest

2:44 access, BYOD solution and profiling solution, and takes it over. Now 2011, this

2:51 is where there was an idea: okay, why don't we combine all these multiple

2:57 standalone solutions into one. Well, welcome to Cisco ISE in 2011, and

3:03 followed by ClearPass in 2012 doing the exact same thing, just combining Amigopod

3:08 and another AAA service. What we then see is around that same

3:15 time you see a new track: we see a very slow start of cloud-based identity

3:20 services. We see the emergence of Azure AD and Okta cloud directory

3:27 services. That's a slow start, but this is when it started. And later on we see, in

3:32 2015-ish, the explosion of IoT devices. But what we see at the top

3:40 really is a lot of upgrades, lots of features being added to the existing

3:45 products, but fundamentally, architecturally, we don't see a lot of change. So that leaves us here.

3:53 So this is where we are. If you look at the left-hand side, you see a

3:59 typical AAA server that you see today. Over time the features have been added,

4:05 all the integrations have been built on, and they're all part

4:10 of the same monolithic single-server architecture. So scripting and

4:16 feature dependencies grow, and it becomes harder and harder to maintain this within the same server. If you then look

4:23 at the right-hand side, this is a typical NAC deployment. At any scale you need to

4:29 deploy multiple server appliances or VMs that would do the heavy lifting, the

4:34 authentication. You'll need to have some clustering on top to manage the whole deployment, and today this is

4:42 actually a customer problem to solve: design for redundancy, for scale

4:47 or high availability. And if you have a global

4:52 deployment with different geo regions, you need to think about latency, you need to think about all of that,

4:58 plus what about feature upgrades, software patches, security patches?

5:04 Today that's a typical challenge and typical problem in a

5:10 NAC deployment. And with all that, today NAC solutions are

5:17 alien to the network; they're overlay solutions. Most of the time there

5:22 is nothing that exists within the network and the NAC that could merge the two worlds together.

5:28 So what do we do? We will Mistify NAC.

5:35 So we are solving all of these challenges. We are

5:41 replacing that with the Mist Access Assurance service that is an integral part of the

5:47 Mist Cloud. It's native to the Mist Cloud, it's tightly integrated into the network

5:52 and network operations, it's microservices-based, it's geo-aware,

5:58 and everything that you knew and loved about the Mist cloud is now extended to the authentication service that

6:05 we're launching today. Let's actually go and take a look at the

6:11 demo. Switch to our demo, it's

6:17 full screen now. I said it's natively integrated into the

6:23 Mist cloud, so voilà, what we have here is you see wireless,

6:29 you have wired and SD-WAN network operations. We're now adding Access

6:34 Assurance as a new service to actually have full-stack network operations. You're

6:40 adding NAC and AAA services right within that same cloud interface. Now how do we

6:50 configure it, how do we use it? One of the challenges we've seen traditionally with any existing

6:57 authentication service is the complexity associated with configuration, complexity

7:04 associated with deployment. Typically that means you need to have an expert on the team that understands all the

7:11 various vendors of RADIUS, how to integrate this with external identity sources, all of that. Now all we

7:18 are doing is we're simplifying this into an authentication policy builder that

7:25 gives you the flexibility but allows you to actually understand what you're doing,

7:31 and allows you to read what you've done if you come back to this a year from now. So what we're doing here is,

7:38 on the left-hand side we are matching on certain criteria and certain conditions, so we're trying to identify what type of

7:45 device, what type of user is trying to connect to our network. For example, let's take a look at rule number seven. We're

7:52 looking at whether it's a wireless user, if the client is using TLS or certificate-based

7:57 authentication to connect, if the certificate of that client is either issued by Juniper or another CA

8:05 that we've specified here, and that user is part of the employee group in the

8:10 identity provider. If all of these conditions match, then we move to the right-hand side and we're saying okay,

8:16 what do we want to do with them? We want to allow them on the network, great. We also want to move them to a specific

8:22 VLAN; that would be a VLAN with a name. That could also be a GBP tag if

8:29 you want to do micro-segmentation on top of that, and we can assign a role to apply a policy later on. So

8:36 everything that you see here is driven from that one screen. How do you

8:43 assign those conditions? So we have a concept of labels that you could select

8:49 from, the labels that you've already created before, or you could create a label right from here. For example, you

8:56 may want to look at a specific directory attribute, maybe you just want to look at finance users. So you could

9:04 select the label type directory attributes, that group, and just say I'm looking for

9:09 anything that matches the finance group. That's it, then you will go and select it

9:15 right from here. Easy. Now that's all great, so how do we turn

9:22 this on for, say, our wireless network? How do we turn it on for an

9:28 802.1X SSID? So if we move over to a wireless template, typically when you're

9:35 looking at configuring a dot1x SSID, you need to go to your

9:41 authentication server, so you need to add each and every RADIUS server one by one,

9:47 configure the right shared secret, add each and every AP as the RADIUS client. That's tedious work,

9:53 it's creating a lot of issues, a lot of mismatches, lots of customer

10:00 complaints and customer tickets. What do we do with our service? Well, we select the Mist authentication service,

10:06 that's it. It automatically programs all the APs, it automatically tells them how to reach

10:13 the authentication service, and that authentication will always be geo-aware, so

10:18 depending on where the APs are they will always hit the local authentication service. Okay,

10:26 but second issue now:

10:31 what about visibility? So one of the things for us, when we say

10:39 we're launching an integrated cloud authentication service into

10:46 the network, we also want to have an integrated experience when it comes to visibility. So when we look at the client

10:52 insights we want to see, okay, how do you validate that the user is actually able to

10:59 authenticate or authorize and get on the network and be able to pass traffic?

11:05 I don't want to jump between 10 different products, 10 different screens. I don't want to look at logs in this

11:11 place, that place, to find that out. I want to look at a history of a specific user's

11:17 connectivity experience and take a look at what's happening. Well, what we've done is we've extended our client insights,

11:25 the event stream that we've already had, to our Access Assurance service. So what

11:32 we are doing here is, okay, we are looking at all the historical connection stages

11:38 the client went through. So the client in this case is using a certificate to authenticate, presenting its certificate,

11:43 then it trusts the server certificate, but then we are doing an IdP lookup. In

11:48 this case we are using Okta; we're directly talking to Okta to fetch the user group membership information. We

11:54 want to make sure that the user account is still valid, all of these things. So we're getting all the roles from

12:00 Okta for this given user. Finally we're saying this client is allowed access to

12:07 our network, we're assigning a specific VLAN, we're assigning a role that we can

12:12 later on apply as a policy. And then you can also validate all the

12:19 next stages of connection as the client actually goes onto the network, gets the IP from the right VLAN as

12:26 assigned by the NAC, and is able to pass traffic. Everything in one

12:31 place. But what you also see here is, oh, in this client allowed access event I see

12:37 this auth policy, so if I click on it we're actually telling you, okay, this particular user

12:44 hit this specific authentication policy. Okay,

12:50 so this is how we can integrate this, even deeper.

12:57 Okay, so you say that's all nice, but things are working fine;

13:02 what if things are not working quite as expected? So

13:07 historically, if we look at just the events and data that we're

13:12 gathering from what the AP can see on the wireless side or what the switch can see on the wired side, if the client is

13:20 failing dot1x authorization, well, we're saying we got the reject, so we got a timeout,

13:25 and then since we never controlled the other side, we had limited visibility

13:31 into that piece. Now with Access Assurance under our control, we

13:38 have the full picture. In this case we are actually seeing the client is failing to authorize because the client

13:44 doesn't have the server certificate. That's it, this is our one-stop shop: we're saying this particular user is

13:51 having a problem because it doesn't trust the server cert. Go and fix the client configuration, done.

13:59 Okay, you would say that's all good, but I don't want to go through all the events

14:05 and scroll through them to find out what was the issue. It's fine, let's go and maybe talk to

14:13 Marvis. Maybe let's try and find out, is there a simpler way to troubleshoot

14:19 issues? So what we could do is we could try asking Marvis what was the

14:25 issue with, say, Slava last Thursday.

14:33 Okay, there we go. So immediately Marvis

14:40 went through all of the data we have, it found the specific user that matches the

14:46 specific username, it went through all the events, all the raw data that it showed us previously, and now it can give

14:53 you an answer: okay, that particular client had authorization issues because

14:59 of the client cert that was expired at that time. That's it.

15:06 Okay, and obviously since we know we're

15:11 troubleshooting this on a per-user basis, the next logical step is how do we

15:16 expand this into Marvis Actions? How do we troubleshoot things

15:22 at scale, how do we find issues that are affecting groups of users, how do

15:28 we find issues that are affecting maybe a specific site, or maybe just

15:34 something as simple as let's find some persistently failing clients, let's find

15:39 some top offenders that are continuously hitting our network with authentication requests and they're continuously failing. So in this case we can just say,

15:47 okay, this particular client is trying to authenticate to a

15:54 network all the time and it's continuously failing, please go and check. Or if you have an

16:01 authentication failure at scale, Marvis Actions will be able to grab this, find out and

16:08 highlight where you need to look. So, Slava, Raymond here, I have several

16:13 people asking from the online community, asking how about the integration or compatibility with eduroam?

16:23 Eduroam is work in progress. We are planning to, we

16:29 are planning to support eduroam. As of today we're still

16:34 working on that, so most likely by end of the year.

16:41 Excellent. Slava, my questions are revolving around just the functionality

16:46 of putting NAC and RADIUS into the cloud. Historically speaking there have been challenges around latency and then

16:53 availability in the event of an Internet failure. How are you solving those problems?

16:58 So there are two things there. One is, I'll start from the latency

17:04 first. So we built a geo-aware service. That means that if, let's say, you have

17:10 sites in Europe and the United States on the East Coast and West Coast, the APs from each geo region will be

17:19 automatically redirected to the nearest authentication service pod that we have

17:24 deployed. That process is automatic. This way you get the best,

17:31 actually the least latency when it comes to authentication. That's number one.

17:37 That also is true in case, let's say, something happens to a

17:43 specific authentication service cloud, say in the United States on

17:50 the East Coast; there is always another one to fail over to. So we are definitely taking this very seriously

17:56 from the perspective that this is a mission-critical service, because this is not like, for example, your AP is

18:04 not connected to the cloud, well, you're just losing management. This is right in the client data path. We want

18:11 to make this right; this is where the architecture is very important. Well, so I guess let's just

18:18 get right down to it. I've got a site that's on a crappy internet connection that has a 300 millisecond latency out to the internet. How on earth

18:25 are you going to expect them to authenticate in a reasonable amount of time if your RADIUS services are on the other side of that connection? Do you do

18:31 any proxying on site, do you do any caching, do you do anything at all to lighten that burden?

18:40 Right now we are relying on the fact that we have, we will have, global

18:45 presence. So we will have the closest pod near to you. If you

18:51 have a crappy internet connection, define crappy, right? And nowadays,

18:58 when we talk to customers, some of them have like three to five to

19:03 seven redundant internet connections. The internet connection is not one, right? Because that's also the historical

19:10 thing: when you talk about RADIUS specifically, latency, people were thinking of when

19:17 like MPLS and things like that, because it's sending this over to the data center. In our case this is pure internet

19:25 traffic. The other thing is our transport, our authentication is done using RadSec,

19:33 so we are not suffering from any MTU issues, loss issues, because

19:38 it's all TCP-based. We control that link, and

19:44 so hopefully that answers some of it. Okay, thank you.

19:53 Is there another certificate you have to deploy down to the clients to trust your RADIUS environment?

20:00 So by default we will use our own certificate that's signed by your

20:06 org, like the Mist organization CA. If you would like us to present your

20:13 certificate to the client, you can import your custom server cert into

20:19 the dashboard and we'll just present that.

20:24 Those are the options. And just to piggyback off Sam, there's no

20:30 way to have the access point, in the event of an Internet failure, just fail open or just kind

20:36 of accept all connections or kind of handle that? But in the case of

20:44 wireless there is no mechanism of fail open on that one, actually, unfortunately, unless you host the RADIUS

20:50 server somewhere. So the answer is no. So when there is a loss of internet

20:56 connectivity, the currently connected clients will stay connected, and the clients that are roaming will keep

21:02 roaming, that's not changing. Only the new connections would be affected

21:08 at that point. In case of the wired switching, in case of the wired

21:13 devices, obviously there is a fail-open logic, because wired allows us to do that. There is also a caching

21:21 option on the switch that you will be able to do, but fail open is there.

21:27 So currently the first phase is just wireless, right? Wired is not here, is

21:33 that correct? But wired is there. Wired is there; I should have actually showed

21:39 this. So wired: how do you think we configure wired ports? Well, you go to the

21:46 switch template and voilà, your authentication server is Mist authentication, same as with the

21:52 wireless SSID. Same thing; we support this on the

21:59 EX switches that we manage, and then you would go to

22:05 your port profiles, you would create, let's say, a secure port profile where you would enable dot1x and MAB,

22:12 you assign it to all of your front-facing ports, and then at that point NAC will decide which VLAN to

22:20 assign to which client and which user based on its identity. One more question.

22:27 Will you offer this as a third-party service to other vendors as

22:32 well, to other parties? So what we're doing is, for

22:39 third-party infrastructure that we are not managing directly, we

22:46 will leverage the Mist Edge as the authentication proxy platform. So

22:52 what you will be able to do is, say, go to your Mist Edge, enable Mist

22:57 authentication proxy. At that point you could point your existing third-party

23:03 infrastructure to the Mist Edge as your RADIUS server. From there Mist Edge will take it over and send it to the

23:08 cloud for authentication. Okay, but that's going to be your gateway, your

23:15 authentication proxy into a third-party vendor. Okay. And so, following up on that, will there

23:22 be a certification for this, as in the education path?

23:32 Oh, great question. So what we've actually done today, I think it's, or it must be,

23:38 online now: we've launched a new Access Assurance course on the Mist courses. You should be able to see it now, and it

23:46 should be assigned to everybody. And yeah, at some point definitely we will

23:51 take a look at the actual official certification.

23:58 So back to Sam's point, you're using Mist Edges as an authentication proxy

24:03 for third party; why can't we do that with first party?

24:08 That solves Sam's complaint about a weak internet connection.

24:14 Okay, so I'm not going to commit to anything yet, let's see. So we're

24:22 looking at this product and we have to be focused. So first we are

24:28 looking at the architecture; we need to solve this architectural problem, how to deploy this in the cloud so it scales, so

24:36 it's a reliable service. Then we add features on top of that.

24:45 Okay, and if I may, a proxy is a proxy. If I may just add one more point

24:51 to the question: basically Juniper switches, Mist

24:57 access points all support RadSec natively, so it's fairly simple for us to put the architecture in where we

25:04 natively terminate RadSec connections from our infrastructure. What do we do for third party? Some of the

25:10 third-party vendors do support RadSec, some don't. That is why we mandatorily

25:16 commit to putting in a Mist Edge. Over time, as Slava kind of alluded to, Mist Edge

25:21 could be a caching proxy as well for all services. But right now, to Sam's

25:27 point, if you really have a flaky WAN link, and if you have a WAN outage today, if you're in a

25:34 distributed environment on fractional T1 lines, you're really

25:39 deep in the water with WAN issues. In that case,

25:46 what would you do? Your only solution is to put caches, like caching RADIUS servers, on

25:53 site. Correct. In my instance I'm talking about a DIA circuit, that's a 50 meg circuit from Charter, that has well over

25:59 300 millisecond latency. Before it even leaves the Charter network I've already picked up about 300 milliseconds. So I'm

26:06 not talking about frac T1s or really old stuff, ISDN lines. I'm talking about high-bandwidth circuits

26:13 that are also high latency. The only thing I will say now, Sam, is that in

26:18 some of the POCs we have done, there have been customers over the ocean

26:24 terminating their RadSec connections out into our

26:30 NAC service, authentication service, without any perceptible latency. I'm going to leave it at that and say that

26:36 in the future there might be some evolution. Thanks. And let me add to that, so, Sanjoy,

26:44 we've actually tried this by doing

26:51 authentication from Australia all the way to the West Coast, all the way to the East Coast, with

26:58 almost 400 millisecond delay, and that authentication happens flawlessly every time. I'm not worried about, yeah,

27:06 just, with the latency part, I'm not worried about the authentication happening. I'm worried

27:12 about a voice over IP over wireless client that's roaming from my AP to another AP that needs to go out

27:18 and re-auth. You do a 400 millisecond roam, that's just garbage, right?

27:24 Right, yeah, I agree. But for roaming scenarios I think we're

27:31 slowly but surely moving to 11r cases where you're bypassing

27:38 everything. So you authenticate once and then when you roam you

27:43 skip all of that, including the four-way handshake. On the Mist Edge,

27:49 when you're using it as a proxy, will that be something separate, or a separate licensing method, or will it be the same exact

27:55 pricing as it is right now? Obviously this is

28:01 a service that will require a subscription. The subscription will be based on the concurrently active

28:08 number of clients that we see over a week period, and the only thing we are looking

28:13 at is really the number of client devices that use the authentication service concurrently.

28:22 I think another question, a question from Ali, is if you are using Mist Edge as a proxy. So today

28:30 you're going to basically put in a Mist Edge appliance or a Mist Edge container on-prem, and we offer

28:37 the appliance and the VM. There is no Mist Edge subscription as well;

28:43 all you need is the concurrently active client subscription. And by the way,

28:49 when we come over, Slava is going to show us some progress on IoT Assurance.

28:54 Okay, I'm happy to say that it is the exact same subscription that will allow you not only PPSK-based client device

29:01 onboarding but also now dot1x. So everything is getting subsumed under the

29:07 Access Assurance umbrella. Okay, I have a quick question regarding the third-party IdPs. Is it

29:13 fully integrated in the sense that it's leveraging that IdP as the

29:18 authentication source, in other words then it would tie into MFA and other capabilities on that IdP, or is it really

29:25 just for user group assignments, things like that? So there,

29:31 yeah, I got the question. So there are two ways how we can

29:37 leverage IdPs today. One is, as I showed, to get the group information,

29:42 user account status and all the attributes that come with it. The second is to use the IdP as an authentication

29:50 provider. In that case you would have to use something like EAP-TTLS to

29:56 authenticate users using their credentials. Saying that, so for example

30:01 this will work with Okta, this will work with Azure, by authenticating user

30:07 credentials. Saying that, if you look at the device OS developments you could see what

30:14 Microsoft is doing with the latest Windows 11 updates and enforcing

30:20 Credential Guard, that is actually blocking any form of password-based authentication on dot1x and VPN. So

30:28 what we are seeing is it is a trend where everything is moving to certificates only.

30:34 It's again a slow train, but it's starting to show up. But to answer

30:41 your question, you could still use IdPs as authentication sources.

30:47 So in terms of the policies, how do I put this,

30:53 how stupid can I get? Because I've got some policies right now that

30:58 I have been told are pretty stupid by the ISE consultant that

31:05 helps me when I get in over my head. For example, can I key in on

31:11 very, like, for example, I might provision an Intune device with a

31:17 different certificate, something different in the OU, than a Jamf-managed device, so that in my authentication

31:24 policy I can key off of that. These all look pretty simple; I'm not seeing anything really like

31:30 I'm digging into fields in certificates and making policy choices based on those decisions.

31:36 Is that functionality there? So thank you for asking this question.

31:41 The functionality is definitely in there. So you can create a label, again just a

31:46 condition. You could look at virtually any certificate attribute you want to look at. You can match on, let's say, a

31:54 subject to say if it's OU XYZ then we're going to match on that, use that as

32:00 your condition on the left and then apply a different policy based on that. This is very powerful; we've been asked

32:06 about this by actually quite a lot of customers that are issuing different certificate subjects to different types

32:13 of devices or users. So yeah, definitely. Good to know that misery loves company.

32:21 I got one last question about this. So as far as my understanding, this is cloud-based directories, like Azure,

32:27 Okta and all that. Just curious, what if somebody doesn't have that and they only have just a

32:32 local Active Directory, locally deployed certificate-based servers and

32:37 all that kind of stuff? Is there some kind of agent or something, or can we use again the Mist proxy to somehow integrate the cloud RADIUS with that?

32:47 What we see is there are customers who would say, I only have a local Active

32:54 Directory and I'm using this today with my current RADIUS server. But the

33:00 next question would be, oh, are you doing any single sign-on today? And they'll say, yeah, we have Azure.

33:06 Okay, hang on a second, so you actually are doing a hybrid cloud

33:11 deployment model. Yes, you're using your local Active Directory with your current RADIUS server, that's fine, but all your

33:16 users are in fact already in Azure. Most of the time we don't need

33:21 to talk to the local AD because there's something in the cloud that has all the user records.

33:29 Saying that, if you find that fourth case, at this point really like one, a couple of

33:36 percent of customers that have nothing in the cloud, you could still

33:42 use secure LDAP from our cloud to your local directory to

33:50 open it up. That's the answer I would give.

33:57 And forgive me if I'm jumping ahead, but are you going to be able to discuss

34:02 integrations with MDM platforms, like,

34:08 posture checks against an Intune or Jamf? Currently actively in progress. So

34:18 what we are looking at is bi-directional integration into MDM

34:24 providers; initially there will be Intune and Jamf Pro. So the idea is that we will

34:33 constantly communicate with, say, Intune or Jamf and see if the

34:39 client device, the endpoint, is in a compliant state, what's the

34:45 enrollment status, if it's a corporate device or if it's a BYOD device enrolled in the MDM, all these

34:51 attributes. Based on that you can apply your policies. The key thing here is it's a bi-directional integration;

34:58 that means that, say, something changes on the device after it's authenticated, for example somebody disables the

35:06 firewall or forgets to update the antivirus, then for example Intune

35:12 detects that this device is out of compliance, there is a notification back to our cloud. At this point

35:19 we'll be able to act and move the client into, say, quarantine, or disconnect it altogether.