Test Objectives

Test Goals

The testing for this JVD was performed with the following goals in mind. Consult the Test Report of this JVD for more information.

• All Juniper Mist Access Assurance supported authentication methods need to be tested:
  • PAP. Used for MAB.
  • EAP-TLS.
  • EAP-TTLS with PAP using a public IdP.
  • PEAP-TLS (Limited to Win 11 client)
  • TEAP-TLS (Limited to Win 11 client)
• All major authorization methods need to be tested depending on what the network access device supports:
  • Wired switch authorization methods.
    • Dynamically assign a single access VLAN for a client.
    • Dynamically assign multiple VLAN as trunk and one native (for an attached AP).
    • Assign a pre-configured ACL filtered by filter-ID.
    • Session-timeout.
  • Wireless AP authorization methods.
    • Dynamically assign a single access VLAN for a client.
    • Dynamically assign a Mist Role for a client that then defines firewall filters.
• The wired clients for testing will be done using:
  • Spirent (mostly for MAB).
  • Windows 11 Professional.
  • Linux (Ubuntu 20.04 or else suggested).
• The wireless clients for testing will be done using:
  • Windows 11 Professional.
  • Linux (Ubuntu 20.04 or else suggested).
• There is a need to test the following combinations for network access devices:
  • Standalone Juniper access switch managed by Juniper Mist cloud.
  • Juniper Virtual Chassis with a minimum of 3 members managed by Juniper Mist cloud.
  • Juniper AP managed by Juniper Mist cloud.
  • Standalone unmanaged Juniper access switch with RADIUS using a Juniper Mist Edge proxy.
• Credential database integration testing (with and without group authorization profile assignment):
  • Mist Auth internal database (label-based) for MAB
  • Mist Auth internal database (endpoint page) for MAB
  • Azure AD for EAP-TTLS with PAP
  • Azure AD for EAP-TLS
  • Okta for EAP-TTLS with PAP
  • Okta for EAP-TLS
  • LDAPS for EAP-TTLS with PAP
• MDM integration:
  • Azure AD and Microsoft Intune integration with compliance authorization selection.
• Wi-Fi only topics:
  • Wi-Fi PSK authentication
  • Wi-Fi service-set identifier (SSID) authentication
  • Juniper AP as EAP-TLS supplicant
  • Wi-Fi roaming
  • WPA3 enterprise
  • Wi-Fi client onboarding with PSK portal
• Special topics
  • EAP-TLS client certificate attribute-based authorization selection
  • Switch CLI admin authentication (device-auth)

Test Non-Goals

• Testing with third-party switches and APs was archived through using Juniper Switches and AP in unmanaged mode with Mist-Edge as RadSec Proxy.
• Working with customer PKIs. We use either the automatic Mist PKI for each organization or a homegrown PKI.
• Testing Eduroam forwarding due to lab limitations.
• Testing dynamic assignment for group-based policies (GBP) as:
  • This is extensively tested by a JVD extension for IP Clos.
  • Testing with RADIUS AVP Juniper-Switching-Filter was performed and only the content of the string changes for dynamic GBP assignment.
• Testing with campus fabric. All JVDs for campus fabric already undergo rigorous testing with a third-party RADIUS server and MAB + EAP method testing to ensure authentication and authorization (VLAN/filter) assign. NAC solutions take care of the authentication and authorization when a new client accesses a network at the ingress access switch. They do not need to know how the transport is done after that point and are independent if you just forward via VLANs or VXLAN.
• Certificate expiration scenarios cannot be tested as we cannot change the clock setting on the Juniper Mist authentication cloud.
• Redundancy of the Juniper Mist Edge proxy device is not tested in this first phase. Keep in mind that the client does trigger the failover between RADIUS servers.
• Mobile Device Management testing exclusions:
  • Jamf is an MDM option for Apple supplicant was excluded due to lab limitations.
  • Testing with Airwatch was excluded due to lab limitations.