Mist Access Assurance—Frequently Asked Questions

What is Mist Access Assurance?

Juniper Mist Access Assurance is a cloud service that provides secure, identity-based network access control (NAC). The cloud service offers a comprehensive policy framework to allow or deny network access to various devices such as guests, corporate devices, and devices generating IoT and BYOD traffic. User and device identity determine whether a client receives access. Juniper Mist Access Assurance supports 802.1X authentication and MAC address bypass for non-802.1X wired IoT devices in the allowlist.

How do you order Mist Access Assurance subscriptions?

We provide the Juniper Mist Access Assurance service as a subscription based on the average concurrently active client devices seen over a 7-day period.

Table 1: Mist Access Assurance Subscriptions Package
SKU Description
S-CLIENT-S-1 Standard Access Assurance subscription for 1 client for 1 year
S-CLIENT-S-3 Standard Access Assurance subscription for 1 client for 3 years
S-CLIENT-S-5 Standard Access Assurance subscription for 1 client for 5 years

For information about license numbering and license pools, see Licensing Information.

Your subscription to IoT Assurance also grants you access to Juniper Mist Access Assurance.

Contact your Juniper account team or partner to obtain a license. For more information, visit: https://www.juniper.net/us/en/how-to-buy/form.html.

Refer to the Juniper Mist Access Assurance Datasheet for details.

We have a Juniper Mist wired and wireless infrastructure. Do we need to purchase any additional hardware to enable Access Assurance?

You don't need any additional hardware to install and maintain Juniper Mist Access Assurance.

Juniper Mist Access Assurance supports:

  • Juniper Networks EX Series switches with
    • Junos OS Release 20.4R3-S7 or later
    • Junos OS Release 22.3R3 or later
    • Junos OS Release 22.4R2 or later
    • Junos OS Release 23.1R1 or later
  • Juniper® Series of High-Performance Access Points with firmware version 0.6.x or above.

What are the Juniper Mist Access Assurance source IP addresses?

Juniper Mist Access Assurance is a geographically distributed cloud authentication service. In some cases, users need to create an allowlist of the Access Assurance source IP addresses so that the service can communicate with external identity providers.

Juniper Networks recommends using Layer 7-based verification instead of IP-based firewall rules, for example validating client certificates for LDAPS communication or validating OAuth client ID/secrets.

US West

  • 44.238.214.57
  • 54.214.208.109
  • 54.71.176.201

US East

  • 13.58.92.194
  • 18.217.23.193
  • 3.22.40.111

EU Paris

  • 15.236.172.79
  • 15.236.44.93
  • 15.237.171.133

EU Frankfurt

  • 3.77.68.168
  • 52.57.243.242
  • 18.153.242.220

APAC Sydney

  • 54.255.158.51
  • 18.143.121.8
  • 13.228.196.58

APAC Singapore

  • 13.239.90.65
  • 13.237.26.230
  • 54.252.79.22
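
The following is an added example, not Juniper code, of treating the list above as context while the client certificate makes the decision, in line with the Layer 7 recommendation. The log format, the verdict names, and the policy itself are assumptions made for illustration; the sample lines are constructed.

```python
import ipaddress
import re

# Source IPs as published in the list above (region labels as given on the page).
MIST_NAC_SOURCES = {
    "US West": ["44.238.214.57", "54.214.208.109", "54.71.176.201"],
    "US East": ["13.58.92.194", "18.217.23.193", "3.22.40.111"],
    "EU Paris": ["15.236.172.79", "15.236.44.93", "15.237.171.133"],
    "EU Frankfurt": ["3.77.68.168", "52.57.243.242", "18.153.242.220"],
    "APAC Sydney": ["54.255.158.51", "18.143.121.8", "13.228.196.58"],
    "APAC Singapore": ["13.239.90.65", "13.237.26.230", "54.252.79.22"],
}
_REGION_BY_IP = {ipaddress.ip_address(ip): region
                 for region, ips in MIST_NAC_SOURCES.items() for ip in ips}

# Hypothetical log format for an LDAPS front end; not a real product's output.
_LINE = re.compile(r"src=(?P<src>\S+)\s+client_cert=(?P<cert>ok|none|invalid)")

def region_of(ip):
    """Return the published region for ip, or None if it is not listed."""
    try:
        return _REGION_BY_IP.get(ipaddress.ip_address(ip))
    except ValueError:
        return None

def audit(lines):
    """Classify each connection; the certificate decides, the IP is context."""
    findings = []
    for line in lines:
        m = _LINE.search(line)
        if not m:
            findings.append(("unparsed", None, line.strip()))
            continue
        region, cert = region_of(m["src"]), m["cert"]
        if cert == "ok":
            # Verified certificate from an unlisted IP: the allowlist may be stale.
            verdict = "allow" if region else "allow-review-ip-list"
        else:
            # A listed IP without a verified certificate is still denied.
            verdict = "deny-listed-ip-no-cert" if region else "deny"
        findings.append((verdict, region, m["src"]))
    return findings

# Constructed sample log lines; the 203.0.113.x and 198.51.100.x addresses
# are documentation-range IPs, not Mist addresses.
SAMPLE = [
    "2024-05-01T10:00:01Z src=13.58.92.194 client_cert=ok",
    "2024-05-01T10:00:02Z src=13.58.92.194 client_cert=none",
    "2024-05-01T10:00:03Z src=203.0.113.10 client_cert=ok",
    "2024-05-01T10:00:04Z src=198.51.100.7 client_cert=invalid",
]
```
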

Do I need to add any firewall rules to configure my access points and switches to use Mist Access Assurance?

Yes, on your firewall you must allow outbound connections destined to radsec.nac.mist.com over TCP Port 2083.

Why is the Access Assurance option missing in the Juniper Mist UI?

Juniper Mist Access Assurance has limited availability. Contact your Juniper Mist representative if you want to use this feature or need any additional details about the feature.

What happens if I lose connectivity to the Juniper Mist cloud?

The Juniper Mist Access Assurance service has a microservices architecture, which makes the service very resilient. In the rare event of persistent loss of connectivity to the Juniper Mist cloud, all authenticated and authorized client devices will maintain their functionality and roam seamlessly.

Which authentication methods do you support with Mist Access Assurance?

Juniper Mist Access Assurance supports the following authentication methods:

  • 802.1X
    • Extensible Authentication Protocol (EAP)–Transport Layer Security (TLS)/Protected Extensible Authentication Protocol (PEAP)–Transport Layer Security (TLS)—Certificate-based authentication. In addition to certificate validation, you can optionally use an identity provider for additional authorization context.
    • Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS)—Credential-based authentication. Requires an identity provider such as Azure AD, Okta, or Google Workspace.
  • Non-802.1X
    • MAC Authentication Bypass (MAB)—You can use MAB for devices that don't support 802.1X authentication methods, such as wired IoT devices.

See Juniper Mist Access Assurance Authentication Methods for details.

Do we experience any latency when we use Juniper Mist Access Assurance?

Juniper Mist Access Assurance has a microservices architecture with geo-affinity features. The service can connect to the nearest service, reducing delay and making it as fast as systems located on your premises. We suggest that you use the cloud service on a trial basis to experience an improvement in your user experience.

Have you made any changes to PSK-based IoT onboarding?

Preshared Key (PSK)-based IoT device onboarding continues to work the same way as before. Refer to Multi PSK – Mist IoT Assurance for details.