Add an Endpoint, Label, and Policy
Follow these steps to add an endpoint to your organization, assign labels, and create an authentication policy to specify which users can access it.
The Network Access Control (NAC) Endpoints page provides a database of endpoints identified by their MAC addresses. Here, you can assign each endpoint various attributes, such as name, VLAN, role, and client label. Once an endpoint is labeled, you can use the label name as match criteria on the authentication policy page.
You can add a new endpoint to the database manually or import endpoints by uploading a CSV file. Having a database of endpoint MAC addresses simplifies access control with MAC authentication: you can add new clients, assign their labels, and use the search functionality to view and edit existing clients.
Adding Endpoints
Use the following steps to set up endpoints for NAC:
To access the NAC Endpoints page, from the left menu of the Juniper Mist portal, select Organization > Access > Endpoints.
- A list of existing endpoints, if any, appears. You can search for an endpoint by MAC address or by label.
- You can import endpoints using a CSV file or add an endpoint.
- Click the Import button in the upper right corner.
Figure 1: Import NAC Endpoints
In the Import Endpoint window, click the Download Sample CSV button to download a sample CSV file with the correct headers and format. Upload your CSV file to the portal using the Drag and Drop or Click to Upload CSV File option.
- Click the Add Endpoint button to add a new endpoint.
Figure 2: Add a NAC Endpoint
In the Add Endpoint page, enter the following details:
Name—(Optional) Name of the endpoint. You can also name the endpoint after authentication for better visibility. Naming is also done by sending the configured name in the User-Name attribute of the RADIUS Access-Accept.
MAC Address—MAC Address of the endpoint.
Role—(Optional) Role assigned to the endpoint, which can be leveraged in an Auth Policy rule to override a role on a per-endpoint basis.
VLAN—(Optional) VLAN ID between 1 and 4094, or a VLAN name, assigned to the endpoint, which can be used to override VLAN assignment on a per-endpoint basis.
Client Labels—(Optional) List of labels or tags assigned to the endpoint, which can be leveraged in Auth Policies as match criteria. For example, cameras, printers, IoT-devices, quarantined-clients, floor, and so on.
Description: (Optional) A description of the endpoint that is meaningful to you.
- Click the Import button in the upper right corner.
- Click Save.
The system adds the endpoint you created to the database. Now you can use the label in creating an authentication policy.
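A pre-import check for the endpoint CSV, as an added example that is not part of the Juniper documentation: it normalizes MAC addresses, rejects VLAN IDs outside 1 to 4094, and flags the same MAC entered twice in different notations. The column names and the ';' label separator are assumptions; the sample CSV downloaded from the portal defines the real format.

```python
import csv
import io
import re

# Column names and the ';' label separator are assumptions for illustration;
# the sample CSV downloaded from the portal defines the real headers.
SAMPLE_CSV = """\
mac,name,vlan,role,labels
AA:BB:CC:00:11:22,lobby-cam,120,,cameras;floor 1
aa-bb-cc-00-11-22,lobby-cam-dup,120,,cameras
00:11:22:33:44:5G,bad-hex,10,,printers
00:11:22:33:44:55,printer-1,4095,,printers
00:11:22:33:44:66,sensor-1,iot-vlan,iot,IoT-devices
"""  # constructed sample data

def normalize_mac(raw):
    """Drop ':', '-', '.' separators and lowercase; None unless 12 hex digits."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None

def check_vlan(raw):
    """VLAN is optional: empty, a VLAN name, or an ID from 1 to 4094."""
    value = raw.strip()
    if re.fullmatch(r"-?\d+", value):
        return 1 <= int(value) <= 4094
    return True

def validate_endpoints(csv_text):
    """Return (clean_rows, errors); errors are (line_number, message) tuples."""
    clean, errors, seen = [], [], {}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        mac = normalize_mac(row.get("mac") or "")
        vlan = (row.get("vlan") or "").strip()
        if mac is None:
            errors.append((line, "invalid MAC address"))
        elif mac in seen:
            errors.append((line, f"same MAC as line {seen[mac]}"))
        elif not check_vlan(vlan):
            errors.append((line, "VLAN ID outside 1 to 4094"))
        else:
            seen[mac] = line
            labels = [s.strip() for s in (row.get("labels") or "").split(";") if s.strip()]
            clean.append({"mac": mac, "vlan": vlan, "role": (row.get("role") or "").strip(), "labels": labels})
    return clean, errors

if __name__ == "__main__":
    rows, problems = validate_endpoints(SAMPLE_CSV)
    print(len(rows), "rows ready for import")
    for line, message in problems:
        print(f"line {line}: {message}")
```

Because MAB policy decisions key on the MAC address, catching a duplicate or malformed entry before upload avoids an endpoint silently carrying the wrong VLAN or labels.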
Example of Using NAC Endpoint Label in Auth Policy
In the previous step, you created an endpoint with the labels cameras and floor 1. Now, you can use the labels in an auth policy.
From the left menu of the Juniper Mist portal, select Organization > Access > Auth Policies.
On the Auth Policies page, select Create Label and enter the details.
Figure 3: Create a Label
- Label Name—Enter the label name (example: Cameras in floor 1)
- Label Type—Select the type as Client Label.
- Label Values—Enter the client labels. For this example, enter the label values cameras, floor 1. These are the labels you assigned when adding a new NAC endpoint.
Create an authentication policy.
Click Add Rule to create a rule. In this rule, use the label you created in the previous step.
Figure 4: Create Auth Policy
- Name—Enter a name for the policy.
- Match Criteria—Select the client label (cameras, floor 1), MAB (MAC Authentication Bypass), and Wired.
- Policy—Select Allowed.
- Policy action—Select Network Access Allowed.
- Assigned Policies—Select the required policy.