Add Identity Providers for Juniper Mist Access Assurance

Juniper Mist™ Access Assurance integrates with various Identity Providers (IdPs) to enhance authentication and access control. An IdP serves as the authentication source for EAP-TTLS (credential validation) and as the authorization source for both EAP-TLS and EAP-TTLS (by supplying user group memberships, account state, and similar attributes).

The supported IdPs are:

  • Microsoft Entra ID (formerly known as Azure Active Directory)

  • Okta Workforce Identity

  • Google Workspace

  • Juniper Mist Edge Proxy

Juniper Mist Access Assurance uses identity providers (IdPs) to:

  • Get additional identity context such as user group memberships and account state of clients.

    This information is available in certificate-based authentication methods such as Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) and Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS).

  • Authenticate clients by validating credentials. EAP-TTLS supports credential-based authentication.

Remember that configuring IdPs is optional for EAP-TLS certificate-based authentication, but it is mandatory for credential-based authentication (EAP-TTLS). If you're setting up an IdP, ensure you have the necessary details, such as client ID and client secret, from the identity provider.

Juniper Mist Access Assurance uses the following protocols to integrate with an IdP, look up users, and get device state information:

  • Secure Lightweight Directory Access Protocol (LDAPS)
  • OAuth 2.0


Prerequisites

To add identity providers for Juniper Mist Access Assurance:

  1. From the left menu of the Juniper Mist portal, select Organization > Access > Identity Providers.
  2. Click Add IDP near the top-right corner of the Identity Providers page.
  3. On the New Identity Provider page, enter a Name and select the IDP type:
    • LDAPS

    • OAuth

    • Mist Edge Proxy

    New Identity Provider Page - Name and IDP Type
  4. Refer to the tables below to enter the information required for the selected type.

    LDAPS

    Table 1: Settings for LDAPS IdPs

    Parameters

    Details

    LDAP Type

    Select one of the following options from the drop-down menu:
    • Azure
    • Okta
    • Custom

    Server Hosts

    Enter the name or the IP address of the LDAP server you’re going to use for authentication.

    Domain Names

    Enter the fully qualified domain name (FQDN) of the LDAP server.

    Default IDP

    Set this identity provider as the default IdP. The system looks up users in the default IdP when the domain name in the user identity is unknown or does not match any configured IdP.

    Bind DN

    Specify the distinguished name of the account that is permitted to search the Base DN. Example: cn=admin,dc=abc,dc=com.

    Bind Password

    Enter the password of the account specified in Bind DN.

    Base DN

    Enter a whole domain or a specific organizational unit (container) as the search base, to specify where users and groups are found in the LDAP tree. Example: OU=NetworkAdmins,DC=your,DC=domain,DC=com.

    LDAPS Certificates

    Add the Certificate Authority (CA) certificate and the client certificate.

    • Group Filter
    • Member Filter
    • User Filter

    Specify the LDAP filters that identify group objects, group members, and user objects. These options are available only when LDAP Type is Custom.

    OAuth

    For the OAuth type of authentication, enter the values described in Table 2. Some of the fields require values you receive when you configure the Azure or Okta application. See Integrate Azure AD as an Identity Provider or Integrate Okta as an Identity Provider.

    Table 2: Settings for OAuth IdPs

    Parameters

    Description

    OAuth Type

    Select one of the following options from the drop-down menu:
    • Azure
    • Okta

    OAuth Tenant ID

    Enter the OAuth tenant ID. Use the ID you received during Azure or Okta application configuration.

    Domain Names

    Enter a fully qualified domain name.

    Default IDP

    Set this identity provider as the default IdP, used when the user identity does not specify a domain name.

    OAuth Client Credential (CC) Client Id

    The application ID of your client application. Use the ID you received during Azure or Okta application configuration.

    OAuth Client Credential (CC) Client Private Key

    (For Okta) Enter the private key generated during Okta application configuration.

    OAuth Resource Owner Password Credential (ROPC) Client Id

    (For Okta) Enter the client secret ID. Use the secret ID you received during Okta application configuration.

    OAuth Resource Owner Password Credential (ROPC) Client Secret

    (For Okta) Provide client secret value. Use the secret value you received during Okta application configuration.

    OAuth Client Credential (CC) Client Id

    (For Azure) Enter the client ID generated during Azure application configuration.

    OAuth Client Credential (CC) Client Secret

    (For Azure) Enter the client secret value generated during Azure application configuration.

    OAuth Resource Owner Password Credential (ROPC) Client Id

    (For Azure) Use the same value as OAuth Client Credential (CC) Client Id.

    Mist Edge Proxy

    Table 3: Settings for Mist Edge Proxy

    Parameters

    Description

    Proxy Hosts

    Enter a comma-separated list of the public IP or NAT IP addresses of the Mist Edges that are acting as proxies. All these addresses must be part of the cluster that you identify in the Mist Edge Cluster field.

    Mist Edge will listen on the specified addresses for:

    • Inbound RadSec requests from Mist Access Assurance

    • RADIUS requests from external RADIUS servers

    SSIDs

    Enter a comma-separated list of the SSIDs that this IdP will use.

    Mist Edge Cluster

    Select a cluster from the list.
    Note:

    If you need to add a Mist Edge cluster, select Mist Edges from the left menu, select Create Cluster, and then enter the cluster information.

    Exclude Realms

    Use this option to avoid proxying certain users. It is required only when EAP-TLS is used for users who have no external IdP configured as an authorization source.

    Enter the domain names/realms that you want to exclude; all other valid user realms will be proxied.

    Operator Name

    If you specify an operator name, it will be included in access requests that are forwarded to the external RADIUS server. For example, some eduroam NROs require the operator name attribute.

    This attribute must start with 1, followed by an FQDN.

    Example: 1abc_university.edu

    RADIUS Authentication Servers

    You must specify at least one server. Click Add Server, and then enter the IP address, port, and shared secret.

    RADIUS Accounting Servers

    Click Add Server, and then enter the IP address, port, and shared secret.
  5. To save the changes, click Create at the top-right corner of the New Identity Provider page.
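The Group, Member and User filters in Table 1 take identities supplied by the client during the EAP exchange, so the value substituted into a Custom filter must be escaped or a crafted username can change what the search returns. The following is an added example, not code from Juniper Mist: it assumes a hypothetical "{value}" placeholder in the filter templates, uses constructed Active Directory-style attribute names, and escapes the substituted value as RFC 4515 requires.

```python
"""LDAP filter templates for a Custom LDAP type, with RFC 4515 escaping.

Added example (not Juniper Mist code). It assumes a hypothetical
"{value}" placeholder in the User and Member filter templates that is
replaced by the identity received from the EAP exchange; the attribute
names are constructed for an Active Directory-style directory.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value so they are matched literally rather than parsed.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe inclusion in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Substitute an escaped value into a filter template."""
    return template.replace("{value}", escape_filter_value(value))


# Constructed templates in the style an administrator might enter.
USER_FILTER = "(&(objectClass=person)(sAMAccountName={value}))"
GROUP_FILTER = "(objectClass=group)"
MEMBER_FILTER = "(member={value})"


def user_lookup_filter(username: str) -> str:
    """Filter that locates the authenticating user's entry under the Base DN."""
    return render_filter(USER_FILTER, username)


def group_membership_filter(user_dn: str) -> str:
    """Filter that returns the groups whose member attribute lists the user's DN.

    The Group Filter restricts results to group objects and the Member
    Filter ties them to the user found by user_lookup_filter().
    """
    return "(&" + GROUP_FILTER + render_filter(MEMBER_FILTER, user_dn) + ")"


def is_single_assertion(rendered: str, template: str) -> bool:
    """Sanity check: escaping must leave the parenthesis count equal to the
    template's, so the substituted value cannot add or close clauses."""
    return (rendered.count("(") == template.count("(")
            and rendered.count(")") == template.count(")"))


if __name__ == "__main__":
    # Constructed input that would widen an unescaped filter to every object.
    hostile = "alice)(objectClass=*"
    print(user_lookup_filter("alice"))
    print(user_lookup_filter(hostile))
    print(is_single_assertion(user_lookup_filter(hostile), USER_FILTER))
    print(group_membership_filter("CN=Alice Smith,OU=Staff,DC=abc,DC=com"))
```

The same escaping applies when the user's DN is substituted into the Member Filter: a DN's own backslash escapes are doubled to `\5c`, which is the correct filter encoding and is what keeps the membership search bound to exactly one user.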
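Table 2 lists separate Client Credential (CC) and Resource Owner Password Credential (ROPC) settings because they feed two different OAuth 2.0 grants: the application authenticates as itself to read directory data, and a user's password is validated on their behalf for EAP-TTLS. The following added example, which is not Juniper Mist code, shows the shape of both token requests for a Microsoft Entra ID tenant (Okta uses different endpoints and is not covered). The endpoint and the Microsoft Graph default scope are the documented Microsoft identity platform v2.0 values; the tenant, client and user values are constructed placeholders, and the block only builds and interprets the exchange so that it runs offline.

```python
"""OAuth 2.0 token requests behind the CC and ROPC settings in Table 2.

Added example (not Juniper Mist code) for a Microsoft Entra ID tenant.
The endpoint and default Graph scope are documented Microsoft identity
platform v2.0 values; tenant, client and user values are constructed
placeholders. Sending the HTTP POST is left to the caller.
"""
import json
from typing import Dict, Optional
from urllib.parse import urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint of the tenant identified by OAuth Tenant ID."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def client_credentials_form(client_id: str, client_secret: str,
                            scope: str = GRAPH_DEFAULT_SCOPE) -> Dict[str, str]:
    """Client Credentials grant: the application authenticates as itself.

    This grant serves directory lookups (group membership, account
    state) and consumes the CC Client Id and CC Client Secret.
    """
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def ropc_form(client_id: str, username: str, password: str,
              client_secret: Optional[str] = None,
              scope: str = "openid") -> Dict[str, str]:
    """Resource Owner Password Credentials grant: validates a user's password.

    This is the grant behind EAP-TTLS credential validation and consumes
    the ROPC Client Id (for Azure the same value as the CC Client Id, per
    Table 2). The secret is optional because Table 2 lists no separate
    ROPC secret for Azure.
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": scope,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return form


def encode_form(form: Dict[str, str]) -> str:
    """Body of the application/x-www-form-urlencoded POST."""
    return urlencode(form)


def classify_token_response(status: int, body: str) -> str:
    """Map a token response to a coarse outcome (error codes per RFC 6749 section 5.2).

    Telling these apart lets an operator separate an application-credential
    problem (wrong client secret) from a user-credential problem (wrong
    password or blocked account) when an EAP-TTLS authentication fails.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "malformed-response"
    if status == 200 and "access_token" in data:
        return "ok"
    error = data.get("error")
    if error == "invalid_client":
        return "app-credential-error"
    if error == "invalid_grant":
        return "user-credential-error"
    return "other-error"


if __name__ == "__main__":
    print(token_endpoint("TENANT-ID-PLACEHOLDER"))
    print(encode_form(client_credentials_form("APP-ID-PLACEHOLDER", "APP-SECRET-PLACEHOLDER")))
    print(encode_form(ropc_form("APP-ID-PLACEHOLDER", "alice@abc.com", "PASSWORD-PLACEHOLDER")))
    print(classify_token_response(400, '{"error": "invalid_grant"}'))
```

The response classifier is the part worth keeping in an operator's toolbox: an `invalid_client` response points at the CC or ROPC client secret entered in Table 2, while `invalid_grant` points at the user's credentials or account state rather than at the IdP configuration.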
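Several settings above decide where a user identity is sent: Domain Names and Default IDP (Tables 1 and 2) pick the IdP from the realm of the identity, Exclude Realms (Table 3) decides whether a Mist Edge proxy forwards the request at all, and Operator Name must be "1" followed by an FQDN. The following added example, which is not Juniper's implementation, models these rules so the edge cases can be checked; the IdP entries and identities are constructed sample data, and the choice to never proxy an identity that carries no realm is an assumption of the example.

```python
"""Realm-based IdP selection, proxy exclusion and Operator-Name check.

Added example (not Juniper's implementation) illustrating the behaviour
described for Domain Names / Default IDP, Exclude Realms and Operator
Name. IdP entries and identities are constructed sample data; treating
an identity without a realm as not proxyable is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class IdP:
    name: str
    domain_names: List[str]
    default: bool = False


def realm_of(identity: str) -> Optional[str]:
    """Lower-cased realm of a user@realm identity, or None when there is none."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


def select_idp(identity: str, idps: Iterable[IdP]) -> Optional[IdP]:
    """Pick the IdP whose Domain Names match the realm, else the Default IDP."""
    idps = list(idps)
    realm = realm_of(identity)
    if realm is not None:
        for idp in idps:
            if realm in {d.lower() for d in idp.domain_names}:
                return idp
    # Unknown or missing realm: fall back to the IdP flagged as default,
    # or to no IdP at all when none is flagged.
    return next((idp for idp in idps if idp.default), None)


def should_proxy(identity: str, exclude_realms: Iterable[str]) -> bool:
    """True when a Mist Edge proxy would forward this identity.

    Every valid realm not listed in Exclude Realms is proxied; an
    identity without a realm is treated as not proxyable (assumption).
    """
    realm = realm_of(identity)
    if realm is None:
        return False
    return realm not in {r.lower() for r in exclude_realms}


# Operator-Name as described in Table 3: the digit "1" followed by an
# FQDN. Underscores are accepted because the page's own example uses one.
_OPERATOR_NAME = re.compile(r"^1[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$")


def validate_operator_name(value: str) -> bool:
    """Accept only values of the form 1<fqdn>."""
    return _OPERATOR_NAME.fullmatch(value) is not None


# Constructed sample configuration.
SAMPLE_IDPS = [
    IdP("corp-entra", ["abc.com", "corp.abc.com"]),
    IdP("partner-ldap", ["partner.example"], default=True),
]
SAMPLE_EXCLUDE_REALMS = ["abc.com"]   # EAP-TLS users handled locally, not proxied


if __name__ == "__main__":
    for who in ("alice@abc.com", "bob@unknown.test", "carol", "dave@roaming.edu"):
        idp = select_idp(who, SAMPLE_IDPS)
        print(who, "->", idp.name if idp else "no IdP",
              "| proxied:", should_proxy(who, SAMPLE_EXCLUDE_REALMS))
    print(validate_operator_name("1abc_university.edu"))
```

Two outcomes deserve attention when reviewing a configuration: an identity whose realm matches no Domain Names entry lands on whichever IdP is flagged Default IDP, so that flag determines which directory answers for unexpected realms; and with no default set such identities get no IdP at all.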