Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add Identity Providers for Juniper Mist Access Assurance

Juniper Mist™ Access Assurance integrates with various Identity Providers (IdPs) to enhance authentication and access control. Identity providers serve as authentication source (in case of EAP-TTLS) and authorization source (by obtaining user group memberships, account state etc) for EAP-TLS or EAP-TTLS.

Here are the supported IdPs:

  • Microsoft Entra ID (formerly known as Azure Active Directory)

  • Okta Workforce Identity

  • Google Workspace

  • Juniper Mist Edge Proxy

Juniper Mist Access Assurance uses identity providers (IdPs) to:

  • Get additional identity context such as user group memberships and account state of clients.

    This information is available in certificate-based authentication methods such as Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) and Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS).

  • Authenticate clients by validating credentials. EAP-TTLS supports credential-based authentication.

Remember that configuring IdPs is optional for EAP-TLS certificate-based authentication, but it is mandatory for credential-based authentication (EAP-TTLS). If you're setting up an IdP, ensure you have the necessary details, such as client ID and client secret, from the identity provider.

Juniper Mist Access Assurance uses the following protocols to integrate into any IdP to look up users and get device state information:

  • Secure Lightweight Directory Access Protocol (LDAP)
  • OAuth 2.0

Configuring IdPs is optional for EAP-TLS certificate-based authentication and mandatory for credential-based authentication (EAP-TTLS).

Prerequisites

To add identity providers for Juniper Mist Access Assurance:

  1. From the left menu of the Juniper Mist portal, select Organization > Access> Identity Providers.
  2. Click Add IDP near the top-right corner of the Identity Providers page.
  3. On the New Identity Provider page, enter a Name and select the IDP type:
    • LDAPS

    • OAuth

    • Mist Edge Proxy

    New Identity Provider Page - Name and IDP Type
  4. Refer to the tables below to enter the information required for the selected type.

    LDAPS

    Table 1: Settings for LDAPS IdPs

    Parameters

    Details

    LDAP Type Select one of the following options from the drop-down menu:
    • Azure
    • Okta
    • Custom

    Server Hosts

    Enter the name or the IP address of the LDAP server you’re going to use for authentication.

    Domain Names

    Enter the fully qualified domain name (FQDN) of the LDAP server.

    Default IDP

    Set the selected identity provider as default IdP. The system performs lookup in this IdP if the entered user domain name is unknown or not found.

    Bind DN

    Specify the user whom you've allowed to search the base domain name. Example: cn=admin, dc=abc, dc=com.

    Bind Password

    Enter the password of the user who is mentioned in the Bind DN.

    Base DN

    Enter a whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree, for example: OU=NetworkAdmins,DC=your,DC=domain,DC=com.

    LDAPS Certificates

    Add the Certificate Authority-generated certificate and the client certificate.

    • Group Filter
    • Member Filter
    • User Filter

    Specify the LDAP filter that will identify the type of group, member, or user. This option is available only for LDAP Type Custom.

    OAuth

    For OAuth type of authentication, enter the values as provided in Table 2. Some of the fields you enter here requires values you'll receive when you configure Azure or Okta Application. See Integrate Microsoft Entra ID as an Identity Provider or Integrate Okta as an Identity Provider.

    Table 2: Settings for OAuth IdPs

    Parameters

    Description

    OAuth Type

    Select one of the following options from the drop-down menu:
    • Azure
    • Okta

    OAuth Tenant ID

    Enter OAuth tenant ID. Use the ID you received during Azure or Okta application configuration.

    Domain Names

    Enter a fully qualified domain name.

    Default IDP

    Set the selected identity provider as default if user domain name is not specified.

    OAuth Client Credential (CC) Client Id

    The application ID of your client application. Use the ID you received during Azure or Okta application configuration.

    OAuth Client Credential (CC) Client Private Key (For Okta) Enter the private key generated during Okta application configuration.

    OAuth Resource Owner Password Credential (ROPC) Client Id

    (For Okta) Enter the client secret ID. Use the secret ID you received during Okta application configuration.

    OAuth Resource Owner Password Credential (ROPC) Client Secret

    (For Okta) Provide client secret value. Use the secret value you received during Okta application configuration.

    OAuth Client Credential (CC) Client Id (For Azure) Enter the client ID generated during Azure application configuration.
    OAuth Client Credential (CC) Client Secret (For Azure) Enter the client secret value generated during Azure application configuration.
    OAuth Resource Owner Password Credential (ROPC) Client Id (For Azure) same as OAuth Client Credential (CC) Client Id.

    Mist Edge Proxy

    Table 3: Settings for Mist Edge Proxy

    Parameters

    Description

    Proxy Hosts

    Enter a comma-separated list of the public IP or NAT IP addresses of the Mist Edges that are acting as proxies. All these addresses must be part of the cluster that you identify in the Mist Edge Cluster field.

    Mist Edge will listen on the specified addresses for:

    • Inbound RadSec requests from Mist Access Assurance

    • RADIUS requests from external RADIUS servers

    SSIDs Enter a comma-separated list of the SSIDs that this IdP will use.
    Mist Edge Cluster Select a cluster from the list.
    Note:

    If you need to add a Mist Edge cluster, select Mist Edges from the left menu, and then select Create Cluster, and enter the information.

    Exclude Realms

    Use this option if you want to avoid proxying certain users. This is required only when EAP-TLS is used for users without any external IdP added as authorization source.

    Enter the domain names/realms that you want to exclude; all other valid user realms will be proxied.

    Operator Name

    If you specify an operator name, it will be be included in access requests that are forwarded to the external RADIUS server. For example, some eduroam NROs require the operator name attribute.

    This attribute must start with 1, followed by an FQDN.

    Example: 1abc_university.edu

    RADIUS Authentication Servers You must specify at least one server. Click Add Server, and then enter the IP address, port, and shared secret.
    RADIUS Accounting Servers Click Add Server, and then enter the IP address, port, and shared secret.
  5. To save the changes, click Create at the top-right corner of the New Identity Provider page.