Juniper Mist Access Assurance Authentication Methods

Certificate-Based Authentication

• Certificate-based authentication enables mutual authentication between server and client devices and implements cryptography to provide secure network access.
• Digital certificates use a public key infrastructure (PKI) that requires a private-public key pair.
• An identity provider (IdP) is optional in certificate-based authentication. You can use an IdP to check user or device information such as account state and group information.
• Certificates are stored in secured storage.
• Certificate-based authentication requires client device provisioning, for which you typically use mobile device management (MDM).

Juniper Mist Access Assurance can integrate with any existing PKI and cloud-based IdPs such as Microsoft Azure AD, Okta, or Google Workspace to ensure certificate-based authentication is implemented in all applicable use cases.

Password-Based Authentication

• Password-based authentication requires an IdP for authentication. As most IdPs enforce multi-factor authentication (MFA), password-based authentication becomes impractical in 802.1X environments, particularly in wireless networks.
• The risk of person-in-the-middle attacks is significant, as 802.1X does not manage MFA well, especially on a wireless network.

We recommend password-based authentication only for scenarios where a PKI deployment is not immediately feasible or during transitions to certificate-based authentication. Avoid password-based 802.1X authentication in networks that support BYOD because of potential MITM attack vectors.

EAP-TLS

EAP-TLS leverages certificates and cryptography to provide mutual authentication between the client and the server. Both the client and the server must receive a digital certificate signed by a certificate authority (CA) that both the entities trust. This method uses certificates on both the client and server sides for authentication. For this authentication, the client and the server must trust each other's certificate.

Features

• Uses TLS to provide secure identity transaction
• An open IETF standard that is universally supported
• Uses X.509 certificates for authentication

Figure 1 shows the EAP-TLS authentication sequence.

The 802.1X standard specifies EAP as the encryption format for data transmission between a supplicant and an authenticator.

This method performs a four-way handshake with the following steps:

1. Either the authenticator (for example an AP) initiates a session request or the supplicant (a wireless client device) sends a session initiation request to the authenticator.
2. The authenticator sends an EAP request to the supplicant asking for the supplicant's identity.
3. The supplicant sends an EAP response to the authentication server (Juniper Mist Access Assurance cloud) through the authenticator.
4. The authentication server responds to the client device with a "Server Hello" message that includes a certificate.
5. The supplicant validates the server certificate. That is, the supplicant verfies whether the server certificate is signed by a trusted CA.
6. The supplicant sends a "Client Hello" message through the authenticator to present the client certificate to the Juniper Mist Access Assurance service
7. Juniper Mist Access Assurance validates that the client certificate is signed by a trusted CA.
8. Juniper Mist Access Assurance looks up the configured identity provider (IdP) sources and connects to an IdP to verify the user's name and some basic attributes.
9. Juniper Mist Access Assurance performs policy lookup and applies role and permission-based access to the client device.
10. Juniper Mist Access Assurance sends information about the VLAN and the assigned role to the authenticator so that it can assign the supplicant to the right network.
11. The authenticator sends an EAP-success message and provides access to the supplicant.

Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS/PAP)

EAP-TTLS-PAP uses user credentials, such as username and password on the client side and server certificate on the server side to perform authentication. When a client device establishes a secure TLS tunnel with authentication server, it passes credentials using PAP protocol inside an encrypted tunnel.

Figure 2 shows the EAP-TTLS/PAP authentication sequence.

EAP-TTLS/PAP authentication involves the following steps:

1. Either the authenticator (for example an AP) initiates a session request or the supplicant (a wireless client device) sends a session initiation request to the authenticator.
2. The authenticator sends an EAP request asking for identification information to the supplicant.
3. A supplicant sends an EAP response to the authentication server (example: Juniper Mist Access Assurance cloud).
4. The authentication server responds to the client device with a "Server Hello" message that includes a certificate. The server sends the message through the authenticator.
5. The supplicant validates the server certificate. That is, the supplicant verifies whether the server certificate is signed by a trusted CA. This validation sets up an encrypted TLS tunnel.
6. The supplicant sends account credentials, such as user name and password, through a TLS tunnel to the server. The supplicant encrypts the information with Lightweight Directory Access Protocol over SSL (LDAPS) or OAuth (HTTPS).
7. Juniper Mist Access Assurance performs a lookup against its configured identity provider sources to find the user's name along with some basic attributes.
8. Juniper Mist Access Assurance performs policy lookup and applies role and permission-based access to the client device.
9. Juniper Mist Access Assurance sends information about the VLAN and the assigned role to the authenticator so that it can assign the supplicant to the right network.
10. The authenticator sends an EAP-success message and provides access to the supplicant.