Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Use Case: Mist Edge Proxy for Eduroam

This eduroam use case illustrates how to use Mist Edge as an IdP Proxy.

Overview

This use case shows how you can integrate Juniper Mist Access Assurance with eduroam NROs (National Roaming Operators) using Mist Edge acting as a RADIUS proxy. Mist Edge acts as a gateway to eduroam RADIUS servers with a static public IP or NAT IP assigned such that it can be registered as a RADIUS client in the eduroam admin portal.

Mist Edge Proxy is used in particular with eduroam SP and IdP authentication flows; it does not affect home users authentication.

The following call flows illustrate three types of users in eduroam networks and how each type authenticates via Mist Access Assurance and Mist Edge proxy: home users on campus, external visitors on campus (SP), and home roaming users (IdP).

Home Users

Home users are clients that are connecting to the eduroam SSID on their own university campus. For example, a user with an @university1.edu account is currently at University 1. This user is on their "home" realm. This is the typical scenario for most authentications happening daily at this university.

This scenario does not require Mist Edge proxy. The user authenticates directly with Mist Access Assurance.

Call Flow for Home Users

External Visitors

External visitors are clients who are visiting a university campus from another institution. For example, a user with an @university2.edu account is currently visiting Univeristy 1. This user is identified by a realm that is not the “home” realm.

This scenario requires Mist Edge Proxy IDP to forward authentication requests to university2.edu via eduroam RADIUS servers. External visitors authenticate via a Mist Edge proxy, where Mist Edge the proxies authentication requests towards the eduroam national RADIUS servers.

Call Flows for External Visitor

Home Roaming Users

Home roaming users are clients who are visiting a different institution and would like to authenticate to an eduroam SSID by using their home university credentials.

In this example, a user with an @university1.edu account is visiting University 2. The authentication requests are coming from university2.edu via eduroam RADIUS servers towards university1.edu. RADIUS Access-Requests from eduroam national RADIUS servers are received by the Mist Edge Proxy and then forwarded to the Mist Access Assurance service for authentication.

Call Flows for Roaming Home Users

Firewall Requirements

Mist Edge uses Out Of Band Management interface (OOBM) for all its proxy functionalities. It is possible to either assign a public IP address to the OOBM interface or place it behind NAT firewall.

The following ports and destinations must be allowed:

  • Inbound (towards Mist Edge OOBM interface)

    • RADIUS Auth & Acct (1812 / 1813 UDP) – you could limit source IPs to eduroam national RADIUS servers

    • RadSec (2083 TCP) – you could limit source IPs based on the following document.

  • Outbound (from Mist Edge OOBM interface):

    • RADIUS Auth & Acct (1812 / 1813 UDP)

    • RadSec (2083 TCP) towards radsec.nac.mist.com

    • HTTPS (443 TCP) towards ep-terminator.<mist_cloud_env>.mist.com (more on correct endpoint for your cloud environment in this document).

Note:
  • Mist Access Assurance only supports EAP-TLS, TEAP or EAP-TTLS methods for home users and home roaming users.
  • For external visitors any EAP method is supported, including PEAP-MSCHAPv2. EAP method support is determined by an external institution RADIUS servers.
  • Dedicated Mist Edge(s) are a must for the IDP proxy functionality.
  • For proxy service redundancy multiple Mist Edges can be used as part of the same Mist Edge cluster.

Configure Juniper Mist

Complete these steps in the Juniper Mist Portal.
  1. On the Mist Edges page, claim or register a Mist Edge and create a Mist Edge cluster.
    You can do these tasks by selecting Mist Edges from the left menu of the Juniper Mist portal. Then use the buttons to Claim Mist Edge, Create Mist Edge, and Create Cluster.
  2. On the Identity Providers page, add a Mist Edge Proxy Identity Provider.
    For help, see Add Identity Providers for Juniper Mist Access Assurance.
  3. On the Auth Policies page, configure rules for your eduroam SSID.

    The following example shows a basic scenario. Both home and external users are on eduroam network. External users are placed into a Guest VLAN, while home and home roaming users are placed into a primary university VLAN.

    Sample Auth Policy

Configure Eduroam

In the Eduroam admin console, add your Mist Edges. Depending on the eduroam NRO, the admin console might look different, but the overall integration points will remain the same.

Eduroam Hotspot RADIUS Servers

Eduroam Admin Console: Hotspot RADIUS Servers Page

eduroam IdP Realms

Eduroam Admin Console: IdP Realms Page

Verification

To verify the configuration, check the events on the Client Insights page or under NAC Events on the Auth Policies page.

Note:

For external users only, a NAC Client Access Allowed or Denied event will be generated without any other NAC events, due to the fact that authentication is handled by an external RADIUS server (eduroam).

Client Events Page Showing NAC Client Access Events

See Also