Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enable WPA2/WPA3 Enterprise (802.1X) Security on a WLAN

SUMMARY Enable WPA2/WPA3 Enterprise on your WLAN for advanced authentication using a RADIUS server.

These topics guide you through the basic steps of enabling 802.1x security and adding your RADIUS server, with additional information about various options.

Set the WLAN Security Type and Add Your RADIUS Server

Juniper Mist supports IEEE 802.1X security for WPA2 and WPA3.

Note:

WPA3 or OWE are mandatory in 6 GHz. To adopt 6 GHz, also means adopting WPA3.

To set the WLAN security type and add your RADIUS server:

  1. Navigate to the WLAN.
    • If the WLAN is in a WLAN template, select Organization > Wireless | WLAN Templates, click the template, and then click the WLAN.

    • For a site-level WLAN, select Site > Wireless | WLANs, and then click the WLAN.

  2. In the Security section of the Edit WLAN window:
    1. Click WPA3 or WPA2.
    2. Click Enterprise (802.1X).

    RADIUS authentication is available only when you've selected WPA2/WPA3 and Enterprise (802.1X) in the Security section.

    Security Type Section of the Edit/Create WLAN Page
  3. In the Authentication Servers section, add your server.
    1. Select RADIUS as the server type.
    2. Click Add Server.
      Add Server Button
    3. Enter the Hostname and the Shared Secret.
      Note:

      You can use site variables instead of entering the hostname. See (Optional) Use Site Variables to Add a Server.

    4. Click the check mark button.
      Hostname, Shared Secret, and Checkmark Button
  4. (Optional) Configure additional options for your WLAN if needed (as described in the remaining sections of this document).
  5. Save the WLAN configuration, and save the template changes (if the WLAN is part of a WLAN template).

(Optional) Use Site Variables to Add a Server

By using site variables to identify your RADIUS server, you can easily apply the same WLAN configuration to APs at different sites even though certain attributes are different. In this scenario, imagine that Site A and Site B use different RADIUS servers. You'll use variables to add the RADIUS server in the WLAN configuration. Then you'll define the variables differently in the two site configurations.

To use site variables to add a server:

  1. Define the site variables in the site configuration for the first site:
    1. Select Organization > Site Configuration from the left menu of the Juniper Mist portal.
    2. Click the site that you want to configure, such as Site A.
    3. In the Site Variables section, click Add Variable.
    4. Enter a variable name and value for the IP address of the RADIUS server, and then click Save.

      As shown below, enter {{RADIUS_IP}} for Variable. Enter the actual IP address for Value.

      Entering the Variable Name and Value
    5. Add a variable for the Shared Secret, such as {{RADIUS_Secret}}, and enter the actual Shared Secret for this server as the Value.

      After you add the two variables, they appear in the Site Variables section of the Site Configuration page.

      Example: Site Variables List on the Site Configuration Page
  2. Add the same variables to the next site (Site B), and enter the correct values for that site's RADIUS server.
    For example, in the site configuration for Site B, add the same {{RADIUS_Server}} variable. In the Value field, enter the actual IP address for Site B's RADIUS server. Also add the same {{RADIUS_Secret}} variable, and enter the correct Shared Secret for the Value.
  3. Click Save at the top-right corner of the Site Configuration page.
  4. Set the WLAN Security Type and Add Your RADIUS Server, and enter variables for the server details.

    For example, use variables when adding a RADIUS server or a CoA/DM server.

    In this example, the Hostname is {{RADIUS_IP}} and Shared Secret is {{RADIUS_Secret}}.

    Example: Variables in the Hostname and Shared Secret Fields
  5. Save the WLAN settings.

(Optional) Add a NAS Identifier and NAS IP Address

When you're enabling 802.1X security on a WLAN, you can add a NAS Identifier or NAS IP Address to customize the information that is passed to your RADIUS server.

For example, you could enter the site ID (in a site-level WLAN) or a site name variable (in a WLAN template) as the NAS Identifier. With this approach, you can associate all activity with a site to facilitate your auditing/accounting processes or to create different RADIUS rules for different sites. Another example is to enter the word Mist as the NAS Identifier. This way, you can create a different RADIUS rule or guest portal experience for traffic coming from Mist.

If you leave the NAS Identifier field blank, the WLAN ID is used as the NAS ID.

You can enter plain text and variables. The following variables are valid in this field:

  • Device Name—{{DEVICE_NAME}}

  • Model—{{DEVICE_MODEL}}

  • MAC Address—{{DEVICE_MAC}}

  • Site Name—{{SITE_NAME}}

This example shows how you can use both text and variables in the ID.

Example: Using Variables in the NAS Identifier Field

As shown below, when an AP on this WLAN sends an Access-Request, the variables are transformed to identify the AP.

Example: Access-Request Contents Including NAS-ID

Alternatively, specify a NAS IP Address. Normally, Mist passes through the actual IP address of the AP. But you might want to specify an IP address to be used for all activity, so that you can reference it in your RADIUS policies.

You can add the NAS Identifier or NAS IP Address in the Edit/Create WLAN window.

(Optional) Add a CoA/DM Server

When you're enabling 802.1X security on a WLAN, you also can add a CoA/DM server.

Change of Authorization (CoA) allows you to modify authorized RADIUS sessions after initial authentication to meet changing access requirements. For example, enable use cases such as administrator-initiated session resets.

Note:

For more information, see Change of Authorization (CoA).

(Optional) Enable RadSec

RadSec is a protocol that allows RADIUS servers to transfer data over TCP and TLS for increased security. With RadSec capabilities, you can transfer RADIUS packets through public networks while still ensuring end-to-end security through the transport layer.
To enable RadSec and install the certificates:
  1. After you Set the WLAN Security Type and Add Your RADIUS Server, add your RadSec server:
    1. In the Authentication Servers section, select RadSec from the drop-down list.
    2. Enter the Server Name.
    3. Click Add Server, and enter the Hostname.
      RadSec Settings
    4. Click the check mark button to add the server.
    5. Save the WLAN configuration, and save the template changes (if the WLAN is part of a WLAN template).
  2. Get your Mist certificate from your organization settings:
    1. Select Organization > Settings from the left menu of the Juniper Mist portal.
    2. Under Mist Certificate, click View Certificate. Copy the certificate. You'll need it for the next step.
  3. Go to your RadSec server and complete these tasks:
    1. Load the copied Mist certificate.
    2. Copy your RadSec certificate from your RadSec server. You'll need it for the next step.
  4. Return to the Organization Settings page in Juniper Mist portal and add your RadSec certificate:
    1. Under RadSec Certificates, click Add a RadSec certificate.
    2. Paste the contents of the certificate from your RadSec server.
    3. Click Add.
  5. (Optional) If you want to use your own AP RadSec certificates (rather than the unique certificate that Mist generates for each AP), click Add AP RadSec certificate, and then enter the private key and the signed certificate for the CA certificate.
  6. Click Save at the top-right corner of the Organization Settings page.