Enable WPA2/WPA3 Enterprise (802.1X) Security on a WLAN
SUMMARY Enable WPA2/WPA3 Enterprise on your WLAN for advanced authentication using a RADIUS server.
These topics guide you through the basic steps of enabling 802.1X security and adding your RADIUS server, with additional information about the various options.
Set the WLAN Security Type and Add Your RADIUS Server
Juniper Mist supports IEEE 802.1X security for WPA2 and WPA3.
WPA3 or OWE is mandatory in the 6 GHz band, so adopting 6 GHz also means adopting WPA3.
To set the WLAN security type and add your RADIUS server:
(Optional) Use Site Variables to Add a Server
By using site variables to identify your RADIUS server, you can easily apply the same WLAN configuration to APs at different sites even though certain attributes are different. In this scenario, imagine that Site A and Site B use different RADIUS servers. You'll use variables to add the RADIUS server in the WLAN configuration. Then you'll define the variables differently in the two site configurations.
To use site variables to add a server:
(Optional) Add a NAS Identifier and NAS IP Address
When you're enabling 802.1X security on a WLAN, you can add a NAS Identifier or NAS IP Address to customize the information that is passed to your RADIUS server.
For example, you could enter the site ID (in a site-level WLAN) or a site name variable (in a WLAN template) as the NAS Identifier. With this approach, you can associate all activity with a site to facilitate your auditing/accounting processes or to create different RADIUS rules for different sites. Another example is to enter the word Mist as the NAS Identifier. This way, you can create a different RADIUS rule or guest portal experience for traffic coming from Mist.
If you leave the NAS Identifier field blank, the WLAN ID is used as the NAS ID.
You can enter plain text and variables. The following variables are valid in this field:
- Device Name—{{DEVICE_NAME}}
- Model—{{DEVICE_MODEL}}
- MAC Address—{{DEVICE_MAC}}
- Site Name—{{SITE_NAME}}
This example shows how you can use both text and variables in the ID.
As shown below, when an AP on this WLAN sends an Access-Request, the variables are transformed to identify the AP.
Alternatively, specify a NAS IP Address. Normally, Mist passes through the actual IP address of the AP. But you might want to specify an IP address to be used for all activity, so that you can reference it in your RADIUS policies.
You can add the NAS Identifier or NAS IP Address in the Edit/Create WLAN window.
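To make the variable handling concrete, here is an added Python example (not Mist's own code) that models how a NAS Identifier template is expanded for one AP, applies the blank-field fallback to the WLAN ID and the NAS IP Address override described above, and shows how a RADIUS server could select a per-site rule by NAS-Identifier prefix. The AP attributes, WLAN ID and rule list are constructed values for illustration.

```python
import re
from dataclasses import dataclass

# Variables the page lists as valid in the NAS Identifier field.
NAS_ID_VARIABLES = ("DEVICE_NAME", "DEVICE_MODEL", "DEVICE_MAC", "SITE_NAME")
_VAR_RE = re.compile(r"\{\{\s*([A-Za-z_]+)\s*\}\}")


@dataclass(frozen=True)
class AccessPoint:
    """Constructed AP attributes (hypothetical values, not a real deployment)."""
    name: str
    model: str
    mac: str
    ip: str
    site_name: str


def render_nas_identifier(template: str, ap: AccessPoint, wlan_id: str) -> str:
    """Expand {{VARIABLE}} tokens in a NAS Identifier template for one AP.
    A blank template falls back to the WLAN ID, as the page states; a token
    outside the four supported variables is rejected instead of being sent
    to the RADIUS server unexpanded."""
    if not template.strip():
        return wlan_id
    values = {"DEVICE_NAME": ap.name, "DEVICE_MODEL": ap.model,
              "DEVICE_MAC": ap.mac, "SITE_NAME": ap.site_name}

    def expand(match: re.Match) -> str:
        name = match.group(1).upper()
        if name not in NAS_ID_VARIABLES:
            raise ValueError("unsupported NAS Identifier variable: " + match.group(0))
        return values[name]

    return _VAR_RE.sub(expand, template)


def access_request_nas_attrs(template, ap, wlan_id, nas_ip_override=None):
    """NAS-related attributes of an Access-Request: the AP's own address is used
    unless the WLAN specifies a fixed NAS IP Address for all activity."""
    return {"NAS-Identifier": render_nas_identifier(template, ap, wlan_id),
            "NAS-IP-Address": nas_ip_override or ap.ip}


def match_site_policy(attrs, rules):
    """Server-side check: first rule whose NAS-Identifier prefix matches wins.
    `rules` is a constructed list of (prefix, policy_name) pairs, e.g. one per
    site, with a bare "Mist" prefix catching all traffic from Mist APs."""
    nas_id = attrs.get("NAS-Identifier", "")
    for prefix, policy in rules:
        if nas_id.startswith(prefix):
            return policy
    return "default"
```

Order the rules from most specific to least specific, since the first matching prefix is used.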
(Optional) Add a CoA/DM Server
When you're enabling 802.1X security on a WLAN, you also can add a CoA/DM server.
Change of Authorization (CoA) allows you to modify authorized RADIUS sessions after initial authentication to meet changing access requirements. For example, it enables use cases such as administrator-initiated session resets.
For more information, see Change of Authorization (CoA).
(Optional) Enable RadSec
- After you Set the WLAN Security Type and Add Your RADIUS Server, add your RadSec server.
- Get your Mist certificate from your organization settings:
  - Select Organization > Settings from the left menu of the Juniper Mist portal.
  - Under Mist Certificate, click View Certificate. Copy the certificate. You'll need it for the next step.
- Go to your RadSec server and complete these tasks:
  - Load the copied Mist certificate.
  - Copy your RadSec certificate from your RadSec server. You'll need it for the next step.
- Return to the Organization Settings page in the Juniper Mist portal and add your RadSec certificate:
  - Under RadSec Certificates, click Add a RadSec certificate.
  - Paste the contents of the certificate from your RadSec server.
  - Click Add.
  - (Optional) If you want to use your own AP RadSec certificates (rather than the unique certificate that Mist generates for each AP), click Add AP RadSec certificate, and then enter the private key and the signed certificate for the CA certificate.
  - Click Save at the top-right corner of the Organization Settings page.