We have a Juniper-Mist Wired and Wireless infrastructure. Do we need to purchase any hardware to enable Access Assurance?
- No additional hardware needs to be installed or maintained. Just a few clicks and NAC is ON!
- Note: Mist Auth support for Juniper EX switches requires Junos 20.4R3-S7 or above, 22.3R3 or above, 22.4R2 or above, 23.1R1 or above. Mist Auth support for Mist APs requires firmware version 0.6.x or above.
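
The version note above can be checked against a switch inventory with a short script. This is an added example, not Juniper's code: it assumes each listed version is a minimum within its own release train, and it reports trains the note does not name (21.x, 22.1, 22.2) as unlisted. The function names and the sample inventory are constructed.

```python
import re

# Per-train minimums quoted in the note: train -> (R number, S number).
MIN_BY_TRAIN = {(20, 4): (3, 7), (22, 3): (3, 0), (22, 4): (2, 0), (23, 1): (1, 0)}

# Junos release string: <major>.<minor>R<release>[-S<service>][.<build>]
_REL = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def mist_auth_ready(version):
    """Return 'supported', 'upgrade' or 'unlisted' for a Junos version string."""
    m = _REL.match(version.strip())
    if not m:
        return "unlisted"  # unparsed format (e.g. special builds): check by hand
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    train = (major, minor)
    if train in MIN_BY_TRAIN:
        return "supported" if (rel, svc) >= MIN_BY_TRAIN[train] else "upgrade"
    if train > max(MIN_BY_TRAIN):
        return "supported"  # newer train than 23.1, covered by "23.1R1 or above"
    if train < min(MIN_BY_TRAIN):
        return "upgrade"    # older than every train the note lists
    return "unlisted"       # assumption: in-between trains are not named in the note


def triage(inventory):
    """Group a {hostname: version} mapping by readiness status."""
    out = {"supported": [], "upgrade": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        out[mist_auth_ready(version)].append(host)
    return out


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = {
    "ex-core-1": "22.4R2-S1.6",
    "ex-access-1": "20.4R3-S6",
    "ex-access-2": "21.4R3-S5",
    "ex-access-3": "23.2R1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```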
Do I need to open any additional firewall rules for my Access Points and switches to use Mist Access Assurance?
- Yes, on your firewall you need to allow outbound connections destined to radsec.nac.mist.com over TCP Port 2083.
Missing Access Assurance option in UI
- Mist Access Assurance is in limited availability. Please contact your Juniper Mist representative if you would like to try it or would like more details.
Access Assurance is available as a client device subscription. For current Juniper Mist customers, we have made it really simple: the same subscription used for IoT Assurance also entitles you to Access Assurance. The following SKUs are intended to be made available for Access Assurance.
| SKU | Description |
| --- | --- |
| S-CLIENT-S-1 | Standard Access Assurance subscription for 1 client for 1 year |
| S-CLIENT-S-3 | Standard Access Assurance subscription for 1 client for 3 years |
| S-CLIENT-S-5 | Standard Access Assurance subscription for 1 client for 5 years |
What will happen if I lose connectivity to Mist Cloud?
- The Mist Cloud and the Access Assurance service are built on a microservices architecture, with the highest level of resiliency built into the design at all levels. In the rare event of a persistent loss of connectivity to the cloud, all authenticated and authorized client devices will continue to function and roam seamlessly.
Which authentication methods do you support with Mist Access Assurance?
- 802.1X
  - EAP-TLS/PEAP-TLS – clients use digital certificates to authenticate. We will work with any 3rd party Certificate Infrastructure. Optionally, an Identity Provider lookup can be added to get additional authorization context (account validity, user group information) on top of certificate validation.
  - EAP-TTLS – clients use credentials (username/password) to authenticate. In this scenario an Identity Provider is required, and Mist Access Assurance validates user credentials against an IdP, for example Azure AD, Okta, Google Workspace.
- MAC Authentication Bypass (MAB) – typically used in wired IoT use cases where devices do not support 802.1X authentication methods.
Will we experience any latency issues?
- Juniper-Mist Access Assurance has microservices with geo-affinity built into the design, which makes latency comparable to any current on-prem system. We encourage you to try it out and measure user experience using the Mist solution.
PSK-based IoT onboarding
- PSK-based IoT device onboarding continues to work the same way as before. Please refer to the following article: