3rd Party Device Support – Mist Edge Auth Proxy

Overview

Mist Access Assurance supports user and device authentication by leveraging a Mist Auth Proxy application running on a Mist Edge platform.

Mist Edge is managed by the Mist Cloud and serves as a “gateway” for any non-Mist managed device that needs to authenticate end-clients connecting to it (a 3rd party switch, wireless LAN controller or Access Point), or to authenticate management users logging in to the network device itself, such as an admin login to a firewall or switch CLI management interface.

3rd party devices need to be added as RADIUS Clients on the Mist Edge Cluster; from there all authentication traffic is wrapped into a secured RadSec tunnel and sent to the Mist Access Assurance cloud.

Design considerations:

  • Mist Edge can serve as the authentication proxy for multiple sites; it is not required to have a Mist Edge per site.
  • For redundancy, it is recommended to place at least a few Mist Edges in different Data Centers or Points of Presence.

Supported Mist Edge platforms

Mist Auth Proxy functionality is supported on all Mist Edge platforms:

  • VM
  • X1/X1M
  • X5/X5M
  • X10

Note: It is recommended to use a dedicated Mist Edge appliance (or VM) for Mist Auth Proxy and not to mix it with Tunterm or OCProxy functionality.

Mist Edge VM notes

  • Only a single network interface is required
  • The following Mist Edge SKU is required to unlock the Mist Auth proxy functionality: ME-VM-OC-PROXY

Handling RADIUS Attributes

  • Based on the configured Vendor, Mist Access Assurance automatically sends the correct RADIUS Attributes in the Access-Accept response to assign VLANs, Roles (Firewall filters) and Session Timeout.
  • Any special use-cases can be handled by leveraging Custom Vendor Specific RADIUS Attribute labels to send specific attributes back.
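As an added example (not part of the Mist documentation or of the Mist Edge code), the following Python shows what a NAS does with the Access-Accept described above: it checks the Response Authenticator against the shared secret configured for the RADIUS Client, then decodes the VLAN, role and Session-Timeout attributes. The shared secret, Request Authenticator and packet are constructed; using Filter-Id as the role carrier is an assumption, since the real attribute depends on the Vendor selected for the client.

```python
import hashlib
import hmac
import struct
ATTR_FILTER_ID = 11                # role / firewall filter name (assumed carrier)
ATTR_SESSION_TIMEOUT = 27
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string holding the VLAN id (RFC 2868)
# Constructed secret and Request Authenticator (a real NAS uses its own random one)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

def build_response(code, ident, request_auth, attrs, secret):
    """Encode a response; authenticator = MD5(hdr + ReqAuth + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """True only if the response was built with the same shared secret."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attributes(packet):
    """Walk the TLV list, rejecting truncated or under-length attributes."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs

def extract_assignment(packet):
    """Pull VLAN, role and session timeout out of a verified Access-Accept."""
    out = {}
    for t, v in parse_attributes(packet):
        if t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte <= 0x1F is a tunnel tag, not VLAN text
            out["vlan"] = (v[1:] if v and v[0] <= 0x1F else v).decode()
        elif t == ATTR_FILTER_ID:
            out["role"] = v.decode()
        elif t == ATTR_SESSION_TIMEOUT:
            out["session_timeout"] = struct.unpack("!I", v)[0]
    return out

def sample_accept():
    """Constructed Access-Accept (code 2): VLAN 100, role 'employee', 3600 s."""
    attrs = [(64, b"\x01\x00\x00\x0d"), (65, b"\x01\x00\x00\x06"),  # VLAN, IEEE-802
             (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100"), (ATTR_FILTER_ID, b"employee"),
             (ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600))]
    return build_response(2, 7, REQUEST_AUTH, attrs, SECRET)
```

A NAS must only apply the assignment when verify_response succeeds; a packet with a tampered VLAN still parses, but the authenticator check fails.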

Configuration

Configuration of the proxy

Navigate to Mist Edges > Edit your Mist Edge Cluster

Enable Radius Proxy, set type as Mist Auth Proxy, then click Add Client:

Provide an IP address or IP subnet for the RADIUS Client (a 3rd party device), the RADIUS shared secret, select the Vendor of the 3rd party device and optionally select the Site where that device is located.

Note that you can leverage different NAS Vendors in your auth policy rules to differentiate between the various vendor / rule combinations.

Configuration of the NAS device

Point your 3rd party NAS devices at the Mist Edge OOBM IP address as the RADIUS server.

If you are deploying multiple Mist Edges, add every Mist Edge as a RADIUS server in failover or load-balance mode, depending on what your 3rd party device supports.