Here are some of the best practices for securing devices on your network. When we talk about the most secure method of controlling access to the network, we are usually talking about 802.1X.
Configuration
To get started with Mist Access Assurance, we will begin by looking at various 802.1X authentication use cases for both wireless and wired clients.
How to create both CA and client certificates that you can use for lab testing.
How to configure client devices on different operating systems to connect to a Wi-Fi network using certificates. Note: this video is only useful if you are doing lab testing with your test certificates, not for production networks.
How to have a Windows device use a certificate to authenticate. We have our lab test certificate with the CA embedded, and we previously embedded our Mist certificate in the Mist dashboard.
Let's take a look at how we configure an Android device, in this case a Pixel 7, with our certificate. We have the same two certs, which we need to copy over to the Android device via USB or any other way…
Validation and troubleshooting: if we look at one of the clients that we connected successfully, we can take a look at the Intel device and client insights. We now have all the network-related events as the client goes through DHCP, resolving ARP and DNS….
Authentication policies: how can we use them in combination with certificates alone? We will create another example. So far we have authenticated a user using the test certificate we created before. What if we want to differentiate between different types of users just by looking at their certificates?
In our use cases so far we have been using EAP-TLS, looking only at the user certificate; now let's add a little bit more into the mix. Let's add an identity provider lookup: what we want to do is still use EAP-TLS for the authentication but add….
Now that we have configured this, let's validate. Let's see which policy is actually being "hit" by this user. We went in and did a "client certificate check", so we see the client trusted the server certificate…
Now, what else can we do with an IdP? What about authenticating users themselves without certificates, using their username/password? We can leverage the existing connector with Azure to use EAP-TTLS authentication…
What about wired devices: how do we authenticate and authorize wired clients? We use the exact same policy engine we used for wireless clients.
How do we validate? We've connected a couple of clients to a switch: one is a laptop using a certificate and the other is a Phillips U-hub that doesn't do 802.1X and is just doing MAC authentication…
Mist Access Assurance is able to integrate natively with the Google Workspace IdP, leveraging the secure LDAPS connector, for the following use cases: User credential authentication (via EAP-TTLS/PAP) – validate user credentials (username/password) against the Google IdP. User account and group attribute lookup – obtain information about user account validity and user group memberships for both EAP-TLS and EAP-TTLS...
Mist Access Assurance supports user and device authentication by leveraging a Mist Auth Proxy application running on a Mist Edge platform. Mist Edge is managed by the Mist Cloud and serves as a "gateway" for any non-Mist-managed device that needs to perform authentication of end clients connecting to it (a 3rd-party switch, wireless...
Additional configuration is necessary if you opt to use EAP-TTLS/PAP (username + password) authentication for Apple devices; this can be achieved by creating a profile with the free Apple Configurator tool. Note: trying to input a username/password at the login prompt by clicking on the SSID will not work (Apple devices use PEAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2, which use password...
Mist Access Assurance allows you to integrate our authentication service natively with Microsoft Entra ID (formerly known as Azure Active Directory) using OAuth. How can you leverage Entra ID as an identity provider in combination with Mist Access Assurance? User authentication via EAP-TTLS: authenticate the user by performing delegated authentication, checking the username and password via OAuth...
Mist Access Assurance allows you to integrate natively with the Microsoft Intune endpoint management platform for the purpose of checking the compliance state of managed endpoints. Microsoft Intune-managed devices (laptops, mobile devices) are evaluated by Intune for compliance using Device Compliance Policies (presence of an antivirus, firewall status, latest security patches, and so on). Mist Access...
Mist Access Assurance allows you to integrate natively with the JAMF Pro endpoint management platform for the purpose of checking the compliance state of managed endpoints. JAMF-managed devices (MacBooks, iOS or iPadOS mobile devices) are evaluated by JAMF for compliance using Smart Computer Groups for MacBooks and Smart Device Groups for iPads and iOS devices (presence...
When clients use any form of EAP authentication, authentication is always mutual: the client needs to trust or authenticate the server it is talking to, and the server needs to authenticate the client. The first step of that mutual authentication is for the client to validate or trust a server...
Currently TEAP is only supported on Windows 10 and above. As of the time of this writing, a Wi-Fi/wired profile with TEAP can only be configured manually or via scripts, which can be distributed via MDM/GPO. Current MDM solutions do not provide out-of-the-box support for TEAP configuration. Navigate to Control Panel > Network and Sharing...
This article covers the requirements and installation instructions for a Mist Edge VM used for Mist Auth Proxy functionality. The following are the minimum hardware requirements for a Mist Edge VM for the Mist Auth Proxy feature. Supported hypervisor: VMware ESXi, tested versions – 6.7.0 and 7.0. Sizing for production is as below: CPU:...
Mist Access Assurance provides the capability to integrate with eduroam NROs (National Roaming Operators) using Mist Edge as a RADIUS proxy. Mist Edge acts as a gateway to the eduroam RADIUS servers, with a static public IP or NAT IP assigned so that it can be registered as a RADIUS client in the...
Mist Access Assurance allows you to integrate our authentication service natively with the Okta directory using OAuth. How can you leverage Okta as an identity provider in combination with Mist Access Assurance? User authentication via EAP-TTLS: authenticate the user by performing delegated authentication, checking the username and password via OAuth. Obtain user group memberships to leverage them in...
Passwords vs Certificates – TL;DR: Understand your use cases. Select the authentication method (802.1X or MPSK) that strikes the right balance between security and client and user capabilities. Certificates are always recommended, especially as a long-term solution; current onboarding mechanisms provide a good way to control certificate provisioning at scale for your whole client population. Use...