Configuration

Access Control General Best Practices

Here is some of the best practices in securing your devices in the network.  When we talk about the most secure method to secure access to the network we are usually talking about 802.1x.  

Simple EAP-TLS Validation

Validation and troubleshooting, so if we look at one of these clients that we connected successfully, we can take a look at the Intel device and client insights, we now have all the network related events as the client goes through updating DHCP, resolving ARP and DNS….

EAP-TLS – leveraging certificate attributes to create Auth Policies

Authentication policies, how can we use them in combination with certificates alone.  We will create another example, so far we have authenticated a user using the test certificate we created before.  What if we want to differentiate between different types of users just by looking at certificates.

Azure with EAP-TLS Configuration

In our use cases, so far we have been using EAP-TLS just by looking at the user certificate now let’s add a little bit more into the mix. Lets add identity provider lookup, so what we want to do is still use EAP-TLS for the authentication but add….

EAP-TLS with Azure: validation & WxLAN integration

Now we have configured let’s validate. Let’s see which policy is actually being “hit” by this user. So we went in and did “client certificate check” , so we see the client trusted the server certificate…

Wired Authentication validation

How do we validate?  We’ve connected a couple of clients to a switch, one is a laptop using a certificate and the other one is a Phillips U-hub that doesn’t do 802.1x and just doing MAC authentication…

Google Workspace Integration

Mist Access Assurance is able to natively integrate into Google Workspace IdP leveraging secure LDAPS connector for the following use-cases: User Credential Authentication (via EAP-TTLS/PAP) – validate user credentials (username/password) against Google IdP. User account and Group attribute lookup – obtain information about user account validity and user group memberships for both EAP-TLS and EAP-TTLS...

3rd Party Device Support – Mist Edge Auth Proxy

Overview Mist Access Assurance supports user and device authentication by leveraging a Mist Auth Proxy application running on a Mist Edge platform. Mist Edge is managed by the Mist Cloud and servers as a “gateway” for any non-Mist managed device that needs to perform authentication of end-clients connecting to it (a 3rd party switch, wireless...

EAP-TTLS – Apple Client Initial Configuration

Overview Additional configuration is necessary if opting to use EAP-TTLS/PAP (username+password) authentication for Apple devices, which can be achieved by creating a profile using a free Apple Configurator tool. Note: trying to input Username/Password at the login prompt by clicking on the SSID will not work (Apple devices use PEAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2, which uses password...

Microsoft Azure AD/Entra ID Integration

Overview Mist Access Assurance allows you to integrate our authentication service natively into Microsoft Entra ID (formerly known as Azure Active Directory) using OAuth. How can you leverage Entra ID as Identity Provider in combination with Mist Access Assurance? User authentication via EAP-TTLS Authenticate User by doing delegated authentication checking username and password via OAuth...

Microsoft Intune Integration

Overview Mist Access Assurance allows you to integrate natively into Microsoft Intune Endpoint Management platform  for the purposes of checking managed endpoint compliance state. Microsoft Intune managed devices (laptops, mobile devices) are evaluated by Intune for compliancy using Device Compliance Policies (presence of an antivirus, firewall status, latest security patches, and so on). Mist Access...

Mist Access Assurance – JAMF Pro Integration

Overview Mist Access Assurance allows you to integrate natively into JAMF Pro Endpoint Management platform for the purposes of checking managed endpoint compliance state. JAMF managed devices (macbooks, iOS or iPadOs mobile devices) are evaluated by JAMF for compliancy using Smart Computer Groups for macbooks and Smart Device Groups for iPads and iOS devices (presence...

Mist Access Assurance – Server Certificate

Overview When clients are using any form of EAP authentication, authentication is always mutual, i.e. both the client need to trust or authenticate the server they are talking to, as well as the server needs to authenticate the client. First step of that mutual authentication is for the client to validate or trust a Server...

Mist Access Assurance – TEAP Windows Client Configuration

Currently TEAP is only supported on Windows 10 and above. As of time of this writing WiFi/Wired profile with TEAP can only be configured manually or via scripts, which can be distributed via MDM/GPO. Current MDM solutions do not provide out-of-the box support for TEAP configuration.   Navigate to Control Panel > Network and Sharing...

Mist Auth Proxy – Mist Edge VM Installation

This article covers requirements and installation instructions of a Mist Edge VM for the purposes of Mist Auth Proxy functionality. The following are the minimum hardware requirements for a Mist Edge VM for Mist Auth Proxy feature. Supported Hypervisor: VMware ESXi, tested versions – 6.7.0 and 7.0. Sizing for a Production is as below: CPU:...

Mist Edge Proxy IdP – eduroam

Overview Mist Access Assurance provides a capability to integrate with eduroam NROs (National Roaming Operators) using Mist Edge acting as a RADIUS proxy. Mist Edge would act as a gateway to eduroam RADIUS servers with a static public IP or NAT IP assigned such that it can be registered as a RADIUS client in the...

Okta Integration

Overview Mist Access Assurance allows you to integrate our authentication service natively into Okta directory using OAuth. How can you leverage OKTA as Identity Provider in combination with Mist Access Assurance? User authentication via EAP-TTLS Authenticate User by doing delegated authentication checking username and password via OAuth Obtain user group memberships to leverage them in...

Passwords vs Certificates for 802.1X

Passwords vs Certificates – TL;DR Understand your use-cases. Select the right authentication method (802.1X or MPSK) that has the right balance between security vs client and user capabilities. Certificates are always recommended especially as a long-term solution, current onboarding mechanisms provide good way to control cert provisioning at scale for all your client population. Use...