Example Configuration: Guest Access with Juniper Mist WLC

This section describes the configuration that is required on IPS to communicate with Juniper Mist WLC for Guest wireless authentication.

To configure IPS for guest wireless authentication:

  1. Select Authentication > Auth.Servers. The Authentication Servers screen appears. Use the Default Guest Wired Authentication Server.
  2. Click Guest Wired Authentication available by default to view the settings.
  3. You can make the necessary changes and click Save Changes.
  4. Select Users > User Roles. The User Roles page appears.
  5. Click Guest Wired Restricted user role available by default. The Agentless access is enabled for this role.
  6. Select Endpoint Policy > MAC Address Authentication Realms and click Guest Wired authentication realm available by default.
  7. Select Endpoint Policy > Network Access > Location Group. Select Guest Wired as MAC Auth Realm.
  8. Configure the Mist WLC as a RADIUS client. Ensure that the Guest Wired location group and Support Disconnect Messages options are enabled.

  9. Configure the RADIUS return attributes for Guest Wired policy. Select Endpoint Policy > Network Access > RADIUS Return Attribute Policies. Click New Policy. Under RADIUS Attributes tab, select the check box for Return Attribute.The RADIUS return attributes are required for MAB authentication initially when the guest connects to the SSID (where the redirection happens) and then the session is bridged after the guest authenticates.

    Supported Attributes: Filter-Id, Airspace-ACL-Name, Aruba-User-Role.

    Cisco-AVPair is supported to set the redirection URL.

    Tunnel-Private-Group-ID and Airespace-Interface-Name are used to assign the VLANS.

Configuring Mist WLC

To configure WLAN on Mist:

  1. Add Mist as Access Point.

  2. Setup the Wireless Networks, Select Network > WLANs. Click Add WLAN.
  3. Configure Name, SSID.
  4. Under Security, select Open Access.
  5. Enable Guest Access with Mac Authentication Bypass.
  6. Under RADIUS Authentication Server and RADIUS Accounting Server, specify the IPS IP address.
  7. Create Security Policy to control resource access.
  8. You can also issue a label. The label is used to form tags or groups, which can be used to create security policies.