Juniper Mist RADIUS Setup Guide — Configure IronWiFi with Mist Cloud

Step-by-step guide to configuring Cloud RADIUS authentication with Juniper Mist cloud-managed WiFi. All configuration is done through the Mist dashboard.

Juniper Mist is a cloud-native wireless platform that uses AI-driven insights and microservices architecture to simplify enterprise WiFi management. Unlike traditional controller-based systems, Mist is entirely cloud-managed — all configuration is done through the Mist dashboard, and APs receive their policies automatically.

This guide covers the complete process of integrating Juniper Mist access points with IronWiFi's Cloud RADIUS server for WPA-Enterprise authentication. Since Mist is cloud-managed, all configuration steps use the Mist web dashboard.

Why Use RADIUS with Juniper Mist?

Juniper Mist's cloud-first architecture makes it an excellent fit for Cloud RADIUS integration. Both systems are cloud-native, eliminating the complexity of on-premises RADIUS infrastructure:

  • Cloud-to-cloud integration: Both IronWiFi and Mist are cloud-managed, creating a fully cloud-native authentication stack with no on-premises servers
  • Per-user identity and accountability: Every wireless session is tied to a specific user credential, enabling Mist's client insights and SLE (Service Level Expectation) metrics per user
  • Dynamic VLAN assignment: RADIUS attributes place users on the correct network segment, integrated with Mist's network policy framework
  • Certificate-based security: EAP-TLS with IronWiFi's Cloud PKI eliminates credential theft risks
  • Marvis AI integration: RADIUS authentication events feed into Mist's Marvis AI assistant for automated troubleshooting and anomaly detection

Mist Architecture

Juniper Mist APs connect directly to the Mist cloud for management and configuration. Key characteristics:

  • No on-premises controller: APs are managed entirely from the cloud. Configuration changes are pushed instantly to all APs in a site
  • Site-based organization: APs are grouped into sites, and WLAN configurations are applied per site or across the entire organization
  • AP-direct RADIUS: Each Mist AP sends RADIUS requests directly to the RADIUS server from its own management IP (no controller proxy)

Prerequisites

Before starting, ensure you have:

  • Juniper Mist access points — AP12, AP32, AP33, AP34, AP43, AP45, AP63, or any Mist-managed AP
  • Mist dashboard access — Organization admin or site admin role at manage.mist.com
  • IronWiFi account

Step 3: WLAN Policy Setup

Mist uses a flexible policy framework to control WLAN behavior across sites and AP groups.

Site-Level vs. Organization-Level WLANs

  • Site-Level WLAN: Configuration applies only to APs within the specific site. Best for site-specific SSIDs or when different sites have different RADIUS configurations
  • Organization-Level WLAN (WLAN Template): Configuration is defined once and applied to multiple sites. Best for standardized corporate SSIDs across all locations

Creating a WLAN Template

  1. Navigate to Organization > WLAN Templates
  2. Click "Create Template" and give it a descriptive name
  3. Add a WLAN to the template with the same RADIUS configuration described above
  4. Assign the template to sites by selecting which sites should receive this WLAN configuration
  5. Optionally set site-specific overrides if certain sites need different VLAN IDs or RADIUS servers

AP-Level Policy Controls

  • RF Templates: Control which bands the SSID broadcasts on per AP or AP group
  • Labels: Use Mist labels to assign WLANs to specific AP groups within a site (e.g., broadcast "Corporate-WiFi" only on office floor APs, not lobby APs)
  • Rate Limiting: Configure per-client and per-SSID bandwidth limits in the WLAN settings

Mist RADIUS Proxy

For deployments with many APs, consider enabling the Mist RADIUS Proxy. This feature routes all RADIUS traffic from the APs through a designated proxy (Mist Edge), presenting a single NAS IP to the RADIUS server. This simplifies NAS registration in IronWiFi. Configure the RADIUS Proxy under Organization > Settings > RADIUS Proxy in the Mist dashboard.

Step 4: Testing & Verification

Testing the Connection

  1. Connect a test device to the enterprise SSID
  2. Enter credentials (PEAP/MSCHAPv2) or ensure the client certificate is installed (EAP-TLS)
  3. Accept the server certificate on first connection
  4. Verify the connection in the Mist dashboard under Monitor > Insights > Client Events

Mist Dashboard Verification

  • Client List: Navigate to Monitor > Clients to see connected clients, their authentication status, assigned VLAN, and signal strength
  • SLE Dashboard: Check Monitor > Service Levels for the "Successful Connects" and "Time to Connect" metrics to verify authentication performance
  • Event Log: Review Monitor > Insights > Client Events for detailed authentication events including RADIUS accept/reject messages
  • Marvis Actions: Mist's AI assistant will flag authentication anomalies automatically under Monitor > Marvis Actions

Troubleshooting

Authentication Timeout

  • Firewall blocking RADIUS: Verify UDP ports 1812 and 1813 are open from each AP's management subnet to the RADIUS server IP
  • NAS IP not registered: Since Mist APs send RADIUS requests from individual IPs, ensure all AP management IPs (or the covering subnet) are registered in IronWiFi
  • AP cannot reach RADIUS: Use the Mist dashboard's Utilities > RADIUS Test feature (if available for your AP model) to test connectivity

Authentication Rejected

  • Shared secret mismatch: The shared secret must match exactly between the Mist WLAN configuration and IronWiFi. Re-enter it in both places to rule out copy-paste issues
  • User not found: Verify the username exists in IronWiFi and is assigned to the correct network
  • Certificate issues (EAP-TLS): Ensure the client certificate is signed by the CA configured in IronWiFi and has not expired
  • EAP method mismatch: Verify the client's EAP configuration matches what IronWiFi expects (PEAP/MSCHAPv2 or EAP-TLS)
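Why an exact match matters, as an added example (not IronWiFi or Mist code): per RFC 2865 the server signs each reply with MD5 over the packet, the request authenticator and the shared secret, so a single stray character makes the NAS-side check fail. The secret, packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: RFC 2865 reply with its Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_reply(reply, request_auth, secret):
    """NAS side: recompute the authenticator with the locally configured secret."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(
        reply[:4] + request_auth + reply[20:length] + secret
    ).digest()
    return hmac.compare_digest(expected, reply[4:20])

def secret_hygiene(secret):
    """Flag copy-paste damage that is invisible in a dashboard field."""
    issues = []
    if secret != secret.strip():
        issues.append("leading or trailing whitespace")
    if any(b < 0x20 or b > 0x7E for b in secret):
        issues.append("non-printable or non-ASCII byte")
    return issues

# Constructed sample values, not real credentials.
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"Example-Secret-1"
PASTED_SECRET = b"Example-Secret-1 "      # trailing space from a copy-paste
ACCEPT = build_reply(2, 7, b"", REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    print("matching secret verifies:", verify_reply(ACCEPT, REQUEST_AUTH, SERVER_SECRET))
    print("pasted secret verifies:  ", verify_reply(ACCEPT, REQUEST_AUTH, PASTED_SECRET))
    print("pasted secret issues:    ", secret_hygiene(PASTED_SECRET))
```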

VLAN Not Applied

  • Dynamic VLAN not enabled: Ensure the WLAN's VLAN setting is set to "Dynamic" in the Mist dashboard
  • VLAN not on trunk: The VLAN ID returned by RADIUS must be allowed on the switch trunk port connected to the AP
  • Missing tunnel attributes: Verify IronWiFi returns all three RADIUS attributes: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, and Tunnel-Private-Group-ID=<VLAN-ID>
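The attribute check from the last bullet, as an added example (not IronWiFi or Mist code): it parses a RADIUS Access-Accept and reports which of the three tunnel attributes is missing or wrong. The packets are constructed samples with a zeroed authenticator and the function names are hypothetical; attribute numbers and values follow RFC 2868 and RFC 3580, and a non-numeric group ID is treated as a problem because this guide expects a VLAN ID.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value bytes} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # first instance wins
        pos += alen
    return attrs

def check_dynamic_vlan(packet: bytes):
    """Return (vlan_id or None, problems) for an Access-Accept."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return None, ["not an Access-Accept"]
    attrs, problems, vlan = parse_attributes(packet), [], None

    def tagged_int(atype):  # 1-byte tag followed by a 3-byte value
        v = attrs.get(atype, b"")
        return int.from_bytes(v[1:], "big") if len(v) == 4 else None

    if tagged_int(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type missing or not VLAN")
    if tagged_int(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:      # optional tag byte
        group = group[1:]
    if group.isdigit() and 1 <= int(group) <= 4094:
        vlan = int(group)
    else:
        problems.append("Tunnel-Private-Group-ID missing or not a VLAN ID")
    return vlan, problems

def build_packet(code, attrs):  # constructed sample data, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

GOOD = build_packet(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"30")])
NO_MEDIUM = build_packet(2, [(64, b"\x00\x00\x00\x0d"), (81, b"30")])
```

`check_dynamic_vlan(GOOD)` returns VLAN 30 with no problems, while `NO_MEDIUM` still yields the VLAN ID but names the missing Tunnel-Medium-Type.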

Checking Logs

  • Mist Dashboard: Navigate to Monitor > Insights > Client Events for per-client authentication traces. Filter by "802.1X" to see only RADIUS-related events
  • Mist API: Use the Mist REST API endpoint /api/v1/sites/{site_id}/insights/client for programmatic access to client event data
  • IronWiFi: Review the Authentication Log in the console for complete RADIUS transaction details, including accept/reject reasons and returned attributes

Frequently Asked Questions

Yes. Juniper Mist fully supports external RADIUS servers for 802.1X authentication. In the Mist dashboard, navigate to Network > WLANs, create a WLAN with WPA-2/EAP (802.1X) security, and enter the Cloud RADIUS server IP, port (1812), and shared secret under the RADIUS Authentication Servers section.

By default, Juniper Mist APs send RADIUS requests from each AP's own IP address (the AP management IP). You can optionally configure a NAS IP or NAS Identifier in the WLAN settings. For Cloud RADIUS, the simplest approach is to register the site's public IP (if the APs NAT through a single IP) or use the Mist RADIUS Proxy feature to consolidate requests through a single IP.

Yes. Enable dynamic VLAN in the WLAN settings by selecting "Enabled" under VLAN and setting the type to "Dynamic". The RADIUS server returns Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, and Tunnel-Private-Group-ID=<VLAN-ID> to assign users to specific VLANs. The VLANs must exist on the upstream switch trunk ports connected to the Mist APs.

The Mist RADIUS Proxy routes all RADIUS requests from the APs through the Mist Edge or a designated proxy device, presenting a single source IP to the RADIUS server. This simplifies NAS registration since you only need one IP instead of every AP's IP. Use the RADIUS Proxy when you have many APs or when your RADIUS server has a limited NAS list.

Common causes include: firewall blocking UDP 1812/1813 from the AP subnet, AP management IPs not registered as NAS addresses in the RADIUS server, shared secret mismatch, or the RADIUS server being unreachable from the AP network. Check the Mist dashboard under Monitor > Insights for authentication failure events and cross-reference with the IronWiFi authentication log.