10-01-2025 11:59 AM
Hello all,
I'm trying to get our new Juniper Mist APs to work with User-ID on a PA440. From reading around, I see that only AD-joined devices will work with User-ID, and that's how it's been for us for a while now. But we got the Juniper APs, and it looks like there's a challenge in getting User-ID to work. I'm using our on-premises AD RADIUS server. As soon as the AP authenticates a user, it doesn't allow internet access and shows the "not secure" error message in the phone's browser. The PA logs show no User-ID on the traffic. Has anyone here done this, and what did you do to get it to work? I read about the 3rd-party proxy apps that can be installed.
But not sure if that will really work for us. I'm kinda in a rabbit hole with researching. I know most companies are on the cloud, and we can probably use Entra/Intune from MS365, but we'd need to move users to the cloud, and our data is still on-premises, like Exchange, due to compliance. Thanks in advance for any pointers and advice.
10-13-2025 10:17 AM
Hi @cdcirexx ,
I am sorry that no one has responded to you on this topic. I see that you have also asked this question on other posts. It also appears that you are using MS NPS for local RADIUS. From this discussion, I see that you have looked at PAN RA Proxy. https://live.paloaltonetworks.com/t5/general-topics/user-id-issues-with-mapping-from-juniper-mist-wi...
There are a couple of other tools mentioned on this post -> https://live.paloaltonetworks.com/t5/general-topics/user-identification-using-windows-nps/td-p/46276.
Is Juniper MIST a cloud WiFi controller? If so, then it probably can't integrate with your local FW. I think your only solution is to integrate your MS NPS server using one of the methods above or possibly send syslogs from the AP itself to the NGFW. I use syslogs for my User-ID, and it works great.
You could also look at a different RADIUS server. Here are a couple below. I am not recommending a specific solution, only pointing out that there are options.
https://packetpushers.net/blog/radiuid/
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5sCAC
Thanks,
Tom
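The log-driven approach Tom describes, as an added example that is not part of the thread or of any tool linked in it: RADIUS accounting events are replayed into IP-to-user mappings and rendered as a PAN-OS User-ID XML API `uid-message`. The log line layout, the sample users and the function names are constructed for illustration; sending the payload to the firewall is not shown.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample lines; real NPS or AP accounting output will look different.
SAMPLE_LOG = """\
Oct 13 10:17:01 radius acct: Acct-Status-Type=Start User-Name=CORP\\alice Calling-Station-Id=AA-BB-CC-00-00-01
Oct 13 10:17:09 radius acct: Acct-Status-Type=Interim-Update User-Name=CORP\\alice Framed-IP-Address=10.20.30.41
Oct 13 10:18:30 radius acct: Acct-Status-Type=Start User-Name=CORP\\bob Framed-IP-Address=10.20.30.42
Oct 13 10:25:00 radius acct: Acct-Status-Type=Stop User-Name=CORP\\bob Framed-IP-Address=10.20.30.42
Oct 13 10:26:00 radius acct: Acct-Status-Type=Start User-Name=CORP\\carol Framed-IP-Address=not-an-ip
"""
ATTR = re.compile(r"([A-Za-z-]+)=(\S+)")

def replay_accounting(log_text):
    """Return ({ip: user} still logged in, [(ip, user)] logged out)."""
    active, logouts = {}, []
    for line in log_text.splitlines():
        attrs = dict(ATTR.findall(line))
        user = attrs.get("User-Name")
        ip = attrs.get("Framed-IP-Address")
        status = attrs.get("Acct-Status-Type")
        # A wireless Start record often arrives before DHCP finishes and
        # carries no client IP; no mapping is possible until one shows up.
        if not (user and ip and status):
            continue
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            continue  # never forward a malformed address to the firewall
        if status in ("Start", "Interim-Update"):
            active[ip] = user
        elif status == "Stop":
            active.pop(ip, None)
            logouts.append((ip, user))
    return active, logouts

def build_uid_message(active, logouts, timeout_min=60):
    """Render the mappings as a User-ID XML API update message."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for ip, user in sorted(active.items()):
        # ElementTree escapes attribute values, so odd usernames stay data.
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    logout = ET.SubElement(payload, "logout")
    for ip, user in logouts:
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_uid_message(*replay_accounting(SAMPLE_LOG)))
```

If traffic still shows no user after mappings are pushed, check whether the accounting records for that client ever carried a client IP, since records without one are skipped here.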
10-13-2025 11:03 AM
Tom,
Thanks for chiming in. Yeah, I see most of those links are from older posts; a lot today probably don't use internal AD RADIUS anymore. I just ended up in a rabbit hole researching it. I think we'll go with something like Access Assurance from Juniper, that's the cloud-based RADIUS server they offer. From reading around, it looks simple to set up. Since our company is going through the CMMC certification process right now, we're looking at some cloud-based auth services, also Intune/Entra for our MDM.