Original Message:
Sent: 01-14-2025 01:22
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Yes, when I set the port to access mode on this IP phone VLAN, I quickly get the IP address for the IP phone.
And this is also part of the trunk uplink, and we are also getting the MAC address from the uplink port.
One thing I noticed is that it keeps going to the connecting and held states. For this reason the IP phone MAC address is not seen on the switch port.
When I checked with the show dot1x interface detail command, the IP phone profile also shows VOIP-VLAN VALIDATION FAILED.
Please let me know how it will be sorted out.
------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-13-2025 13:32
From: Matt Sherman
Subject: Juniper Mist NAC Wired Testing
The NAC appears to be working correctly but your DHCP is not. Is the VLAN you're using included / allowed in the upstream trunk port that allows connectivity to the DHCP server?
From your screenshot it looks like this port is set up for VLAN 1500. What is providing DHCP for that VLAN? If you set up another port as an access port with just this VLAN and no dot1x settings, do you get an IP address on the phone?
------------------------------
Matt Sherman
Original Message:
Sent: 01-13-2025 01:28
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Please see the snap below. When we connect an IP phone to the Juniper switch (EX-2300) for MAC-based authentication, it goes to the held state and then goes to the connecting state again rather than NAC assigning the IP address, and this process continues.


------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-11-2025 20:11
From: Matt Sherman
Subject: Juniper Mist NAC Wired Testing
Sorry, scanning through your previous posts I see where you did include the MAB setting and it looks like you've set it up correctly. Are you able to see any failure messages in the Insights section? Do you have a ticket # that you're working off of as well?
------------------------------
Matt Sherman
Original Message:
Sent: 01-10-2025 00:36
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
I had already followed that video and added my laptop MAC address to the authentication policy label. Furthermore, I had disabled the option of IEEE 802.1X authentication on the laptop, so that it will authenticate via MAC only. But it's not working. I had also tested that on the IP phone as well by directly connecting the cable, but no luck.
------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-09-2025 12:30
From: Matt Sherman
Subject: Juniper Mist NAC Wired Testing
If you haven't already, take a look at the following video. I think you need to configure that MAC address bypass (MAB) setting.
https://www.juniper.net/documentation/us/en/software/mist/mist-access/topics/topic-map/access-assurance-mac-auth-wired-devices.html#xd_26def3ae20fdc9ad--2659942a-18bf9a9f26c--7e8f

------------------------------
Matt Sherman
Original Message:
Sent: 01-09-2025 11:50
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Basically, we tested Dot1x on the same VLAN and it was successful: after authentication, an IP address was assigned, but not in the MAC authentication case.
------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-09-2025 11:36
From: Matt Sherman
Subject: Juniper Mist NAC Wired Testing
If you connect to another port with that same VLAN that does not have DOT1x or MAC authentication, are you getting an IP address assigned?
------------------------------
Matt Sherman
Original Message:
Sent: 01-09-2025 11:26
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Hi Matt and Juniper Team,
The issue is resolved; the problem was on the Azure AD side, which the respective team has checked and sorted out.


My testing is not completed yet and two use cases are pending. I am writing about one of the use cases on which testing is not succeeding.
MAC-based authentication: I created an Auth Policy, included the required MAC address of the device in the label and called it in the policy, but when I connected a device to the port, it shows an unidentified network and no IP address is received. I have shared some snaps below for reference.


Can someone help us out in sorting out the issue?
Thanks & Regards,
------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-07-2025 01:22
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Hi Matt,
Many thanks for your reply. Basically, we are using Azure Cloud AD and applying the credentials of a user. So can you please advise what further troubleshooting I should do in order to sort out the issue?
I have attached some of the configuration snaps as well.
Thanks
Muhammad Saad
------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-06-2025 18:38
From: Matt Sherman
Subject: Juniper Mist NAC Wired Testing
Hi,
The screenshot of the error you posted (invalid grant aadsts50034) is one returned from Azure AD and from what I can tell it's usually related to using an email address that hasn't been added to your tenant or using an incorrect email.
https://learn.microsoft.com/en-us/answers/questions/112874/getting-aadsts50034-when-authenticating-with-email
In any case, it looks like your Mist configuration is working correctly. Something needs to be worked out with the credentials you're sending.
Regards,
Matt
------------------------------
Matt Sherman
Original Message:
Sent: 01-06-2025 07:13
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Team Juniper / Mist Assurance (NAC),
Can someone help us out? We have been stuck at this point for the last couple of days.
------------------------------
MUHAMMAD SAAD
Original Message:
Sent: 01-05-2025 05:58
From: MUHAMMAD SAAD
Subject: Juniper Mist NAC Wired Testing
Hello Team,
I am working on deploying the NAC solution in a wired scenario. We have used a Juniper switch for dot1x authentication and connected a laptop to it. We have tried different authentication protocols (i.e. EAP-PEAP and EAP-TTLS), since EAP-TLS is not available in the Ethernet adapter settings on the laptop. In the security profile we have also ticked the box for dot1x authentication and set the authentication protocol, but when we tried connecting the user through wired, the authentication fails and we are getting the error in NAC events (NAC IDP Authentication Failure).
Could someone help out and identify the issue? I have also attached the error for reference.
Many thanks
------------------------------
MUHAMMAD SAAD
------------------------------