Network Access Control (NAC) has been a cornerstone of enterprise security architecture for as long as I can remember. The premise is straightforward: control who and what can connect to your network. Corporate laptops, employee mobiles, IoT devices, and guests each carry a different trust level, authentication capability, and policy requirement. NAC is the mechanism that enforces that distinction at the point of connection.
In practice, delivering that has rarely been straightforward.
The problem with traditional NAC
On-premises RADIUS infrastructure, complex policy engines, and version-dependent integrations have made traditional NAC one of the more cumbersome disciplines in network engineering. Policy rule sets accumulate. Troubleshooting an authentication failure in a mature deployment means correlating logs across RADIUS, Active Directory, certificate infrastructure and switch port configuration simultaneously. Most network configuration management platforms are separate, disparate systems, reducing interoperability and creating a dependency on a single point of failure. Scaling is no easier. Deploying into a new region means hardware procurement, rack space, further licensing and engineering time.
Software updates can require complex change windows, version management and rollback planning. There is no continuous delivery model. Critical security patches and bug fixes take longer than they should, and the slow nature of on-premise change cycles leaves enterprises exposed for longer than necessary.
MIST Access Assurance changes that model.
What is MIST Access Assurance?
MIST Access Assurance is HPE’s cloud-delivered NAC service, built on the Juniper MIST microservices platform. It is not an on-premise RADIUS platform hosted in someone else’s datacentre. The policy engine, identity integrations, client classification and posture evaluation are cloud-native from the ground up. That distinction matters operationally. Software updates are continuous and service managed — no upgrade windows, no version management, no risk of a failed patch affecting authentication for a site. The platform iterates in the background while the network keeps running.
The underlying architecture follows the same microservices model with AI/ML benefits that underpins the broader MIST platform across wireless, wired and WAN domains. Each function (authentication, policy evaluation, identity lookup, posture compliance) runs as an independent service. This provides the agility and resilience that monolithic on-premise platforms cannot match. AI-driven insights available across other MIST domains extend into the authentication layer, with event correlation, anomaly detection and policy visibility surfaced within the same operational dashboard.
For organisations already running Juniper MIST for wireless or switching, the integration is native. Authentication, policy and access control sit alongside RF health, switch telemetry and Marvis-driven diagnostics. That is a meaningful reduction in tooling, platform sprawl and context switching for network teams managing a mature estate.

RADSec – better transport by default
Because authentication traffic traverses the internet to reach the Juniper MIST cloud, MIST Access Assurance uses RADSec — RADIUS over TLS — as the transport protocol. RADSec wraps the RADIUS authentication and accounting exchange inside a TLS tunnel, typically over TCP port 2083, providing encryption, message integrity and mutual authentication between the authenticator and the cloud service.
Standard RADIUS over UDP offers none of those properties. Most on-premise deployments have run RADIUS over UDP on internal networks and accepted that as sufficient. RADSec has existed as a best practice for years, but without a forcing function, most organisations never adopted it. MIST provides that forcing function — authentication traffic cannot reach the cloud service without it. What appears to be an architectural necessity for cloud delivery is in practice a security improvement that should have been standard in traditional deployments long ago.
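To make the contrast with RADIUS over UDP concrete, the following added example (not from the original post or from HPE/Juniper) parses a constructed Access-Request in the RFC 2865 wire format. It reports which attributes an on-path observer can read without the shared secret and whether the optional Message-Authenticator attribute (type 80) is present. The identity, MAC address and NAS name are made-up sample values.

```python
import struct

# Text attributes (RFC 2865) that identify the user, client and authenticator.
TEXT_ATTRS = {1: "User-Name", 31: "Calling-Station-Id", 32: "NAS-Identifier"}
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 per-packet integrity attribute


def build_access_request(ident, authenticator, attrs):
    """Encode a RADIUS Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), authenticator) + body


def parse_radius(packet):
    """Parse the header and attribute TLVs, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("invalid attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def observer_view(packet):
    """Return (readable attributes, Message-Authenticator present?)."""
    _code, _ident, attrs = parse_radius(packet)
    visible = {TEXT_ATTRS[t]: v.decode("utf-8", "replace")
               for t, v in attrs if t in TEXT_ATTRS}
    return visible, any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs)


# Constructed sample packet: every value below is invented for illustration.
SAMPLE = build_access_request(7, bytes(16), [
    (1, b"alice@example.org"),
    (31, b"AA-BB-CC-DD-EE-FF"),
    (32, b"switch-lab-01"),
])

if __name__ == "__main__":
    print(observer_view(SAMPLE))
```

Inside a RADSec session the same bytes travel as TLS application data, so none of these fields are readable on the path between the authenticator and the service.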
Geographic agility without the infrastructure
Latency is a legitimate concern for many geographically dispersed organisations, and one that a cloud-scale architecture handles well. RADIUS and 802.1X authentication exchanges are latency-sensitive. Multiple round-trip requests are required to complete the exchange, and timeouts are unforgiving. HPE Juniper addresses this through multiple cloud regions operating the MIST Auth Accelerator Service. Authenticators connect to the nearest available region, keeping round-trip latency within acceptable bounds for authentication flows. In a traditional NAC deployment, solving for regional latency means deploying policy nodes in each location, and finding the compute or resources to do so can be challenging, especially in areas where we don’t have the luxury of such a setup.

Is cloud NAC suitable for me?
What NAC needs to do has not changed. Authenticate devices, enforce policy, keep the wrong endpoints off the network. What it takes to deliver that has.
If your organisation is running a full enterprise NAC platform and questioning whether the complexity is justified, or you have no NAC today and are looking at where to start, MIST Access Assurance is worth evaluating.
Ask yourself: are you overcomplicating it? Do you actually need the full weight of HPE ClearPass or Cisco ISE right now? Cloud NAC architectures could be the simpler, more agile path forward.
Reach out to our team today to learn more and discover how a Proof of Value (PoV) engagement could reshape how your organisation thinks about NAC delivery.