TTechclick All lessons
Juniper Mist · Wireless · AP OnboardingInteractive · L1 / L2

Juniper Mist AP Onboarding — Claim Codes, Device Profiles & ZTP in 11 Minutes

Unbox an AP, scan one code, walk away. Skip the manual — see why a single AP uses a claim code but a hundred APs use an activation code, watch a brand-new AP zero-touch onto the Mist cloud live, learn how a device profile configures it before you even arrive, and decode the LED blink that tells you exactly why it won't connect.

📅 2026-05-31 · ⏱ 11 min · 3 interactive demos · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Onboard a Juniper Mist AP the AI-era way — single-AP claim code vs bulk activation code, assign a device profile during claim, watch a brand-new AP ZTP onto the cloud live, and decode the LED blink that tells you exactly why it won't connect — in 11 minutes.

Read it as:

By the end you'll be able to

Pick a stage — jump straight to it

1

Claim vs Activate

Claim code = one AP. Activation code = many APs from a PO. Which to use and where to find each.

 2

Onboard the AP

Mobile app QR scan vs web browser claim. Assign site, floor plan and device profile.

 3

Device Profiles + ZTP

Push config to a group of APs at scale, and watch zero-touch provisioning fire end to end.

 4

Troubleshoot

"AP won't connect" → LED blink codes, DHCP, DNS and the firewall ports playbook.

Before you claim — what onboarding really means

Think of a new Mist AP like a brand-new phone. The phone is useless until you link it to your account. The little code on the box is how you say "this one is mine." Once it's linked, your settings flow down to it automatically — no cable, no laptop, no typing config. That linking step is called claiming, and the auto-settings part is zero-touch provisioning.

Here's the one idea that unlocks everything: a Mist AP carries no local config out of the box — its brain lives in the Mist cloud. To manage it, you must first claim it into your organization, then place it on a site. Claiming proves ownership; the cloud then pushes the right config down automatically. You never SSH into the AP to configure it.

Architecturally, onboarding separates ownership from configuration. The claim/activation code binds a device serial to your Mist org. ZTP then handles the config: the AP gets DHCP, resolves the cloud terminator FQDN, opens an outbound HTTPS session, and inherits org → site → device-profile → AP-level settings in that precedence. Get the claim, the site assignment, and the outbound path right, and a hundred APs come up identically with zero on-site touch.

Juniper Mist AP onboarding big picture An access point in the field connects up to the Mist cloud where it is claimed into an organization, placed in a site, and configured by a device profile, after which it shows as connected. Ownership flows up · Config flows down Juniper Mist Cloud Org · Site · Device Profile · Marvis AI ep-terminator.<region>.mist.com ① Claim code → org ② ZTP config profile → AP AP New AP PoE · DHCP · DNS PoE switch supplies power DHCP gives IP + DNS + GW Firewall: outbound TCP 443
Big picture: a claim code binds the AP to your org (up), then ZTP pushes config down — but only if PoE, DHCP/DNS and an outbound HTTPS path are healthy.
Config / healthy path Cloud / AP / claim node Firewall / failure boundary Warning / watch step
🎫
Claim code
tap to flip

A per-device code (also a QR) on the rear of the AP. Claims one AP into your org. Perfect for a single AP or a small site.

📦
Activation code
tap to flip

One code that claims many APs at once. Juniper sends it with your purchase-order (PO) info. The bulk-deploy default.

🏢
Site
tap to flip

A physical location in Mist. A claimed AP must be assigned to a site to inherit that site's templates and go live.

🧩
Device profile
tap to flip

A reusable config bundle (radios, LEDs, WLAN templates) you push to a group of like APs — assignable right inside the claim modal.

① Claim vs Activate — one AP or a hundred?

Two codes, one job: telling Mist "these are mine." If you bought a single AP, use the little code on the back. If a big box of APs arrived, your order email has one master code that grabs them all in a single step.

To manage any AP you must claim it. You use either a claim code or an activation code. A claim code (and matching QR) is printed on the rear of each AP and claims that single unit. An activation code arrives alongside your PO and claims all the APs on that order at once. Rule of thumb: one AP → claim code, a shipment → activation code.

Both codes resolve, on Juniper's back end, to a set of device serials registered to your Mist org. The activation code is really just a phone-home token tied to the order; when an AP from that order boots and reaches the cloud, the org adoption happens automatically (true ZTP). The claim code is the manual equivalent for ad-hoc units. Either way, the trust anchor is the device serial — not the network it's plugged into.

Claim code versus activation code comparison A side-by-side comparison of the single-AP claim code and the bulk activation code across source, scope, where it is found, and the best use case. Claim code vs Activation code Scope Where Comes from Best use 🎫 Claim code 📦 Activation code One AP (single unit) Many APs at once Label + QR on AP rear Your order email / PO Printed per device Tied to a purchase order Spare / single-AP site Bulk rollout (shipment)
Cheat-sheet: the four differences that decide claim code vs activation code. Screenshot it.
War story · Priya at an Infosys campus Priya is rolling out 60 new APs across a Pune campus. She tries to type each rear-panel claim code by hand into the dashboard — 40 minutes in, two are mistyped and rejected. Her lead points to the PO email: one activation code claims all 60 in a single field. Lesson: at scale, the per-AP claim code is the slow path. Reach for the activation code.

Pause & predict: a colleague has one spare AP from a drawer (no PO) to add to a live site. Claim code or activation code?

Claim code. The activation code is tied to a purchase order; a loose drawer AP has no associated PO token to ride. Flip the AP over, read (or scan) the claim/QR code on the rear, and claim that single unit. Then assign it to the site and, ideally, a device profile.
Quick check · Q1 of 10 · Remember

Where is the per-device claim code (and its QR code) physically located on a Juniper Mist AP?

Correct: b. The claim code and its QR live on a label on the rear of the AP — that's what you scan with the Mist AI app or type into the web claim flow for a single unit. The activation code (option d-ish, but actually one code for the whole order) is what comes by email with your PO for bulk claiming.

② Onboard the AP — mobile QR or web browser

Two ways to do it: point your phone's Mist app at the QR code on the AP, or open the website on a laptop and paste the code. Both end the same way — the AP shows up on your screen and you drop it onto a floor plan.

Mist gives you two onboarding paths. Mobile: the Mist AI app scans the AP's QR, claims it, assigns the site, lets you rename it, and place it on the floor plan — great for one or a handful while you're physically on site. Web: in the dashboard go to Organization → Inventory → Claim APs, paste a claim or activation code, tick Assign claimed APs to site, and optionally tick Assign claimed APs to device profile. The web path is the bulk path.

The two paths converge on the same inventory record. The decision is operational, not technical: mobile gives you on-the-spot physical placement (you scan the AP you're literally holding, so floor-plan accuracy is high), while web lets you pre-stage the whole org before any hardware lands. Mature shops claim in bulk by activation code via web, pre-assign sites and device profiles, and let ZTP finish the job when each AP powers on.

Web dashboard — claim several APs at once (Organization → Inventory → Claim APs) 
Codes (one per line):
  ABC12-DEF34-GH567        # rear-panel claim code, AP #1
  JKL89-MNP01-QR234        # rear-panel claim code, AP #2
  TC-ACTIVATE-PUNE-2026    # activation code from the PO (claims the rest)
[x] Assign claimed APs to site:            Pune-HQ-Floor3
[x] Assign claimed APs to device profile:  AP-Office-Standard
Expected output (Inventory after claim) 
3 codes accepted · 14 APs claimed
Status:  Claimed → Assigned (site: Pune-HQ-Floor3)
Profile: AP-Office-Standard applied to 14 APs
Next:    APs show "Disconnected" until they power on and reach the cloud
Symptom: AP claimed but shows "Unassigned" forever

What you see: the AP is in Inventory but never appears on any site's AP list, and no config reaches it. Cause: claiming proves ownership only — it does not place the AP on a site. An AP with no site assignment inherits no templates and stays inert. Fix: select the AP in Inventory and Assign to Site (or tick the assign-to-site box during claim). Always claim and assign.

▶ Watch a single AP get onboarded

Click Play. Each stage lights up as the AP moves from "boxed" to "Connected" on the cloud.

① SCAN / PASTE Tech scans the rear QR with the Mist AI app (or pastes the claim code on the web)
② CLAIM Mist binds the AP serial to your organization — ownership proven
③ ASSIGN AP assigned to site Pune-HQ-Floor3 + device profile AP-Office-Standard
④ POWER ON AP powered over PoE on switchport; LED begins green/yellow connect blink
⑤ CLOUD CONNECT AP gets DHCP 10.20.5.41, resolves cloud FQDN, opens HTTPS to the cloud
⑥ CONNECTED Config pulled from device profile; status flips to Connected, solid green LED
Press Play to step through onboarding. Each press of Next advances one stage.
Quick check · Q2 of 10 · Apply

Rahul at a TCS branch claims 12 APs by activation code on the web dashboard but forgets to tick "Assign claimed APs to site." The APs power on and reach the cloud. What does he see, and why?

Correct: a. Claiming and site assignment are separate steps. The 12 APs are owned and may even reach the cloud, but without a site they inherit no WLAN templates or RF config, so they sit Unassigned and serve nothing. Rahul selects them in Inventory and assigns the site; config then flows. The activation code never carries a site (rules out d/c), and assignment isn't mandatory at claim time (rules out b).

③ Device profiles + ZTP — config that arrives before you do

A device profile is a "starter pack" of settings. Instead of setting up every AP by hand, you make the pack once and stamp it on a whole group. New AP joins, gets stamped, ready to go.

A device profile sends one consistent config to a group of like APs across sites — radio settings, LED behaviour, and one or more WLAN templates. Because you can tick "assign to device profile" right in the claim modal, an AP can be fully configured the moment it phones home. That's the heart of ZTP: power on → DHCP → resolve cloud → pull profile → live. No staging bench, no console cable.

Mist config is a precedence hierarchy: Org → Site → Device Profile → per-AP override. RRM/RF can come from an RF template, a device profile, or per-AP; if you set none, you must configure radios on each AP individually — which defeats scale. The design pattern is to encode the 80% common case in a device profile (e.g. AP-Office-Standard), keep exceptions as per-AP overrides, and let ZTP apply the profile automatically at first contact. One profile change then re-provisions every AP in scope.

Mist config precedence and device profile fan-out Configuration inherits from organization to site to device profile to individual AP override, and one device profile pushes the same config to many access points. Config precedence · then fan-out Organization (broadest) Site Device Profile Per-AP override (wins) More specific overrides broader. Device ProfileAP-Office-Standard AP · Floor 1 AP · Floor 2 AP · Floor 3 AP · Branch One profile → many APs, even across sites. Set radios in a profile or RF template — otherwise you must configure every AP by hand.
Config precedence (left) and the device-profile fan-out (right): change the profile once, every AP in scope re-provisions.

▶ Zero-Touch Provisioning — greenfield AP boot

A factory-fresh AP, already claimed by activation code, powers on and provisions itself. No human on the keyboard.

① POE BOOT AP draws power over PoE from the switch; LED starts the boot/connect blink
② DHCP AP requests an address → gets 10.20.5.41 + DNS server + default gateway
③ DNS AP resolves the cloud terminator ep-terminator.<region>.mist.com
④ HTTPS AP opens an outbound TCP 443 session to the cloud and authenticates by serial
⑤ ADOPT + CONFIG Cloud matches the activation-code org, applies site + device profile, pushes firmware/config
⑥ LIVE SSIDs go on air; dashboard status = Connected, solid green LED. Zero touches on site.
Watch where ZTP can stall: stage 2 (DHCP), stage 3 (DNS) and stage 4 (firewall) are the three classic failure gates.

Pause & predict: you change one radio-band setting in the AP-Office-Standard device profile. How many APs re-provision, and do you touch any of them?

Every AP in the profile's scope — and you touch none. That's the whole point of a device profile: one edit fans out to all assigned APs via the cloud. The APs pull the change on their next config sync. This is also why a careless profile edit can ripple network-wide — change windows matter at scale.
Quick check · Q3 of 10 · Apply

A greenfield AP is claimed by activation code and powers on, but you set no device profile, no site template, and no per-AP radio config. What happens to its radio settings?

Correct: c. RF templates and device profiles are both optional; if you configure neither, radio management defaults to per-AP. The AP still connects (rules out a), it doesn't clone neighbours (b), and radios aren't bricked (d) — you just lose the scale benefit and must touch each AP. That's exactly why device profiles exist.

④ Troubleshoot — "AP won't connect" playbook

If the AP won't come online, the little light on it is basically Morse code for the problem. Count the yellow blinks and you instantly know whether it's a power, IP, gateway or cloud issue.

The AP has a single status LED that blinks out error codes. Read it first, then walk the path. 2 yellow blinks = a layer-2 issue on the switch/AP link. 3 yellow = no IP from DHCP. 5 yellow = got a gateway but can't reach it. A steady green/yellow connect pattern means it's reaching the cloud. If the LED is healthy but it still won't connect, suspect DNS or the firewall — the AP must resolve and reach ep-terminator.<region>.mist.com outbound.

Diagnose by isolating the ZTP stages. Power (PoE), L2 link, DHCP (IP+DNS+GW), DNS resolution of the terminator FQDN, then outbound HTTPS. Because the cloud terminator IPs change, firewall rules must be FQDN-based, not IP-pinned. APs need outbound TCP 443 as the primary channel; Juniper also recommends opening UDP 443 and TCP 80. No inbound rule is required — the AP always initiates the session. If L2/DHCP are clean but the cloud is unreachable, it's almost always DNS or a firewall blocking 443 to the terminator.

AP won't connect decision tree A troubleshooting decision tree that branches from the AP status LED blink count and connectivity checks to the most likely root cause for a stuck onboard. "AP won't connect" — start at the LED Read the status LED 2 yellow blinksL2 issue on switch/AP Check switchport, VLAN,cable, PoE class 3 yellow blinksNo DHCP IP Check DHCP scope, VLANhelper, static config 5 yellow blinksGW found, unreachable Check gateway / routing/ subnet mask LED OK, no cloudL2/DHCP fine Suspect DNS or firewallResolve ep-terminator,open outbound TCP 443 Golden rule Firewall rules to the cloud must be FQDN-based — terminator IPs change. AP always initiates outbound. Walk the ZTP stages in order: Power → L2 → DHCP → DNS → HTTPS.
Decision tree: the LED tells you which ZTP stage failed; a healthy LED but no cloud points at DNS or the firewall.
2 yellow blinks
tap

Layer-2 problem on the switch or AP link. Check the switchport config, VLAN, cabling and PoE before anything else.

3 yellow blinks
tap

No DHCP IP. The AP couldn't fetch an address from DHCP (or its static config). Check the scope, VLAN and DHCP helper.

5 yellow blinks
tap

Gateway unreachable. A default gateway was learned but the AP can't reach it. Check routing, gateway IP and subnet mask.

🌐
LED OK, no cloud
tap

L2/DHCP healthy but still disconnected → DNS or firewall. The AP must resolve and reach ep-terminator on outbound TCP 443.

Prove the path from a host on the AP's VLAN (DNS + reachability) 
$ nslookup ep-terminator.gc1.mist.com 10.20.5.2
$ curl -sv https://ep-terminator.gc1.mist.com 2>&1 | head -n 4
Expected output 
Server:   10.20.5.2
Name:     ep-terminator.gc1.mist.com
Address:  34.x.x.x          (IP varies — use FQDN firewall rules, not this)

*  Trying 34.x.x.x:443...
*  Connected to ep-terminator.gc1.mist.com (34.x.x.x) port 443
*  TLS handshake, TLSv1.2/1.3
*  SSL connection using TLS_AES_256_GCM_SHA384      # path to cloud is open
Three fixes for "healthy LED, never connects"

1. Open outbound TCP 443 from the AP VLAN to the Mist terminators (also recommended: UDP 443 + TCP 80). No inbound rule needed — the AP initiates. 2. Use FQDN-based firewall rules for the terminators — their IPs change, so IP-pinned rules silently break after a cloud move. 3. Confirm DNS works on the AP's VLAN; if the AP gets an IP (LED healthy) but can't resolve ep-terminator.<region>.mist.com, fix the DHCP-provided DNS server first.

War story · Sneha at an HCL branch site Sneha deploys 8 APs at a new branch. Seven go green; one shows a healthy connect blink but stays Disconnected on the cloud. L2 and DHCP check out. The culprit: the branch firewall allowed the cloud by a hard-coded IP from last quarter, and Juniper had rotated the terminator IP. She swaps the rule to the *.mist.com terminator FQDN and the eighth AP connects in seconds. Pin FQDNs, not IPs.

Pause & predict: an AP blinks 3 yellow. Before you blame the cloud or the firewall, what is the actual problem?

No DHCP IP — it never even got onto the network. Three yellow blinks means the AP couldn't fetch an address from DHCP (or its static config). Cloud reachability and firewall ports are irrelevant until the AP has an IP. Fix the DHCP scope / VLAN / helper-address first, then re-check.
Symptom: AP connects, then drops in a loop after firmware push

What you see: the AP reaches Connected, downloads firmware, reboots, and the cycle repeats. Cause is usually power, not cloud: an underpowered PoE port (wrong PoE class/budget) can't sustain the AP through a firmware upgrade, so it brown-outs and reboots. Verify the switchport supplies the AP's rated PoE class on a Mist-supported switch, then let the upgrade complete.

▶ Diagnosis ladder — isolate the failed stage

Walk the same path the AP walks. Stop at the first stage that fails — that's your root cause.

① POWER Is the LED on at all? PoE budget + class correct on the switchport?
② L2 LINK 2 yellow? Check switchport/VLAN/cable. The AP isn't even on the LAN yet.
③ DHCP 3 yellow? No IP. Fix DHCP scope/VLAN/helper. Expect 10.20.5.41 + DNS + GW.
④ GATEWAY 5 yellow? GW learned but unreachable. Check routing + subnet mask.
⑤ DNS Resolve ep-terminator.<region>.mist.com? If not, fix the DNS server.
⑥ HTTPS 443 Outbound TCP 443 to the terminator open (FQDN rule)? Then it Connects.
The first stage that fails is your fix. Don't open firewall tickets for an AP that never got DHCP.
Security note — keep the management plane patched

Onboarding is an internet-facing-by-design flow, so firmware hygiene matters. Juniper has shipped serious advisories across the platform — for example the WAN Assurance / Session Smart API authentication-bypass (CVE-2025-21589) and the AP-relevant FragAttacks (CVE-2020-24588) frame-injection class. The takeaway for onboarding: let the cloud push current firmware as part of ZTP, subscribe to Mist security alerts, and never expose management to unsolicited inbound — the AP should only ever initiate outbound to the cloud.

Quick check · Q4 of 10 · Apply

A branch AP has a healthy connect-blink LED, a valid DHCP lease and a reachable gateway, yet stays Disconnected on the cloud. Which single firewall change is most likely to fix it without new hardware?

Correct: c. L2/DHCP/GW are fine, so the failure is the path to the cloud. The AP initiates outbound (so no inbound rule — rules out a), needs TCP 443 (not 80-only — rules out b), and needs DNS working (so disabling it is wrong — rules out d). Terminator IPs rotate, so the durable fix is an FQDN-based outbound 443 rule.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Juniper Mist docs + community Q&A. For a live prod issue, share the AP's LED pattern + your DHCP/DNS/firewall facts at chat.techclick.in.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Analyze

An onboarding tech claims 50 APs by activation code and assigns them all to site "Mumbai-DC" with device profile "AP-Office-Standard." A week later, 5 of those APs need a different SSID set than the other 45. What is the cleanest design?

Correct: b. Device profiles exist precisely to segment like-from-unlike. Carve the 5 exceptions into their own profile (or use per-AP overrides) and keep the 45 on the standard profile. Re-claiming (a) is pointless — ownership is unchanged. Deleting the profile (c) destroys the scale you built. Moving orgs (d) is a sledgehammer that breaks reporting and licensing.
Q6 · Apply

You are pre-staging an entire org before any hardware arrives on site. Which onboarding path fits best, and what do you pre-set so ZTP finishes the job hands-off?

Correct: a. The web path is the bulk/pre-stage path: claim by activation code, tick assign-to-site and assign-to-device-profile, and every AP provisions itself when it powers on. The mobile app (b) needs the physical AP in hand. Console paste (c) defeats ZTP entirely. And you can absolutely pre-set site + profile (rules out d).
Q7 · Analyze

Two APs on the same switch: AP-1 reaches Connected; AP-2 blinks 3 yellow and never gets further. They share the same uplink and firewall. Where is the fault most likely localized?

Correct: c. Since AP-1 connects over the same uplink/firewall, cloud and firewall are clearly fine (rules out a/b). 3 yellow = no DHCP IP, which happens before DNS or any cloud path, so the fault is local to AP-2's switchport/VLAN/DHCP. The activation code (d) governs ownership, not IP addressing.
Q8 · Analyze

A firewall admin allowed the Mist cloud by hard-coding the terminator's current IP address. Onboarding works for weeks, then APs at one site suddenly disconnect together with no config change on your side. Why?

Correct: b. Terminator IPs change, which is exactly why Juniper says use FQDN-based firewall rules. An IP-pinned rule works until the cloud moves, then silently drops outbound 443. Claim codes don't expire (a), simultaneous DHCP expiry across a site from nothing is implausible (c), and profiles don't self-delete (d).
Q9 · Evaluate

A junior engineer proposes: "To save time, let's skip device profiles and just configure radios on each AP individually after it connects." For a 200-AP, multi-site rollout, is this sound?

Correct: c. Per-AP config is possible but it scales terribly — 200 manual touches, drift, and no ZTP benefit. Device profiles deliberately span multiple sites (rules out b), so the right call is a profile for the common case with per-AP overrides only for exceptions. Per-AP isn't "always most precise" at scale (a), and it isn't impossible (d).
Q10 · Evaluate

A security reviewer asks you to justify the onboarding firewall posture for a new branch. Which statement best defends a secure, working design?

Correct: d. The AP initiates the session, so you need outbound 443 to the terminator FQDNs and zero inbound — least privilege that still works. Inbound-to-AP (a) needlessly exposes the management plane; disabling the firewall (b) is reckless; allowing all traffic both ways (c) is the opposite of least privilege. Pairing the tight rule with cloud-pushed firmware also closes the patch gap the advisories warn about.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Self-explanation — lock it in

In one or two sentences, explain to yourself: "For a single drawer AP vs a 60-AP shipment, which code do I use, and what's the one extra step after claiming so config actually flows?" Writing it in your own words is the single biggest retention booster.

👩‍🏫 Teach a friend

Explain claim-vs-activate and device-profile-ZTP to a teammate in under 60 seconds, using the "ownership flows up, config flows down" framing. If you can teach it, you own it.

🔔 Spaced-recall reminder (optional)

Want a 3-question recap mailed to you in 3 days? Spaced repetition is how this sticks for the exam. Enter your email — we only use it for this nudge.

✓ Saved on this device — we'll nudge you in 3 days.

📕 Glossary

Claim code
A per-device code (and QR) on the rear of an AP; claims a single AP into your Mist org.
Activation code
One code that claims many APs at once; delivered with your purchase-order (PO) information.
Site
A physical location in Mist; a claimed AP must be assigned to a site to inherit templates and go live.
Device profile
A reusable config bundle (radios, LEDs, WLAN templates) pushed to a group of like APs across sites.
ZTP (Zero-Touch Provisioning)
Power on → DHCP → DNS → outbound HTTPS to cloud → pull config — no manual staging.
ep-terminator
The Mist cloud endpoint FQDN an AP connects to (e.g. ep-terminator.<region>.mist.com); use FQDN firewall rules.
Mist AI mobile app
Phone app to scan an AP's QR, claim it, assign a site, name it, and place it on a floor plan.

📚 Sources

  1. Juniper Mist Docs — Claim a Juniper AP & Cloud-Ready Mist Access Points Quick Start (Step 1: Begin / Step 2: Up and Running). juniper.net/documentation & mist.com/documentation/claiming-aps.
  2. Juniper Mist Docs — Device Profiles Overview, Create a Device Profile, Using WLAN Templates in a Device Profile, RRM Configuration Options. juniper.net/documentation.
  3. Juniper Mist Docs — Onboarding ZTP/Greenfield Devices & AI-Driven Wired/Wireless Network Deployment Guide. mist.com/documentation.
  4. Community / practitioner — Mist & Juniper community: AP Unable to Reach the Mist Cloud?, What is the LED telling me?, Troubleshooting AP Disconnect Issues; r/networking ZTP threads. mist.com/documentation & community discussions.
  5. Juniper Security — API Authentication Bypass (CVE-2025-21589, WAN Assurance / Session Smart) & Mist Security Advisory — FragAttacks (CVE-2020-24588). supportportal.juniper.net & mist.com/documentation security alerts.
  6. Juniper Certification — Mist AI, Associate (JNCIA-MistAI, JN0-253) & Mist AI Specialist (JNCIS-MistAI, JN0-451) blueprints: AP provisioning & configuration, ZTP and onboarding. juniper.net/training/certification.

What's next?

Your APs are claimed, profiled and on air — now make the radios smart. Next we tune the RF: how Mist's auto-RF plans channels and power, the coverage-vs-capacity trade-off, and how RF templates push consistent radio policy across sites.

Next · Juniper Mist RF & RRM — Auto RF, Coverage vs Capacity & RF Templates → ← All lessons