
Multiple domains and CAs Extreme Control

  • 7 November 2019
  • 4 replies
  • 169 views

I was wondering whether Extreme Control can import multiple certificates from different CAs in different domains, if I have 2 tenants on the same network infrastructure, including the access switch.

Both domains have separate Windows CA servers; how does this work with EAP authentication? As far as I can see you cannot use EAP authentication on multiple system certificates. The first domain (employee domain) is already set up with system certificates signed by the CA in the domain and has a working 802.1x wireless network with EAP certificate authentication. How do I set up the same for the other domain (student domain), which has a separate CA server?

For me it seems EAP authentication only works in multiple domains if the same CA server is used in all the domains, but I cannot find any documentation that confirms or denies this. How do I set this up?


4 replies


Hello Jay,

You can’t import multiple RADIUS server certificates to a single appliance at this time.

You could spin up a couple of additional Control appliances, put them in the same appliance group and have the 2nd domain point to the new Control appliances that have the appropriate RADIUS certificate installed.

I have brought this up with development recently and we’re currently looking into it.


Thanks

-Ryan


As far as I know, you should not need multiple RADIUS certs for this.

  1. You need to add the student-domain certs to “trusted authorities” in XMC/NAC
  2. You need to trust the RADIUS certs of the employee domain in the student domain

That should be enough, but I never tried it, and whether 2. is possible may depend on company policies.


Thanks for the reply.


How would that look at the switch level, if I am using the same access switch for both domains? The switch is pointing to specific NAC servers and they only have one cert on them.


Hello Jay,


If you’re using the same access switch for both domains then I don’t think that scenario would work. You would have to physically separate the domains from the switch access level in order to point to different RADIUS servers.


I’m assuming that in your environment you have two domains attempting to authenticate using the same access switch.


The mechanisms to deploy another RADIUS server certificate do not exist in the product currently. 


What you could do is put the appliance into a proxy RADIUS configuration rather than NTLM authentication and proxy the RADIUS to NPS server for the appropriate domain. AAA rules would be set up as:

domain1\* → Proxy to domain NPS server

domain2\* → Proxy to domain 2 NPS server


The other options you have are to install the CA root certificate that generated the RADIUS certificate to all devices in both domains, or to get a RADIUS certificate signed by a commercial authority.  


Thanks

-Ryan
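The per-domain proxy rules Ryan describes above, as an added example that is not part of this thread or of Extreme Control: the rule syntax, realm-to-domain map and NPS hostnames are assumed, and the matching is written out in plain Python so the first-match evaluation, the outer-identity forms a supplicant can send, and the case of an identity that matches no domain are explicit.

```python
"""Route EAP/RADIUS requests to the right backend by domain.

Assumed model of the AAA rules domain1\\* -> NPS of domain 1 and
domain2\\* -> NPS of domain 2; hostnames and realm map are constructed.
"""
import fnmatch
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    pattern: str           # glob on the canonical "DOMAIN\\user" form
    action: str            # "proxy" or "reject"
    target: Optional[str]  # RADIUS server for "proxy", else None


# Constructed configuration: two tenants, one NPS server each.
REALM_TO_DOMAIN = {"corp.example": "DOMAIN1", "students.example": "DOMAIN2"}
RULES = [
    Rule("DOMAIN1\\*", "proxy", "nps1.corp.example"),
    Rule("DOMAIN2\\*", "proxy", "nps2.students.example"),
    Rule("*", "reject", None),  # unknown domain: never authenticate locally
]


def normalise_identity(identity: str) -> str:
    """Map the forms supplicants send to one canonical DOMAIN\\user string.

    Handles "DOMAIN\\user", "user@realm" (realm looked up in REALM_TO_DOMAIN,
    which also covers an anonymous outer identity such as anonymous@realm)
    and a bare username, which keeps no domain so only the catch-all matches.
    """
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        return f"{domain.upper()}\\{user}"
    if "@" in identity:
        user, _, realm = identity.rpartition("@")
        domain = REALM_TO_DOMAIN.get(realm.lower())
        if domain:
            return f"{domain}\\{user}"
    return identity  # unknown realm or bare user: left unchanged


def route(identity: str, rules=RULES) -> Rule:
    """First-match evaluation of the ordered rule list (backslash is literal)."""
    canonical = normalise_identity(identity)
    for rule in rules:
        if fnmatch.fnmatchcase(canonical, rule.pattern):
            return rule
    raise ValueError("rule list has no catch-all entry")
```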
