ExtremeCloud IQ - Site Engine & Extreme Management Center

  • 1.  NAC RADIUS certificate generation with Windows CA

    Posted 04-07-2016 14:30
    I'd like to generate a new RADIUS certificate for my NAC using my Windows CA.
    I can't find my notes from 2 years ago and am stuck again - I had a hard time getting it right last time.
    Could anyone share a step-by-step guide?

    So far I've done the following:
    - ssh to the NAC
    openssl genrsa 2048 | openssl pkcs8 -topk8 -out nacvienna.key
    openssl req -new -reqexts server_auth -key nacvienna.key -out nacvienna.csr

    On my Windows CA I open a browser to generate the user certificate.
    But I'm not sure which format to use and how to export it.

    Thanks,
    Ron


  • 2.  RE: NAC RADIUS certificate generation with Windows CA

    Posted 04-07-2016 16:04
    Hi Ron,

    Some of this information is in NetSight's Help, so here are two articles you can review, albeit it looks like you went through these steps already:

    https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Generate-A-Certificate-Signing-Requ...

    https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Update-NAC-Internal-Communications-...

    As for the Windows CA, your certificate enrollment looks to be web enrollment. You need to make sure the templates are listed there that will provide the EKU needed for RADIUS. What do you see there for cert templates? The required EKUs are listed in the Help and, I believe, in the articles above. These pertain to PEAP vs TLS, for example.

    Regards,
    Scott Keene


  • 3.  RE: NAC RADIUS certificate generation with Windows CA

    Posted 04-07-2016 16:44
    Hi Ron,

    A little addition to Scott's post.

    For your RADIUS server you need a server certificate template on your Windows CA with the Extended Key Usage "ServerAuth" (e.g. Web Server). I assume the CA is running as an Enterprise CA (Active Directory integrated). As the format, use Base64.

    Web Enrollment Interface: https://


  • 4.  RE: NAC RADIUS certificate generation with Windows CA

    Posted 04-08-2016 12:24
    We just went through this process a month ago. Here are our documented steps:

    Generate a server private key
    Log in as root to the NAC using PuTTY. Run the following two commands:

    openssl genrsa 2048 | openssl pkcs8 -topk8 -out server.key
    openssl req -new -reqexts server_auth -key server.key -out server.csr

    Create a certificate signing request
    Using WinSCP, log in as root. Copy the server.csr and server.key files to your local computer from the NAC.
    • Open your browser and go to http:///certsrv/
    • Request a certificate
    • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
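
An added example, not part of any post in this thread: before installing the certificate the CA returns, check the three properties the replies call for, namely Base64 encoding, the ServerAuth EKU, and a match with the private key generated on the NAC. The function and file names are hypothetical, and the sample data is constructed: self-signed certificates stand in for the CA-issued one, and the sample key is written unencrypted (`-nocrypt`) so the script runs without a passphrase prompt.

```shell
#!/bin/sh
# Added example: pre-install checks for a CA-issued RADIUS server certificate.

# Base64 (PEM) download rather than the binary DER option.
cert_is_base64() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Extended Key Usage includes Server Authentication.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -q 'TLS Web Server Authentication'
}

# The certificate's public key is the public half of the private key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# usage: check_cert <cert> <key>; returns 0, or 1/2/3 for the first failed check
check_cert() {
  cert_is_base64 "$1"        || { echo "FAIL: $1 is not Base64/PEM"; return 1; }
  cert_has_server_auth "$1"  || { echo "FAIL: $1 lacks the ServerAuth EKU"; return 2; }
  cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 3; }
  echo "OK: $1"
}

# Constructed sample data: two throwaway keys, self-signed certificates with
# and without the serverAuth EKU, and a DER copy of the good certificate.
make_sample() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=nac.example.test' '[server_auth]' 'extendedKeyUsage=serverAuth' \
    '[no_eku]' 'basicConstraints=CA:FALSE' > "$1/req.cnf"
  for n in server other; do
    openssl genrsa 2048 2>/dev/null | openssl pkcs8 -topk8 -nocrypt -out "$1/$n.key"
  done
  for s in server_auth no_eku; do
    openssl req -new -x509 -days 1 -config "$1/req.cnf" -extensions "$s" \
      -key "$1/server.key" -out "$1/$s.pem" 2>/dev/null
  done
  openssl x509 -in "$1/server_auth.pem" -outform DER -out "$1/server_auth.der"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_sample "$work"
check_cert "$work/server_auth.pem" "$work/server.key"
check_cert "$work/no_eku.pem" "$work/server.key" || true
```

Against a real deployment, call `check_cert` with the file downloaded from the CA and the key created on the NAC; a passphrase-protected key makes `openssl pkey` prompt for the passphrase.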