https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71384#M1136 <P>We have corporate SSID configured with 802.1x and most of our company assets have a certificate that allows them to connect. But, anyone with AD credentials can connect using their username/password on devices without a cert installed.&nbsp; &nbsp; &nbsp;We want to require a certificate on the device in order for it to be able to connect to the corporate SSID.&nbsp; We’ve had issues with users connecting personal devices using their username/password and we want to prevent this.</P> Fri, 16 Jul 2021 23:32:16 GMT gshipp 2021-07-16T23:32:16Z https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71384#M1136 <P>We have corporate SSID configured with 802.1x and most of our company assets have a certificate that allows them to connect. But, anyone with AD credentials can connect using their username/password on devices without a cert installed.&nbsp; &nbsp; &nbsp;We want to require a certificate on the device in order for it to be able to connect to the corporate SSID.&nbsp; We’ve had issues with users connecting personal devices using their username/password and we want to prevent this.</P> Fri, 16 Jul 2021 23:32:16 GMT https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71384#M1136 gshipp 2021-07-16T23:32:16Z https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71385#M1137 <P>Hi,</P><P>&nbsp;</P><P>I can’t recall if built-in XIQ RADIUS can work with EAP-TLS but you can always force XIQ APs to forward auth requests to your NAC/RADIUS server (like NPS or EAC or any other) and over there you’ll have to allow only EAP-TLS and not PEAP if you don’t want to permit user credentials to be allowed.</P><P>&nbsp;</P><P>Hope that helps,</P><P>Tomasz</P> Sat, 24 Jul 2021 02:22:52 GMT https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71385#M1137 Tomasz 2021-07-24T02:22:52Z https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71386#M1138 <P>Hi <USER-MENTION data-id="6884494">@Tomasz</USER-MENTION>&nbsp;</P><P>I’ve the same issue. Anyone with their AD credential they can login to personal device as well. How to prevent this personal device login over AD credential? They only want to allow corporate device.</P><P>We can control via the MAC based filter but they more than 3500 devices.</P> Wed, 11 Aug 2021 11:49:43 GMT https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71386#M1138 Prashath 2021-08-11T11:49:43Z https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71387#M1139 <P>Hi Prashath,</P><P>&nbsp;</P><P>Well, host-based auth with certificates (EAP-TLS) seem to be an option here.</P><P>Otherwise, in case of user-based auth you will have to have some other way to verify if the device is corporate or not.</P><P>If we used Extreme Access Control, there should be an option to import a list of MAC addresses. I didn’t try to create End-system group that big though (but worth trying if host-based auth is not possible).</P><P>&nbsp;</P><P>Hope that helps,</P><P>Tomasz</P> Thu, 12 Aug 2021 04:13:36 GMT https://community.extremenetworks.com/t5/extremecloud-iq/is-it-possible-to-allow-only-devices-with-certificates-to/m-p/71387#M1139 Tomasz 2021-08-12T04:13:36Z