topic Re: XIQ SE and Windows 11 Authentication EAP TLS in ExtremeCloud IQ- Site Engine Management Center

XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Thu, 13 Mar 2025 11:36:39 GMT

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later version of XIQ SE support EAP TLS. If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to Implement EAP TLS?

Currently, we use the built in 802.1x authentication via a LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

Re: XIQ SE and Windows 11 Authentication EAP TLS

Zdeněk_Pala — Thu, 13 Mar 2025 12:27:12 GMT

Hi Asifi,

PEAP is available in Windows 11:

EAP-TLS is available since the beginning of XIQ-SE. Documentation: https://emc.extremenetworks.com/content/search.htm?q=eap-tls

Anyway, I heavily recommend upgrading to recent version of XIQ-SE because of new features and security patches.

Sincerely yours

Zdenek

Re: XIQ SE and Windows 11 Authentication EAP TLS

Robert_Zdzieblo — Thu, 13 Mar 2025 12:30:33 GMT

Hi Asifi,

Any version of XIQ-SE supports EAP-TLS.

If you want EAP-PEAP to be still supported in Windows 11 clients, you will probably need to disable Credential Guard feature.

These links might be useful:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune

However, using EAP-TLS is a way better than EAP-PEAP in terms of security.

REGARDS, Robert

Re: XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Thu, 13 Mar 2025 12:55:29 GMT

@Robert_Zdzieblo @Zdeněk_Pala - thanks both, that is interesting. I will upgrade - which version do you recommend from my current version? I know somewhere down the line the upgrade involves a new VM creation and backup/restore of the database. Which version can I go to without creating a new VM?

Secondly, if I go with EAP TLS - I need a Root certificate on XIQ SE and the NAC's?

Any documentation for this?

Many thanks,

Re: XIQ SE and Windows 11 Authentication EAP TLS

Bartek — Thu, 13 Mar 2025 12:55:55 GMT

Hi,

If you are working with AD environment, then I would recommend deploying at least one NPS server (o even two for redundancy) to handle RADIUS authentication with NAC and keep LDAP integration just for checking user attributes for applying correct network authorization.

NTLM protocol used by NAC for local RADIUS termination is somehow deprecated by Microsoft (https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features)

Re: XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Thu, 13 Mar 2025 13:10:28 GMT

@Bartek - we use an NPS to authenticate our Extreme AP users. However, in this case I am talking about our end user devices so PC's/tablets/laptops etc. Are you suggesting using NPS for the end devices too?

Thanks,

Re: XIQ SE and Windows 11 Authentication EAP TLS

Robert_Zdzieblo — Thu, 13 Mar 2025 13:24:12 GMT

Asifi,

I think you can't avoid migration during XIQ-SE upgrade to current version. There is stepped upgrade path from your version and during upgrade to 24.7 there is migration required between 2 VMs - all info can be found in XIQ-SE Release Notes.

Regarding the certificate - you'll need your CA signed certificates on NAC gateways, but not necessarily on XIQ-SE itself.

REGARDS, Robert

Re: XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Thu, 13 Mar 2025 13:34:25 GMT

@Robert_Zdzieblo - thank you for confirming. Can I update the existing authentication to use EP TLS or will this require new rules?

Thanks,

Re: XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Thu, 13 Mar 2025 15:16:47 GMT

Hi All, will I need a pfx or cer certificate for the NAC's?

Thanks,

Re: XIQ SE and Windows 11 Authentication EAP TLS

Markus_Nikulski — Thu, 13 Mar 2025 15:23:58 GMT

PEAP-MSCAP is still supported with Windows 11. More and more customer moving to EntraID replacing the classical Active Directory we know since many years. Using EAP-TLS is a good alternative if you know how to deal with client certificates in regards auto enrollment and live cycle management. Just make sure the client have certificate with "enhance key usage" = "Client Authentication" and select the certificates in the Windows 11 plus the corresponding root CA certificate to be able to validate the incoming Radius server certificate like you should have already with PEAP-xxx.

Re: XIQ SE and Windows 11 Authentication EAP TLS

Markus_Nikulski — Thu, 13 Mar 2025 15:25:09 GMT

the pfx extension indicate is a PLCS12 formatted data. Yes it can be used to deploy the certificate for the Radius server.

Re: XIQ SE and Windows 11 Authentication EAP TLS

Markus_Nikulski — Thu, 13 Mar 2025 15:26:53 GMT

we don't promote the NPS servie because we have XIQ-SE NAC scaling much better and have a enterprise great NAC solution.

Re: XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Thu, 13 Mar 2025 15:56:51 GMT

@Markus_Nikulski - Thanks Marcus, we use an LDAP server for user and machine authentication. PFX still ok?

Thanks,

Re: XIQ SE and Windows 11 Authentication EAP TLS

Markus_Nikulski — Thu, 13 Mar 2025 16:15:00 GMT

yes, it will work for group membership lookup. The user authentication is part of the offline certificate validation.

Re: XIQ SE and Windows 11 Authentication EAP TLS

Bartek — Thu, 13 Mar 2025 19:50:43 GMT

@Markus_Nikulski I'm not promoting NPS as NAC but as RADIUS server for Extreme Access Control (so Extreme NAC is used as RADIUS Proxy). IMO NTLM integration with AD environment is somehow not as reliable as RADIUS-based integration

SWITCH/AP <---> Extreme Control <----> NPS (RADIUS) + AD (LDAP)

Re: XIQ SE and Windows 11 Authentication EAP TLS

Bartek — Thu, 13 Mar 2025 19:59:21 GMT

I'm suggesting integrating Extreme Control with on-prem AD environment using RADIUS protocol for user authentication (it's called RADIUS Proxy mode) and LDAP for checking user access permissions:

SWITCH/AP <---> Extreme Control <----> NPS (RADIUS) + AD (LDAP)

Re: XIQ SE and Windows 11 Authentication EAP TLS

SebBinet — Fri, 14 Mar 2025 12:47:30 GMT

As mentioned by others, any XIQ-SE/NAC version support EAP-TLS.
You'll need server certificate issued by your CA for the NAC appliance/VM but not for XIQ-SE.

Only NAC appliance are RADIUS Server and will use server certificate to be validated by your Windows 11 devices.

Even if Windows 11 still support PEAP (with Credential Guard disabled), never know if it'll be the case tomorrow because PEAP is deprecated because of security issues.

Re: XIQ SE and Windows 11 Authentication EAP TLS

nick533 — Sat, 15 Mar 2025 05:51:25 GMT

Any version of XIQ-SE/NAC supports EAP-TLS, as others have stated. APK Spotify Premium
Your CA's server certificate is required for the NAC appliance or virtual machine, but not for the XIQ-SE.

Only NAC appliances are RADIUS servers, and your Windows 11 devices will validate them using the server certificate.

PEAP is deprecated due to security concerns, thus even if Windows 11 currently supports it (with Credential Guard turned down), you never know if it will be the case tomorrow.

Re: XIQ SE and Windows 11 Authentication EAP TLS

ExtremeNewbie — Mon, 17 Mar 2025 15:18:54 GMT

Thanks everyone - lots to ponder and think about.

My last question - we have a wildcard certificate already in use and verified by a CA. Can we use this as the device cert on the NAC's as this already chains back to out PKI root without having to raise a new CSR and getting this verified by a CA.

Many thanks everyone.

Re: XIQ SE and Windows 11 Authentication EAP TLS

Robert_Haynes — Tue, 18 Mar 2025 12:34:05 GMT

We do not permit / advise the use of a wildcard certificate for the RADIUS server certificate for backwards compatibility with clients and 802.1x supplicant configurations that simply do not support it.

A RADIUS server cert w/ multiple SANs (FQDNs) is recommended.

Wildcard certificate is compatible with Captive Portal/Web use purposes.