cancel
Showing results for 
Search instead for 
Did you mean: 

AzureAd and dot1X

AzureAd and dot1X

faste
New Contributor II

About to start looking for other solutions now.

We have been using ExtremeControl for some years for .1x logon with both wireless and wired network.

But now we are moving towards AzureAD  (currently hybrid). So for now we see a lot of problems with

logins. 

1: AzureAD joined PC's are not visible to the NAC.

2: UserAuth works, but it is far from flawless. (had to install NPS proxy because of UPN)

3: Intune plugin is useless because it only does mac-auth based on the wifi mac address on the device. so there will be no workable wired auth. (apart from userAuth).

This has been a problem now since 2019. What are ExtremeNetworks going to do with this ?

Has anybody found a good soloution on this problem ? (I see that sombody asked question as early as 2018)

 

4 REPLIES 4

James_A
Valued Contributor

A3 supports Azure AD password authentication, but it requires disabling MFA.

Certificates issued by Intune are the best solution (to do EAP-TLS auth), but requires an external CA. AD CS is an option, but SCEPman or SecureW2 are what I often see. PackefFence (which A3 is based on) has Intune integration with its internal CA, but A3 hasn't picked up that feature.

Zdeněk_Pala
Extreme Employee

There are many flavors of 802.1X.

  • EAP-TLS can still be used with Azure, certificates are independent of Azure.
  • The PEAP with MsChapv2 can not be used with Azure cloud as NTLM is not supported there and NTLM can not be translated to SAML/API calls.
  • If customers want to use PEAP, they deploy local AD with Azure connector to synchronize. Local AD can be used for NTLM or NPS.
  • We are investigating EAP-TTLS with PAP option as it can be used with Azure cloud as the password can be translated to SAML/API calls to Azure. This is not available with the current version of ExtremeControl.

 

Regards Zdeněk Pala

faste
New Contributor II

Problem with PEAP /Local AD is that upn is not supported and i've also seen other users having problem with authentication. And as you said. NPS Might be a solution. But in my experience the devices tend to try to authenticate with host/xxx instead of user/xxx and then the user does not get access.

EAP-TLS might be a solution, but then that will only give us the host-id (And it will require a step in installing dev-certs to azure ad joined devices before they are present on network ) .

When will the EAP TTLS/PAP solution be ready, and what will it require of the azure account ? E3/E5 ? 

James_A
Valued Contributor

You can do EAP-TLS with user certificates. There is the question of how to get the user certificate on the device that hasn't joined the network yet, there are a few different ways of doing this - wired network, onboarding wifi network.

If you have XIQ NAC licenses, you can move some to A3, that will let you do EAP-TTLS/PAP today. You need Azure AD P1 to disable MFA selectively, otherwise you have to disable all MFA (which is not a good idea IMHO).

GTM-P2G8KFN