03-20-2023 04:33 AM
About to start looking for other solutions now.
We have been using ExtremeControl for some years for .1x logon with both wireless and wired network.
But now we are moving towards AzureAD (currently hybrid). So for now we see a lot of problems with
logins.
1: AzureAD joined PC's are not visible to the NAC.
2: UserAuth works, but it is far from flawless. (had to install NPS proxy because of UPN)
3: Intune plugin is useless because it only does mac-auth based on the wifi mac address on the device. so there will be no workable wired auth. (apart from userAuth).
This has been a problem now since 2019. What are ExtremeNetworks going to do with this ?
Has anybody found a good soloution on this problem ? (I see that sombody asked question as early as 2018)
03-20-2023 07:08 PM
A3 supports Azure AD password authentication, but it requires disabling MFA.
Certificates issued by Intune are the best solution (to do EAP-TLS auth), but requires an external CA. AD CS is an option, but SCEPman or SecureW2 are what I often see. PackefFence (which A3 is based on) has Intune integration with its internal CA, but A3 hasn't picked up that feature.
03-20-2023 06:44 AM
There are many flavors of 802.1X.
03-21-2023 01:31 AM
Problem with PEAP /Local AD is that upn is not supported and i've also seen other users having problem with authentication. And as you said. NPS Might be a solution. But in my experience the devices tend to try to authenticate with host/xxx instead of user/xxx and then the user does not get access.
EAP-TLS might be a solution, but then that will only give us the host-id (And it will require a step in installing dev-certs to azure ad joined devices before they are present on network ) .
When will the EAP TTLS/PAP solution be ready, and what will it require of the azure account ? E3/E5 ?
03-21-2023 08:35 AM
You can do EAP-TLS with user certificates. There is the question of how to get the user certificate on the device that hasn't joined the network yet, there are a few different ways of doing this - wired network, onboarding wifi network.
If you have XIQ NAC licenses, you can move some to A3, that will let you do EAP-TTLS/PAP today. You need Azure AD P1 to disable MFA selectively, otherwise you have to disable all MFA (which is not a good idea IMHO).