‎03-13-2025 04:36 AM
Hello Community,
We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.
However, I believe later versions of XIQ SE support EAP TLS. If this is not the case, please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS, and will I need a root certificate to be installed on XIQ SE and the NAC devices?
Is there a guide or similar I could use to implement EAP TLS?
Currently, we use the built-in 802.1x authentication via an LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.
Many Thanks,
‎03-13-2025 05:28 AM - edited ‎03-13-2025 05:30 AM
Hi Asifi,
Any version of XIQ-SE supports EAP-TLS.
If you want EAP-PEAP to still be supported on Windows 11 clients, you will probably need to disable the Credential Guard feature.
These links might be useful:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x
However, using EAP-TLS is way better than EAP-PEAP in terms of security.
REGARDS, Robert
‎03-13-2025 05:55 AM
Hi,
If you are working with an AD environment, then I would recommend deploying at least one NPS server (or even two for redundancy) to handle RADIUS authentication with NAC and keep LDAP integration just for checking user attributes for applying correct network authorization.
The NTLM protocol used by NAC for local RADIUS termination is somehow deprecated by Microsoft (https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features).
‎03-13-2025 08:26 AM
We don't promote the NPS service because we have XIQ-SE NAC scaling much better and have a great enterprise NAC solution.
‎03-13-2025 12:50 PM
@Markus_Nikulski I'm not promoting NPS as NAC but as a RADIUS server for Extreme Access Control (so Extreme NAC is used as a RADIUS proxy). IMO NTLM integration with an AD environment is somehow not as reliable as RADIUS-based integration.
SWITCH/AP <---> Extreme Control <----> NPS (RADIUS) + AD (LDAP)
‎03-13-2025 05:55 AM
@Robert_Zdzieblo @Zdeněk_Pala - thanks both, that is interesting. I will upgrade - which version do you recommend from my current version? I know somewhere down the line the upgrade involves a new VM creation and backup/restore of the database. Which version can I go to without creating a new VM?
Secondly, if I go with EAP TLS - I need a root certificate on XIQ SE and the NACs?
Any documentation for this?
Many thanks,
‎03-13-2025 06:24 AM
Asifi,
I think you can't avoid migration during the XIQ-SE upgrade to the current version. There is a stepped upgrade path from your version, and during the upgrade to 24.7 there is a migration required between 2 VMs - all info can be found in the XIQ-SE Release Notes.
Regarding the certificate - you'll need your CA-signed certificates on NAC gateways, but not necessarily on XIQ-SE itself.
REGARDS, Robert
