XIQ SE and Windows 11 Authentication EAP TLS

Asifi
New Contributor II

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method.  I was told this would no longer work with Win 11 and we would need to implement EAP TLS.  I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later versions of XIQ SE support EAP TLS. If this is not the case, please let me know. Could anyone let me know the minimum version of XIQ SE that supports EAP TLS, and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to implement EAP TLS?

Currently, we use the built-in 802.1x authentication via an LDAP server. This, I believe, supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

1 ACCEPTED SOLUTION

Robert_Zdzieblo
Contributor II

Hi Asifi,

Any version of XIQ-SE supports EAP-TLS.

If you want EAP-PEAP to still be supported on Windows 11 clients, you will probably need to disable the Credential Guard feature.

These links might be useful:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

However, using EAP-TLS is way better than EAP-PEAP in terms of security.

REGARDS, Robert

@Zdeněk_Pala - thanks for the quick reply. Currently, we have no certificate and are using 802.1x PEAP as the Authentication Rule for our end computers. As this is the first root certificate we will use, is it safe to say: install the root certificate on the NACs and change the Authentication on the Rule from 802.1X PEAP to 802.1X EAP-TLS?

Many thanks,

Hi,

I think you will need these steps:

  1. Upload the Root CA certificate
  2. Generate a Certificate for each Access Control Engine (if it is not done yet)
  3. Generate a client certificate for your clients (end-systems)
  4. Define NAC rules (may not be needed if your existing rules reflect what you want)
  5. Enforce settings

Usually there is no need to configure or modify AAA rules if you have PEAP already and you want to add EAP-TLS. Why do you think you need a new AAA rule?

Regards, Zdeněk Pala

AAA only gives high-level protocol-based filtering. It would be in the Rules -> Auth Type where you could restrict a rule to EAP-TLS for example.

All XMC / Site Engine releases going back years support EAP-TLS.

FTR, you are on 23.04 which is now outside the 12-month support window. Please plan on performing an upgrade of Site Engine / Control to a supported release; minimum is 24.02.15.05 at this time.

Asifi
New Contributor II

@Robert_Haynes - thanks for the update. I will upgrade to the later version. Can I edit an existing rule and choose EAP-TLS after installing the root certificate on the NACs?

Thanks,

Asifi
New Contributor II

Thanks everyone - lots to ponder and think about.

My last question - we have a wildcard certificate already in use and verified by a CA. Can we use this as the device cert on the NACs, as this already chains back to our PKI root, without having to raise a new CSR and getting this verified by a CA?

Many thanks everyone.
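Zdeněk's five steps and the wildcard-certificate question above both come down to certificate roles: a Root CA that the Access Control Engines trust, a server certificate on each engine, and a client certificate on each end-system. The shell script below is an added example, not part of this thread and not Extreme's tooling. It builds a throwaway lab PKI with openssl (all names, paths and lifetimes are assumptions, and the "wildcard" certificate is issued under the same lab root to mirror the "already chains back to our PKI root" situation) and then runs the check a practitioner would make before enforcing an EAP-TLS rule: does each certificate chain to the root, and does it carry the Extended Key Usage that TLS peers expect for its role (serverAuth for the engine, clientAuth for the supplicant)? The last two reports show why a certificate issued for web servers is not a supplicant certificate, and why a supplicant certificate will not serve on the engine.

```shell
#!/bin/sh
# Added example (not from this thread, not Extreme tooling): build a throwaway
# lab PKI with openssl that mirrors the certificate roles EAP-TLS needs, then
# check that each certificate chains to the root and carries the right EKU.
# All names, file paths and lifetimes below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: the Root CA that XIQ-SE / the Access Control Engines will trust.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Lab Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# issue_cert NAME SUBJECT EKU [SAN]: CSR plus a leaf signed by the lab root.
# EKU is serverAuth for an engine (step 2) or clientAuth for an end-system (step 3).
issue_cert() {
  name=$1; subj=$2; eku=$3; san=${4:-}
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  ext="$WORK/$name.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' "$eku" > "$ext"
  if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san" >> "$ext"; fi
  openssl x509 -req -sha256 -days 90 -in "$WORK/$name.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

# verify_for_role NAME PURPOSE: exit 0 only if NAME.pem chains to the lab root
# AND its key usage / EKU fit PURPOSE (sslserver = engine, sslclient = end-system).
verify_for_role() {
  openssl verify -CAfile "$WORK/root.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# report NAME PURPOSE: human-readable wrapper around verify_for_role.
report() {
  if verify_for_role "$1" "$2"; then echo "$1 as $2: OK"; else echo "$1 as $2: REJECTED"; fi
}

make_root_ca
issue_cert engine   "/CN=nac-engine.example.test" serverAuth "DNS:nac-engine.example.test"
issue_cert wildcard "/CN=*.example.test"          serverAuth "DNS:*.example.test"
issue_cert laptop   "/CN=laptop01.example.test"   clientAuth

report engine   sslserver   # engine cert on the engine: OK
report laptop   sslclient   # end-system cert on a supplicant: OK
report wildcard sslserver   # wildcard web cert on the engine: OK (chains, has serverAuth)
report wildcard sslclient   # wildcard web cert as a supplicant cert: REJECTED (no clientAuth)
report laptop   sslserver   # supplicant cert on the engine: REJECTED (no serverAuth)
```

The `-purpose` switch is what makes `openssl verify` check the role and not just the chain; run the same command against a real engine or end-system certificate (with the real root in `-CAfile`) to confirm it is fit for the rule before you enforce. Hostname matching is a separate check that this script does not perform.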