03-13-2025 04:36 AM
Hello Community,
We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.
However, I believe later versions of XIQ SE support EAP TLS. If this is not the case, please let me know. Could anyone let me know the minimum version of XIQ SE that supports EAP TLS, and will I need a root certificate to be installed on XIQ SE and the NAC devices?
Is there a guide or similar I could use to implement EAP TLS?
Currently, we use the built-in 802.1x authentication via an LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.
Many Thanks,
03-13-2025 05:28 AM - edited 03-13-2025 05:30 AM
Hi Asifi,
Any version of XIQ-SE supports EAP-TLS.
If you want EAP-PEAP to still be supported on Windows 11 clients, you will probably need to disable the Credential Guard feature.
These links might be useful:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x
However, using EAP-TLS is way better than EAP-PEAP in terms of security.
REGARDS, Robert
a week ago - last edited Saturday
Hi,
EAP-TLS is supported in XIQ-Site Engine, including the version you’re running. The limitation is usually in the NAC configuration, not the platform version. To use EAP-TLS you’ll need a proper certificate chain: a server certificate on the NAC/RADIUS engine and the corresponding root or intermediate CA uploaded into the trusted authorities list so the engine can validate client certificates.
On the Windows side, each client needs a user or computer certificate issued by the same CA, and Windows 11 will authenticate cleanly with EAP-TLS once those certificates and profiles are in place. Your existing LDAP-based PEAP/MSCHAPv2 setup won’t be used anymore because TLS relies on certificates instead of passwords.
Implementation is straightforward: generate a CSR on the NAC engine, get it signed by your CA, import the server certificate and root CA, switch the authentication method in your access policies, and then enforce the configuration to your engines. After that, deploy certificates and an 802.1X profile to Windows 11 via GPO or Intune.
Regards
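
A pre-deployment sanity check for the certificate chain described in the reply above, as an added example that is not part of the original thread or of Extreme's documentation: it uses the `openssl` CLI to confirm that a client certificate chains to the root CA, permits Client Authentication, and is not about to expire. The lab CA, all file names, the section names in `lab.cnf` and the 30-day threshold are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment check for an EAP-TLS client certificate.
# Returns 0 if usable, 1 if chain/purpose validation fails, 2 if it expires too soon.
check_eap_tls_client_cert() {
    ca="$1"; cert="$2"; min_days="${3:-30}"
    # -purpose sslclient rejects a cert whose EKU does not allow Client Authentication
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
    # -checkend exits non-zero if the cert expires within the given number of seconds
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 || return 2
    return 0
}

# Issue one leaf certificate from the lab CA: issue_leaf DIR NAME EXT_SECTION DAYS
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -config "$1/lab.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days "$4" -extfile "$1/lab.cnf" -extensions "$3" -out "$1/$2.pem" 2>/dev/null
}

# Build a throwaway lab PKI in DIR (constructed sample data, not a production CA layout)
make_lab_pki() {
    cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_client]
extendedKeyUsage = clientAuth
[v3_server]
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/lab.cnf" \
        -extensions v3_ca -subj "/CN=Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    issue_leaf "$1" client     v3_client 365   # good client certificate
    issue_leaf "$1" server     v3_server 365   # wrong EKU for a supplicant
    issue_leaf "$1" shortlived v3_client 10    # right EKU, expires in 10 days
}

d=$(mktemp -d)
make_lab_pki "$d"
for c in client server shortlived; do
    rc=0; check_eap_tls_client_cert "$d/ca.pem" "$d/$c.pem" 30 || rc=$?
    echo "$c.pem -> $rc"
done
rm -rf "$d"
```

Against real files, pass the exported root CA and a client certificate in PEM form as the first two arguments; a result of 1 on a certificate that chains correctly usually means the issuing template lacks the Client Authentication EKU.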
04-10-2025 02:28 AM
Hello Everyone,
Apologies for the late reply and thanks to everyone who has replied. I have checked my version of XIQ SE. The version I have is ExtremeCloud IQ - Site Engine 23.4.12.3.
I believe this version should support EAP-TLS. However, when looking under AAA Rules and Authentication type, I do not have the EAP-TLS option. Am I looking in the wrong place for this? Please see screenshot below.
Thanks,
04-10-2025 01:26 PM
Hi,
Not showing EAP-TLS in the list of conditions for AAA rule does not mean EAP-TLS is not supported.
Sincerely yours
04-14-2025 06:34 AM
@Zdeněk_Pala - Thanks, I have found the option to do this. Can I edit and use an existing Rule with EAP-TLS after installing the Root certificate on the NACs, or do I need to create a new Rule?
Thanks,