Thursday
Hello Community,
We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.
However, I believe later versions of XIQ SE support EAP TLS. If this is not the case, please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE, and will I need a root certificate to be installed on XIQ SE and the NAC devices?
Is there a guide or similar I could use to implement EAP TLS?
Currently, we use the built-in 802.1x authentication via an LDAP server. This, I believe, supports MsCHAP, PEAP and EAP-MsCHAPV2 only.
Many Thanks,
Monday
Thanks everyone - lots to ponder and think about.
My last question - we have a wildcard certificate already in use and verified by a CA. Can we use this as the device cert on the NACs, as this already chains back to our PKI root, without having to raise a new CSR and getting this verified by a CA?
Many thanks everyone.
yesterday
We do not permit / advise the use of a wildcard certificate for the RADIUS server certificate for backwards compatibility with clients and 802.1x supplicant configurations that simply do not support it.
A RADIUS server cert w/ multiple SANs (FQDNs) is recommended.
A wildcard certificate is compatible with Captive Portal/Web use purposes.
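
A pre-deployment check in the spirit of the advice above, as an added example that is not part of the original post or of any vendor tooling: it reads the text printed by `openssl x509 -noout -ext subjectAltName` and reports wildcard entries and NAC FQDNs that have no exact SAN. The host names and SAN text below are constructed placeholders.

```python
import re

# Constructed sample output of `openssl x509 -noout -ext subjectAltName`.
WILDCARD_SAN = """X509v3 Subject Alternative Name:
    DNS:*.corp.example, DNS:corp.example"""
MULTI_SAN = """X509v3 Subject Alternative Name:
    DNS:nac1.corp.example, DNS:nac2.corp.example"""

# Hypothetical FQDNs of the NAC engines that act as RADIUS servers.
NAC_FQDNS = ["nac1.corp.example", "nac2.corp.example"]


def parse_san_dns(san_text):
    """Return the dNSName entries (lowercased) found in openssl's SAN text."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", san_text)]


def review_radius_cert(san_text, nac_fqdns):
    """Flag wildcard SANs and NAC FQDNs that are not listed as an exact SAN.

    A name matched only by a wildcard is reported as missing, because the
    concern raised above is supplicants that do not accept wildcard matching.
    """
    names = parse_san_dns(san_text)
    wildcards = [n for n in names if "*" in n]
    exact = {n for n in names if "*" not in n}
    missing = [f for f in nac_fqdns if f.lower() not in exact]
    return {
        "wildcards": wildcards,
        "missing": missing,
        "ok": not wildcards and not missing,
    }


if __name__ == "__main__":
    for label, san in (("wildcard cert", WILDCARD_SAN), ("multi-SAN cert", MULTI_SAN)):
        result = review_radius_cert(san, NAC_FQDNS)
        print(f"{label}: ok={result['ok']} "
              f"wildcards={result['wildcards']} missing={result['missing']}")
```
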
yesterday
@Robert_Haynes - Thanks Robert. I guess it's the same if using LDAP as opposed to RADIUS.
Thanks,
Friday - last edited Friday
Any version of XIQ-SE/NAC supports EAP-TLS, as others have stated.
Your CA's server certificate is required for the NAC appliance or virtual machine, but not for the XIQ-SE.
Only NAC appliances are RADIUS servers, and your Windows 11 devices will validate them using the server certificate.
PEAP is deprecated due to security concerns, thus even if Windows 11 currently supports it (with Credential Guard turned down), you never know if it will be the case tomorrow.