
XIQ SE and Windows 11 Authentication EAP TLS

Asifi
New Contributor II

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later versions of XIQ SE support EAP TLS. If this is not the case, please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS, and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to implement EAP TLS?

Currently, we use the built-in 802.1x authentication via an LDAP server. This, I believe, supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

 

1 ACCEPTED SOLUTION

Robert_Zdzieblo
Contributor II

Hi Asifi,

Any version of XIQ-SE supports EAP-TLS.

If you want EAP-PEAP to still be supported on Windows 11 clients, you will probably need to disable the Credential Guard feature.

These links might be useful:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

However, using EAP-TLS is way better than EAP-PEAP in terms of security.

 

REGARDS, Robert


@Zdeněk_Pala - thanks for the quick reply. Currently, we have no certificate and are using 802.1x PEAP as the Authentication Rules for our end computers. As this is the first root certificate we will use, is it safe to say: install the root certificate on the NACs and change the Authentication on the Rule from 802.1X PEAP to 802.1X EAP-TLS?

Many thanks,

Hi,

I think you will need these steps:

  1. Upload the Root CA certificate
  2. Generate a Certificate for each Access Control Engine (if it is not done yet)
  3. Generate a client certificate for your clients (end-systems)
  4. Define NAC rules (may not be needed if your existing rules reflect what you want)
  5. Enforce settings

Usually there is no need to configure or modify AAA rules if you already have PEAP and you want to add EAP-TLS. Why do you think you need a new AAA rule?

 

Regards Zdeněk Pala

@Zdeněk_Pala - Many thanks for your pointers above. Some quick thoughts from me:

1. I have a Root Certificate; is this to be uploaded onto the NACs and XIQ SE?

2. Generate a Certificate for each Access Control Engine after the Root certificate has been uploaded?

3. Client certificate we have.

4. NAC Rules - we have what we need in place currently just not setup to use EAP TLS for which I will need to do the above steps.

You are correct in that I don't believe we need to update the AAA Rules as these are 802.1X.  I believe however, we will need to change the Access Control Rules from 802.1x (current) to 802.1X EAP-TLS - see screenshot below.  This is where I believed I may need to control a set of new Access Control Rules to use 802.1X EAP-TLS.

[Screenshot: Asifi_0-1744721354835.png]

Apologies for the many questions, this is my first time attempting this and I want to ensure this is done correctly.

 

Kind Regards,

 

Hi,

Step 1 = the Access Control Engine must know that the CA is trusted. Yes, you need to upload the Root CA = https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_at_aaa_conf... >> Trusted Authorities

Step 2 can be done before step 1 or after.

Step 2.1 = Generate a private key and certificate signing request.

Step 2.2 = Submit the request to a Certificate Authority.

Step 2.3 = Replace the Certificate or define certificate usage conditions.

Step 4 = if you want a different result for EAP-TLS compared to PEAP, then yes, you need to define the authentication method in your NAC rule.

Sincerely yours

Regards Zdeněk Pala
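The openssl side of steps 2.1 to 2.3 above, as an added example that is not from this thread or from Extreme's documentation: a key and CSR for one Access Control Engine, a throwaway Root CA standing in for your real CA, and a pre-check that the engine certificate chains to the Root CA you will upload under Trusted Authorities. The engine FQDN, work directory and test CA are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: openssl commands behind steps 2.1-2.3
# for a single Access Control Engine, plus a chain/key/SAN verification.
set -eu
WORK="${WORK:-$(mktemp -d)}"
ENGINE_FQDN="nac-engine-1.example.net"   # placeholder: your engine's FQDN

# Step 2.1: private key stays on the engine; only the CSR goes to the CA.
# The SAN must match the server name supplicants are set to validate,
# otherwise Windows clients will refuse the RADIUS server certificate.
make_engine_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/engine.key" -out "$WORK/engine.csr" \
    -subj "/CN=$ENGINE_FQDN" \
    -addext "subjectAltName=DNS:$ENGINE_FQDN" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# Stand-in for step 2.2: a constructed test Root CA signs the CSR. In
# production your real CA does this; the extensions file mirrors the CSR.
sign_with_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/rootca.key" -out "$WORK/rootca.pem" \
    -subj "/CN=Constructed Test Root CA" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$ENGINE_FQDN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/engine.csr" -CA "$WORK/rootca.pem" \
    -CAkey "$WORK/rootca.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/ext.cnf" -out "$WORK/engine.pem" >/dev/null 2>&1
}

# Step 2.3 pre-check before replacing the engine certificate: the private
# key matches the issued cert, the Root CA you will upload as a Trusted
# Authority verifies the chain, and the SAN carries the engine FQDN.
# Prints OK and returns 0 on success, a reason and 1 otherwise.
verify_engine_cert() {
  key_pub=$(openssl pkey -in "$WORK/engine.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$WORK/engine.pem" -pubkey -noout 2>/dev/null)
  [ "$key_pub" = "$cert_pub" ] || { echo "key does not match cert"; return 1; }
  openssl verify -CAfile "$WORK/rootca.pem" "$WORK/engine.pem" >/dev/null 2>&1 \
    || { echo "chain does not verify against Root CA"; return 1; }
  openssl x509 -in "$WORK/engine.pem" -noout -text 2>/dev/null \
    | grep -q "DNS:$ENGINE_FQDN" || { echo "SAN missing"; return 1; }
  echo OK
}

make_engine_csr && sign_with_test_ca && verify_engine_cert
```

Run the same verify step against the certificate your real CA returns before importing it on each engine; a mismatch here is what shows up later as clients failing the server-certificate check.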

@Zdeněk_Pala - Thanks for the steps, much appreciated. For step 1, the CA trusted certificate goes in the section shown in the screenshot below. This is what I have when I click on each Control Engine and go to Certificates > Manage > AAA Trusted Certificate Authorities. Also, as I have 2 Control Engines, is the CA installed on each Engine?

 

[Screenshot: Asifi_0-1744814782459.png]

Thanks,
