Extreme Networks

ExtremeNewbie · ‎03-13-2025

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later version of XIQ SE support EAP TLS. If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to Implement EAP TLS?

Currently, we use the built in 802.1x authentication via a LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

Robert_Zdzieblo · ‎03-13-2025

Hi Asifi,

Any version of XIQ-SE supports EAP-TLS.

If you want EAP-PEAP to be still supported in Windows 11 clients, you will probably need to disable Credential Guard feature.

These links might be useful:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

However, using EAP-TLS is a way better than EAP-PEAP in terms of security.

REGARDS, Robert

View solution in original post

ExtremeNewbie · ‎04-22-2025

@Robert_Haynes @Zdeněk_Pala Hi both, So I have kicked of the process and have run into some questions.

1. I have installed the CA Root on the XMC-SE appliance as discussed. All good?

2. When generating a Private Key and CSR - is this done on each NAC appliance or on the XIQ-SE?

3. Do I need to take into account whether it's a Server or Client CSR if using EAP-TLS? If Yes, the line to be used below does not work according to Extreme Documentation. Or do I not use this line and just create a standard CSR?

Using this line brings the error on XIQ-SE and NAC appliance:

If the CSR is for both the Control appliance and client, the command must include:

openssl req -new -reqexts server_and_client_auth -key <key_name.key -out <csr_name>.csr

Error is : Error Loading request extension section server_and_auth

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000078322

Many Thanks,

Zdeněk_Pala · ‎04-23-2025

Hi,

2. generate the key and CSR on the Access Control Engine (NAC appliance)

3. The certificate you will install on Access Control Engine (through Site Engine) must be a server certificate. Clients will see that as a server. https://emc.extremenetworks.com/content/oneview/docs/admin/docs/ov_ht_update_cert.html

Regards Zdeněk Pala

ExtremeNewbie · ‎04-23-2025

@Zdeněk_Pala - Thanks for the reply.

2. Key and CSR generated from each NAC appliance using the FQDN of each appliance. CRT raised for each NAC appliance.

3. Each CRT to be installed on the respective NAC appliance?

Thanks,

Zdeněk_Pala · ‎04-23-2025

Correct. Each Access Control Engine should have own certificate. Installation of the certificate is done through Site Engine GUI (OneView)

Regards Zdeněk Pala

Robert_Haynes · ‎04-24-2025

I will offer an alternative.

One CSR.

The Subject (CN) will be ~ nac.domain.com.

The SubjAltName (SAN) will be DNSName:nac.domain.com,DNSName:nac1.domain.com,DNSName:nac2.domain.com (etc).

In DNS nac.domain.com will resolve to each IP address for each Control engine. nac1.domain.com will resolve just to Engine 1, nac2.domain.com to Engine 2 and so forth.

A single CSR, a single signed certificate containing the SAN (DNS/FQDN) of each of the Control engines in the engine group. This way only one certificate has to be renewed each year instead of x.

Extreme Networks

XIQ SE and Windows 11 Authentication EAP TLS

XIQ SE and Windows 11 Authentication EAP TLS