03-13-2025 04:36 AM
Hello Community,
We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.
However, I believe later versions of XIQ SE support EAP TLS. If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE and will I need a root certificate to be installed on XIQ SE and the NAC devices?
Is there a guide or similar I could use to implement EAP TLS?
Currently, we use the built-in 802.1x authentication via a LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.
Many Thanks,
03-13-2025 05:28 AM - edited 03-13-2025 05:30 AM
Hi Asifi,
Any version of XIQ-SE supports EAP-TLS.
If you want EAP-PEAP to be still supported in Windows 11 clients, you will probably need to disable the Credential Guard feature.
These links might be useful:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x
However, using EAP-TLS is way better than EAP-PEAP in terms of security.
REGARDS, Robert
04-23-2025 07:18 AM
Hi,
2. Generate the key and CSR on the Access Control Engine (NAC appliance).
3. The certificate you will install on Access Control Engine (through Site Engine) must be a server certificate. Clients will see that as a server. https://emc.extremenetworks.com/content/oneview/docs/admin/docs/ov_ht_update_cert.html
04-23-2025 08:54 AM
@Zdeněk_Pala - Thanks for the reply.
2. Key and CSR generated from each NAC appliance using the FQDN of each appliance. CRT raised for each NAC appliance.
3. Each CRT to be installed on the respective NAC appliance?
Thanks,
04-23-2025 12:32 PM
Correct. Each Access Control Engine should have its own certificate. Installation of the certificate is done through the Site Engine GUI (OneView).
04-24-2025 07:53 AM
I will offer an alternative.
One CSR.
The Subject (CN) will be ~ nac.domain.com.
The SubjAltName (SAN) will be DNSName:nac.domain.com,DNSName:nac1.domain.com,DNSName:nac2.domain.com (etc).
In DNS nac.domain.com will resolve to each IP address for each Control engine. nac1.domain.com will resolve just to Engine 1, nac2.domain.com to Engine 2 and so forth.
A single CSR, a single signed certificate containing the SAN (DNS/FQDN) of each of the Control engines in the engine group. This way only one certificate has to be renewed each year instead of x.
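The single-SAN-certificate alternative above, and the per-engine CSRs from the earlier replies, as an added shell example (not from this thread or from Extreme Networks): one function builds a key and CSR whose SAN lists every engine FQDN (pass a single FQDN and you get the per-engine variant), and a second checks the SAN before the CSR goes to the CA. It assumes an openssl CLI of 1.1.1 or later (for `-addext`); nac.domain.com and nac1/nac2.domain.com are the thread's placeholder names.

```shell
#!/bin/sh
# Added example: build one private key + CSR covering several Access Control
# Engine FQDNs via subjectAltName, then verify the CSR before submitting it.
# Requires openssl >= 1.1.1 (-addext). Names below are placeholders.
set -eu

# make_nac_csr OUTDIR CN [FQDN...] -> writes OUTDIR/nac.key and OUTDIR/nac.csr
# The CN is always included as a DNS SAN too, since clients match on SAN.
make_nac_csr() {
  outdir=$1; cn=$2; shift 2
  sans=""
  for name in "$cn" "$@"; do
    sans="${sans:+$sans,}DNS:$name"
  done
  mkdir -p "$outdir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
    -keyout "$outdir/nac.key" -out "$outdir/nac.csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$sans"
}

# csr_has_san CSR FQDN -> exit 0 only if FQDN is an exact DNS SAN entry
csr_has_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# csr_cn CSR -> prints the subject CN
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Demo with constructed placeholder names: one CSR for three engines.
demo() {
  dir=$(mktemp -d)
  make_nac_csr "$dir" nac.domain.com nac1.domain.com nac2.domain.com
  for n in nac.domain.com nac1.domain.com nac2.domain.com; do
    csr_has_san "$dir/nac.csr" "$n" && echo "SAN present: $n"
  done
  echo "CN=$(csr_cn "$dir/nac.csr"); CSR at $dir/nac.csr (key stays on the engine)"
}
demo
```

The renewal saving the post describes only holds if DNS really maps nac.domain.com to every engine and each nacN name to one engine, so check that before the CA signs.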
04-24-2025 06:02 AM
@Zdeněk_Pala - Great I will do this later today.
To confirm:
1. Installed our CA Root Certificate on XIQ-SE.
2. Generated private key and CSR from each NAC appliance using FQDN of each appliance.
3. CRT created.
4. Install CRT to each respective NAC via XIQ-SE.
5. Test using Test AAA?
