
XIQ SE and Windows 11 Authentication EAP TLS


Asifi
New Contributor II

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method.  I was told this would no longer work with Win 11 and we would need to implement EAP TLS.  I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later versions of XIQ SE support EAP TLS.  If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS, and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to implement EAP TLS?

Currently, we use the built-in 802.1x authentication via an LDAP server.  This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

 

20 REPLIES

SebBinet
New Contributor

As mentioned by others, any XIQ-SE/NAC version supports EAP-TLS.
You'll need a server certificate issued by your CA for the NAC appliance/VM but not for XIQ-SE.

Only the NAC appliances are RADIUS servers and will use the server certificate to be validated by your Windows 11 devices.

Even if Windows 11 still supports PEAP (with Credential Guard disabled), you never know if that will be the case tomorrow, because PEAP is deprecated because of security issues.

Markus_Nikulski
Extreme Employee

PEAP-MSCHAP is still supported with Windows 11. More and more customers are moving to EntraID, replacing the classical Active Directory we have known for many years. Using EAP-TLS is a good alternative if you know how to deal with client certificates with regard to auto-enrollment and lifecycle management. Just make sure the clients have a certificate with "Enhanced Key Usage" = "Client Authentication", and select the certificate in Windows 11 plus the corresponding root CA certificate to be able to validate the incoming Radius server certificate, like you should have already with PEAP-xxx.
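
A read-only check of the client-side requirements named in the post above, as an added example that is not part of the thread: it lists each certificate in a Windows store and reports whether it carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), has a private key, is within its validity period, and chains to a locally trusted root. The function name `Test-EapTlsClientCert` and the output property names are hypothetical.

```powershell
# Added example, not from the thread. Function and property names are hypothetical.
function Test-EapTlsClientCert {
    param(
        # Cert:\LocalMachine\My for machine authentication,
        # Cert:\CurrentUser\My for user authentication.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU "Client Authentication"
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the OIDs from the Enhanced Key Usage extension, if present.
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        )

        # Build the chain against the local trust stores. Revocation checking
        # is skipped so the audit also works without network access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        # The last chain element is the top of the chain that could be built.
        $top = $null
        if ($chain.ChainElements.Count -gt 0) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            ClientAuthEku = $ekuOids -contains $clientAuthOid
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
            ChainTrusted  = $chainOk
            TopOfChain    = $top
        }
    }
}

Test-EapTlsClientCert | Format-Table -AutoSize
```

A certificate is a candidate for EAP-TLS only when every boolean column is `True`; `TopOfChain` should name the same root CA that issued the RADIUS server certificate's chain.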

Asifi
New Contributor II

Hi All, will I need a pfx or cer certificate for the NACs?

Thanks,

The pfx extension indicates PKCS12-formatted data. Yes, it can be used to deploy the certificate for the Radius server.

@Markus_Nikulski - Thanks Markus, we use an LDAP server for user and machine authentication.  PFX still ok?

Thanks,
