This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

XIQ SE and Windows 11 Authentication EAP TLS

XIQ SE and Windows 11 Authentication EAP TLS

Go to solution
Asifi
New Contributor II

‎03-13-2025 04:36 AM

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method.  I was told this would no longer work with Win 11 and we would need to implement EAP TLS.  I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later version of XIQ SE support EAP TLS.  If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to Implement EAP TLS?

Currently, we use the built in 802.1x authentication via a LDAP server.  This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Robert_Zdzieblo
Contributor II

‎03-13-2025 05:28 AM - edited ‎03-13-2025 05:30 AM

Hi Asifi,

Any version of XIQ-SE supports EAP-TLS.

If you want EAP-PEAP to be still supported in Windows 11 clients, you will probably need to disable Credential Guard feature. 

These links might be useful:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

However, using EAP-TLS is a way better than EAP-PEAP in terms of security.

 

REGARDS, Robert

View solution in original post

0 Kudos
47 REPLIES 47

Go to solution
Zdeněk_Pala
Extreme Employee
In response to Asifi

‎04-16-2025 08:23 AM

Hi.


The Trusted Root CA should be inserted once (per AAA config), but the screen can be reached from multiple places.
add your CA certificate to that screen and you will see...

The AAA config is applied to all relevant Access Control Engines

Hope it helps.

Regards Zdeněk Pala
0 Kudos

Go to solution
Asifi
New Contributor II
In response to Zdeněk_Pala

‎04-17-2025 03:12 AM

@ZdenÄ›k_Pala Thank you - finally, what format of the Root Certificate to use?

I have the below.

Asifi_0-1744884727185.png

Many Thanks,

0 Kudos

Go to solution
Zdeněk_Pala
Extreme Employee
In response to Asifi

‎04-17-2025 03:26 AM

I was always using .CER. I would use the second one from your list.

Sincerely yours

 

Regards Zdeněk Pala
0 Kudos

Go to solution
Asifi
New Contributor II
In response to Zdeněk_Pala

‎04-17-2025 03:52 AM

@ZdenÄ›k_Pala - Great, I've done that and will move on.

Many thanks,

 

0 Kudos

Go to solution
Asifi
New Contributor II
In response to Asifi

‎04-17-2025 04:05 AM

@ZdenÄ›k_Pala  - I can generate the server private key and CSR by SSH to the XIQ-SE box?  I don't have to SSH to the NAC box(s)?

Also is SHA1 still used for this ?  I thought this was depreciated.

Asifi_0-1744887893693.png

 

Thanks,

0 Kudos
Top
GTM-P2G8KFN