‎03-13-2025 04:36 AM
Hello Community,
We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.
However, I believe later versions of XIQ SE support EAP TLS. If this is not the case, please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS, and will I need a root certificate to be installed on XIQ SE and the NAC devices?
Is there a guide or similar I could use to implement EAP TLS?
Currently, we use the built-in 802.1x authentication via an LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.
Many Thanks,
‎03-13-2025 05:28 AM - edited ‎03-13-2025 05:30 AM
Hi Asifi,
Any version of XIQ-SE supports EAP-TLS.
If you want EAP-PEAP to still be supported on Windows 11 clients, you will probably need to disable the Credential Guard feature.
These links might be useful:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x
However, using EAP-TLS is way better than EAP-PEAP in terms of security.
REGARDS, Robert
‎04-17-2025 04:57 AM
Hi.
If you follow the procedure in the documentation, you should be supported and not find surprises. That is what I recommend.
You can generate the certificate wherever you want. Please ensure the certificate has all the required properties.
‎04-17-2025 06:14 AM
@Zdeněk_Pala Great - CSR has been raised. One point of note: as we are on version 24.02, we do not need to use the highlighted section in the code below. This came in on version 24.7.10.
Thanks,
‎04-17-2025 07:37 AM
@Zdeněk_Pala - Hello, I am trying to create a CSR using the command below for both server (NAC) and Client (End User Machines). This is needed if using EAP-TLS according to this Extreme link.
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000078322
openssl req -new -reqexts server_and_client_auth -key <key_name>.key -out <csr_name>.csr
However, this comes back with an error - Error Loading request extension section server_and_client_auth
This is from Extreme's documentation - link below.
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000078322
Any thoughts on this please?
Thanks,
‎04-18-2025 07:05 AM - edited ‎04-18-2025 07:23 AM
Hello Asifi.
Editing my original reply.
Run these commands from the Control engine SSH session; not Site Engine where I assume you're running those commands.
‎04-22-2025 08:38 AM
@Robert_Haynes @Zdeněk_Pala Hi both, so I have kicked off the process and have run into some questions.
1. I have installed the CA Root on the XMC-SE appliance as discussed. All good?
2. When generating a Private Key and CSR - is this done on each NAC appliance or on the XIQ-SE?
3. Do I need to take into account whether it's a Server or Client CSR if using EAP-TLS? If Yes, the line to be used below does not work according to Extreme Documentation. Or do I not use this line and just create a standard CSR?
Using this line brings the error on XIQ-SE and NAC appliance:
- If the CSR is for both the Control appliance and client, the command must include:
Error is: Error Loading request extension section server_and_auth
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000078322
Many Thanks,
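
Added example, not part of the thread or of Extreme's documentation: `-reqexts` names a section that must exist in the OpenSSL configuration file that `openssl req` reads on the host where the command runs, so the same command can succeed on one appliance and fail on another. The script below checks a config for the section and confirms that the resulting CSR requests both server and client authentication; the config contents, the `extendedKeyUsage` values and the host name `nac.example.test` are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (constructed; not Extreme's procedure or files).

# Return 0 if OpenSSL config file $1 defines section [$2].
has_section() {
    grep -Eq "^[[:space:]]*\[[[:space:]]*$2[[:space:]]*\]" "$1"
}

# Write a minimal, constructed config to $1. The section body is an
# assumption inferred from the section name used in the thread.
write_demo_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = nac.example.test

[ server_and_client_auth ]
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Create a throwaway key and CSR using config $1 and -reqexts $2, then
# print the Extended Key Usage values the CSR requests.
# Returns 2 (without calling openssl) when the section is not defined.
csr_eku() {
    has_section "$1" "$2" || {
        echo "section [$2] is not defined in $1" >&2
        return 2
    }
    _d=$(mktemp -d) || return 1
    # -newkey keeps the demo self-contained; the thread's command uses -key.
    openssl req -new -newkey rsa:2048 -nodes -config "$1" -reqexts "$2" \
        -keyout "$_d/demo.key" -out "$_d/demo.csr" 2>/dev/null || { rm -rf "$_d"; return 1; }
    _eku=$(openssl req -in "$_d/demo.csr" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n1 | sed 's/^ *//')
    rm -rf "$_d"
    printf '%s\n' "$_eku"
}

# Demo run, only when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    demo_cnf=$(mktemp)
    write_demo_cnf "$demo_cnf"
    csr_eku "$demo_cnf" server_and_client_auth
    rm -f "$demo_cnf"
fi
```

On a real host, point `has_section` at the configuration file that `openssl` loads there; `openssl version -d` prints the directory (OPENSSLDIR) where the default `openssl.cnf` normally lives.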
