This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- XIQ SE and Windows 11 Authentication EAP TLS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
XIQ SE and Windows 11 Authentication EAP TLS
XIQ SE and Windows 11 Authentication EAP TLS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
a week ago
Hello Community,
We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method. I was told this would no longer work with Win 11 and we would need to implement EAP TLS. I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.
However, I believe later version of XIQ SE support EAP TLS. If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE and will I need a root certificate to be installed on XIQ SE and the NAC devices?
Is there a guide or similar I could use to Implement EAP TLS?
Currently, we use the built in 802.1x authentication via a LDAP server. This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.
Many Thanks,
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Thursday
@Markus_Nikulski I'm not promoting NPS as NAC but as RADIUS server for Extreme Access Control (so Extreme NAC is used as RADIUS Proxy). IMO NTLM integration with AD environment is somehow not as reliable as RADIUS-based integration
SWITCH/AP <---> Extreme Control <----> NPS (RADIUS) + AD (LDAP)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
a week ago
@Robert_Zdzieblo @Zdeněk_Pala - thanks both, that is interesting. I will upgrade - which version do you recommend from my current version? I know somewhere down the line the upgrade involves a new VM creation and backup/restore of the database. Which version can I go to without creating a new VM?
Secondly, if I go with EAP TLS - I need a Root certificate on XIQ SE and the NAC's?
Any documentation for this?
Many thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Thursday
Asifi,
I think you can't avoid migration during XIQ-SE upgrade to current version. There is stepped upgrade path from your version and during upgrade to 24.7 there is migration required between 2 VMs - all info can be found in XIQ-SE Release Notes.
Regarding the certificate - you'll need your CA signed certificates on NAC gateways, but not necessarily on XIQ-SE itself.
REGARDS, Robert
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Thursday
@Robert_Zdzieblo - thank you for confirming. Can I update the existing authentication to use EP TLS or will this require new rules?
Thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
a week ago - last edited a week ago
Hi Asifi,
Any version of XIQ-SE supports EAP-TLS.
If you want EAP-PEAP to be still supported in Windows 11 clients, you will probably need to disable Credential Guard feature.
These links might be useful:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x
However, using EAP-TLS is a way better than EAP-PEAP in terms of security.
REGARDS, Robert
