This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

XIQ SE and Windows 11 Authentication EAP TLS

XIQ SE and Windows 11 Authentication EAP TLS

Go to solution
ExtremeNewbie
New Contributor III

‎03-13-2025 04:36 AM

Hello Community,

We have upgraded from Win 10 to Win 11 and are currently using EAP PEAP as the 802.1x authentication method.  I was told this would no longer work with Win 11 and we would need to implement EAP TLS.  I understand EAP TLS is not available for the version of XIQ SE we have - 23.4.12.3.

However, I believe later version of XIQ SE support EAP TLS.  If this is not the case please let me know. Could anyone let me know which minimum version of XIQ SE supports EAP TLS for XIQ SE and will I need a root certificate to be installed on XIQ SE and the NAC devices?

Is there a guide or similar I could use to Implement EAP TLS?

Currently, we use the built in 802.1x authentication via a LDAP server.  This I believe supports MsCHAP, PEAP and EAP-MsCHAPV2 only.

Many Thanks,

 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Robert_Zdzieblo
Contributor II

‎03-13-2025 05:28 AM - edited ‎03-13-2025 05:30 AM

Hi Asifi,

Any version of XIQ-SE supports EAP-TLS.

If you want EAP-PEAP to be still supported in Windows 11 clients, you will probably need to disable Credential Guard feature. 

These links might be useful:

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100238&q=windows%2011%20802%201x

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?ta...

However, using EAP-TLS is a way better than EAP-PEAP in terms of security.

 

REGARDS, Robert

View solution in original post

0 Kudos
48 REPLIES 48

Go to solution
Bartek
Contributor
In response to ExtremeNewbie

‎03-13-2025 12:59 PM

I'm suggesting integrating Extreme Control with on-prem AD environment using RADIUS protocol for user authentication (it's called RADIUS Proxy mode) and LDAP for checking user access permissions:

SWITCH/AP <---> Extreme Control <----> NPS (RADIUS) + AD (LDAP)

0 Kudos

Go to solution
Bartek
Contributor

‎03-13-2025 05:55 AM

Hi,

If you are working with AD environment, then I would recommend deploying at least one NPS server (o even two for redundancy) to handle RADIUS authentication with NAC and keep LDAP integration just for checking user attributes for applying correct network authorization.

NTLM protocol used by NAC for local RADIUS termination is somehow deprecated by Microsoft (https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features)

0 Kudos

Go to solution
Markus_Nikulski
Extreme Employee
In response to Bartek

‎03-13-2025 08:26 AM

we don't promote the NPS servie because we have XIQ-SE NAC scaling much better and have a enterprise great NAC solution.

0 Kudos

Go to solution
Bartek
Contributor
In response to Markus_Nikulski

‎03-13-2025 12:50 PM

@Markus_Nikulski I'm not promoting NPS as NAC but as RADIUS server for Extreme Access Control (so Extreme NAC is used as RADIUS Proxy). IMO NTLM integration with AD environment is somehow not as reliable as RADIUS-based integration

SWITCH/AP <---> Extreme Control <----> NPS (RADIUS) + AD (LDAP)

0 Kudos

Go to solution
ExtremeNewbie
New Contributor III

‎03-13-2025 05:55 AM

@Robert_Zdzieblo @Zdeněk_Pala - thanks both, that is interesting.  I will upgrade  - which version do you recommend from my current version?  I know somewhere down the line the upgrade involves a new VM creation and backup/restore of the database.  Which version can I go to without creating a new VM?

Secondly, if I go with EAP TLS - I need a Root certificate on XIQ SE and the NAC's?

Any documentation for this?

Many thanks,

0 Kudos
GTM-P2G8KFN