AD-integrated 802.1x with Extreme Networks AP410C-WR

cdeibert
New Contributor

Hi, we bought several AP410C-WR and want to use the built-in RADIUS functionality on two APs (both AD-joined; no LDAP configured) for certificate-based 802.1X.

The goal is to use machine-based Next Generation (CNG) certificates carrying the name of the domain-joined computer and to qualify against a Windows security group containing these machines.

As a best-practice approach, under "User Access Settings" the "Default User Profile" is a quarantine, non-existing VLAN; a different user profile is selected via assignment rules that check for membership of the mentioned security group.

Security-wise I want to use PEAP (Auth. Protocol: TLS/PEAP; Default Auth. Protocol: PEAP). So far I could not get it going, whereas this setup did work with an MS NPS server (which I cannot use anymore) and another AP brand in the past.

Certificate-wise, the machines also carry the public two-tier CA certificates, so the chain looks good. In XIQ under "Aerohive Device as RADIUS Server" - "Security Options" I've imported our public CA chain under "CA Certificate File".

After that I manually created and signed these certificates:

  • Server Certificate File: certificate with the FQDN of one of the RADIUS APs as CN + the other as SAN (.pem)
  • Server Key File: the corresponding key file (.pem)
  • Key File Password: no password, since it was removed from the .pfx before converting

Question: In my setup there is my domain-joined computer (supplicant); authenticator/RADIUS and auth. server are only the two AD-joined APs plus my domain controllers. Is this outlined setup supposed to work? Do you see a misconception in how I use the certificates?

Thanks!
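The post above describes three things that have to line up before the AP's RADIUS server can accept a machine: the supplicant's machine certificate (private key, Client Authentication EKU, the computer name in the SAN, a chain to the trusted CA), the computer's membership in the security group used by the assignment rule, and the server certificate/key pair uploaded to XIQ. The following PowerShell script, added here as an illustration and not code from the original post or from Extreme Networks, runs those pre-flight checks from the domain-joined Windows machine. The group name, AP FQDNs and file paths are assumed placeholders; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post or from Extreme Networks): pre-flight checks
# for certificate-based 802.1X against an AP acting as RADIUS server.
# ASSUMED placeholders below: adjust group name, AP FQDNs and file paths before running.

$GroupName  = 'Wifi-Machines'                                     # assumed AD security group
$ApFqdns    = @('ap410-1.corp.example', 'ap410-2.corp.example')   # assumed RADIUS AP FQDNs
$ServerCert = 'C:\certs\radius-server.pem'                        # assumed server certificate file
$ServerKey  = 'C:\certs\radius-server-key.pem'                    # assumed server key file

$OidClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$OidEku        = '2.5.29.37'           # extendedKeyUsage
$OidSan        = '2.5.29.17'           # subjectAltName

function Get-SanName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidSan }
    if (-not $ext) { return @() }
    # Multi-line Format() yields one entry per line, e.g. "DNS Name=host.corp.example"
    ($ext.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

function Test-Eku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
    if (-not $ext) { return $false }
    [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

function Write-Check([bool]$Ok, [string]$Text) {
    $mark = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $mark, $Text)
}

# --- 1. Supplicant: machine certificate in LocalMachine\My ---
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-Eku $_ $OidClientAuth) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

Write-Check ($null -ne $machineCert) "Machine certificate with private key and Client Authentication EKU present"
if ($machineCert) {
    Write-Check ((Get-SanName $machineCert) -contains $fqdn) "SAN carries the computer FQDN ($fqdn)"
    Write-Check ($machineCert.Verify()) "Machine certificate chains to a trusted root on this computer"
    # A CNG (KSP) key is returned as RSACng, a legacy CSP key as RSACryptoServiceProvider
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($machineCert)
    Write-Host ("       Private key provider type: {0}" -f $key.GetType().Name)
}

# --- 2. AD: is this computer in the group the user-profile assignment rule checks? ---
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty SamAccountName
Write-Check ($members -contains "$env:COMPUTERNAME$") "$env:COMPUTERNAME is a (possibly nested) member of $GroupName"

# --- 3. RADIUS server certificate and key files before uploading them to XIQ ---
$srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCert
$san = Get-SanName $srv
$cn  = $srv.GetNameInfo('SimpleName', $false)
foreach ($ap in $ApFqdns) {
    Write-Check (($san -contains $ap) -or ($cn -eq $ap)) "Server certificate names $ap (SAN or CN)"
}
Write-Check (Test-Eku $srv $OidServerAuth) "Server certificate has Server Authentication EKU (Windows supplicants require it)"
Write-Check ($srv.Verify()) "Server certificate chains to the CA installed on this computer"
# An encrypted PEM key carries 'ENCRYPTED' in its header; XIQ 'Key File Password' was left empty
Write-Check (-not (Select-String -Path $ServerKey -Pattern 'ENCRYPTED' -Quiet)) "Server key file is unencrypted (consistent with an empty Key File Password)"
```

Run it in an elevated PowerShell on the supplicant, since LocalMachine\My and the machine's private key are only readable as administrator or SYSTEM. Every FAIL line points at one of the conditions the post relies on; a chain failure on the server certificate in particular means the same two-tier CA chain that was uploaded to XIQ is not trusted by the supplicant. The one check the script does not cover is whether the PEM key actually belongs to the PEM certificate: on a machine with OpenSSL, `openssl x509 -in radius-server.pem -noout -pubkey` and `openssl pkey -in radius-server-key.pem -pubout` must print the identical public key block.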

3 REPLIES

cdeibert
New Contributor

Hi James, thanks for your answer, but I might have to disagree; (at least for me) it reads rather as an enumeration of possibilities: "Extreme Networks devices can serve as RADIUS authentication servers and (they can also) respond to 802.1X requests from other Extreme Networks devices acting as RADIUS authenticators. The Extreme Networks RADIUS server can (also) store user accounts locally or check user login credentials against user accounts stored externally on the following user database servers: Active Directory, or LDAP."

Even if "users" need to be natural users (with a login name/password combination; to me this looks rather optional), why should certificate authentication not work: "Networks devices can serve as RADIUS authentication servers".

Can someone shed more light on this? Thanks.

James_A
Valued Contributor

PEAP-TLS is not a common setup; can you just use EAP-TLS instead? But reading the docs, I think (it's not clear, but implied) the AP's built-in RADIUS server is only for username/password authentication anyway, not certificate authentication.

https://documentation.extremenetworks.com/XIQ/user_guide/GUID-E460DAAF-159E-47C6-9BD3-E105AAA17FB5.s...

Actually, I tried EAP-TLS; it did not work either. But even if PEAP-TLS might be a bit more exotic, in MS-based environments it should work just fine; besides, I can select it in XIQ, and IMHO there IS a lot to choose from when it comes to certificate-based authentication in the AP's built-in RADIUS server.
