Is it possible to allow only devices with certificates to authenticate on 802.1x?

gshipp
New Contributor

We have a corporate SSID configured with 802.1x and most of our company assets have a certificate that allows them to connect. But anyone with AD credentials can connect using their username/password on devices without a cert installed. We want to require a certificate on the device in order for it to be able to connect to the corporate SSID. We’ve had issues with users connecting personal devices using their username/password and we want to prevent this.

1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II

Hi,
I can’t recall if built-in XIQ RADIUS can work with EAP-TLS but you can always force XIQ APs to forward auth requests to your NAC/RADIUS server (like NPS or EAC or any other) and over there you’ll have to allow only EAP-TLS and not PEAP if you don’t want to permit user credentials to be allowed.
Hope that helps,

Tomasz

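As an added illustration of what "allow only EAP-TLS and not PEAP" means on the RADIUS side (example code, not from this thread or any vendor product): a simulated EAP method negotiation in which the server's policy decides which methods are ever offered, so a supplicant that has no certificate and Naks back asking for PEAP gets an EAP-Failure. Packet framing follows RFC 3748; the policy sets, the supplicant behaviour and the identity string are assumptions.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4      # RFC 3748 codes
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_PEAP = 1, 3, 13, 25           # EAP method types
TLS_START = b"\x20"   # EAP-TLS flags byte with the S (start) bit set

def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_unpack(pkt):
    """Parse an EAP packet into (code, ident, type, type_data); type is None for Success/Failure."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def server_next(allowed, response):
    """Policy step of the RADIUS server: answer the supplicant's EAP-Response.
    Only methods in `allowed` are ever offered; a Nak asking for anything else ends in Failure."""
    code, ident, eap_type, data = eap_unpack(response)
    if code != EAP_RESPONSE:
        return eap_pack(EAP_FAILURE, ident)
    if eap_type == TYPE_IDENTITY:                      # identity seen: offer the preferred allowed method
        return eap_pack(EAP_REQUEST, ident + 1, min(allowed), TLS_START)
    if eap_type == TYPE_NAK:                           # supplicant cannot do what was offered
        wanted = set(data) & allowed                   # Nak data lists the methods it would accept
        if wanted:
            return eap_pack(EAP_REQUEST, ident + 1, min(wanted), TLS_START)
        return eap_pack(EAP_FAILURE, ident)            # e.g. no certificate, asked for PEAP: rejected
    if eap_type in allowed:
        return eap_pack(EAP_REQUEST, ident + 1, eap_type)  # method accepted; handshake continues
    return eap_pack(EAP_FAILURE, ident)

def negotiate(allowed, supplicant_methods):
    """Run Identity -> method selection for one supplicant; 'continue' means the
    handshake proceeds with an allowed method, 'reject' means EAP-Failure."""
    resp = eap_pack(EAP_RESPONSE, 1, TYPE_IDENTITY, b"user@corp.example")   # constructed identity
    _, ident, offered, _ = eap_unpack(server_next(allowed, resp))
    if offered in supplicant_methods:
        resp = eap_pack(EAP_RESPONSE, ident, offered, b"\x00")   # accept the offered method
    else:
        resp = eap_pack(EAP_RESPONSE, ident, TYPE_NAK, bytes(sorted(supplicant_methods)))
    code, _, _, _ = eap_unpack(server_next(allowed, resp))
    return "reject" if code == EAP_FAILURE else "continue"
```

With `allowed = {TYPE_TLS}` a certificate-less device that can only do PEAP is rejected at method selection, before any password is ever checked; with `{TYPE_TLS, TYPE_PEAP}` (the weak policy the question describes) the same device is let through to a password exchange.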

3 REPLIES

Tomasz
Valued Contributor II

Hi Prashath,
Well, host-based auth with certificates (EAP-TLS) seems to be an option here.

Otherwise, in case of user-based auth you will have to have some other way to verify if the device is corporate or not.

If we used Extreme Access Control, there should be an option to import a list of MAC addresses. I didn’t try to create End-system group that big though (but worth trying if host-based auth is not possible).
Hope that helps,

Tomasz

Prashath
New Contributor

Hi @Tomasz

I’ve the same issue. Anyone with their AD credentials can log in on a personal device as well. How do we prevent this personal-device login with AD credentials? They only want to allow corporate devices.

We can control it via a MAC-based filter, but there are more than 3500 devices.
