Radius authentication based on device certificates possible?

tobias_protz
New Contributor III

I found a few topics from the earlier HiveManager (pre-NG even) days that explained how to use RADIUS authentication to allow devices with a domain certificate to join a domain.

However, the way it was described, it sounded as if, as long as the devices all had the same issued certificate and were part of a certain OU in the AD domain, they would be able to join.

What we need though is the same authentication from the wireless side that we are currently running on our switches on the wired side of things.

This means that when a client computer connects to the network, its individual device certificate is probed. These individual, AD-issued certificates are checked by the Windows RADIUS server that is part of the domain, and then, if they exist and are valid, the machine may enter the correct VLAN and get an IP from there. Otherwise, it will be put into the public LAN with device isolation and bare minimum internet access.

Until now, we only had a user-based authentication working in tandem with the HiveManager NG / Extreme Cloud IQ. All attempts to use our RADIUS server rules that work for LAN-based ports on the wireless side of things have not been met with any success.
Is there a guide for Aerohive/Extreme Networks devices on how to set this up on an on-premises installation of the Extreme Cloud IQVA?

1 ACCEPTED SOLUTION

tobias_protz
New Contributor III

Just a quick follow-up: We have been contacted by our installation partner, and they were very helpful. We hope that we have identified the problem; it was a little hiccup, easy to miss when switching from (working) client-based auth to device-based:
We had all the users in an access control list on the AD, but when we switched to client-based auth via certificate, we did not put the clients in another ACL to auth against this; instead the old user ACL was left in place. We tried directly using the OU as a reference in which the client machines reside, but this didn't work.
I hope that fixing this will fix the problem, and basically enable us to run the same settings for access via cable and wireless networks for all machines.

Thanks a lot!


5 REPLIES

StephanH
Valued Contributor III

Hello Tobias,

An AP only works as an authenticator, so it has little influence on the authentication between a WLAN client and the RADIUS server. Therefore, the question is whether the authentication requests arrive at your RADIUS server at all and where it goes wrong according to the logs.

Here is a little guide:

https://extremeportal.force.com/ExtrArticleDetail?an=000080402&q=xiq%20radius%20nps

Regards Stephan
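Following Stephan's point that the first thing to check is whether the requests reach NPS and where they fail, here is an added PowerShell example (not from this thread or from Extreme's article) that summarises the NPS audit events 6272 (access granted) and 6273 (access denied) on the Windows RADIUS server by reason code, EAP type and network policy, so a wrong policy condition like the user ACL described in the accepted solution shows up as the same rejection reason on every device. It assumes it is run on the NPS server with read access to the Security log and that NPS auditing is enabled; the event data field names are those Windows NPS writes into these events.

```powershell
# Added example: summarise NPS (Windows RADIUS) audit events for 802.1X troubleshooting.
# Event 6272 = access granted, 6273 = access denied. Needs Security-log read rights on the
# NPS server and "Audit Network Policy Server" auditing enabled (on by default on NPS).
param(
    [int]$Hours = 24,
    [string]$ClientMac = ''   # optional filter: supplicant MAC as NPS logs it, e.g. 00-11-22-33-44-55
)

function Get-NpsAuthEvents {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn the event's EventData into a name -> value map
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Result     = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
                Account    = $data['FullyQualifiedSubjectUserName']  # host/... for machine auth
                ClientMac  = $data['CallingStationID']               # supplicant MAC
                AP         = $data['CalledStationID']                # AP MAC:SSID on wireless
                NAS        = $data['ClientName']                     # RADIUS client entry that sent it
                AuthType   = $data['AuthenticationType']
                EapType    = $data['EAPType']
                Policy     = $data['NetworkPolicyName']
                ReasonCode = $data['ReasonCode']
                Reason     = $data['Reason']
            }
        }
}

$events = Get-NpsAuthEvents -Since (Get-Date).AddHours(-$Hours)
if ($ClientMac) { $events = $events | Where-Object ClientMac -eq $ClientMac }

if (-not $events) {
    # Nothing logged at all: the AP's requests are not reaching NPS (RADIUS client entry,
    # shared secret, firewall on UDP 1812) or auditing is off. Look at the AP side first.
    Write-Warning "No NPS authentication events in the last $Hours h."
    return
}

# 1) Denials grouped by reason/policy/EAP type: a policy condition that names a user group
#    instead of the computer group gives the same reason code for every device.
$events | Where-Object Result -eq 'DENIED' |
    Group-Object ReasonCode, Policy, EapType | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n = 'Reason'; e = { $_.Group[0].Reason }} | Format-Table -AutoSize

# 2) Recent attempts: machine-certificate auth shows EAP type "Microsoft: Smart Card or other
#    certificate" and a host/... account; a plain user name means the client still does user auth.
$events | Sort-Object Time -Descending |
    Select-Object -First 20 Time, Result, Account, ClientMac, EapType, Policy, Reason | Format-Table -AutoSize
```

Run it as `.\Get-NpsAuthSummary.ps1 -Hours 2 -ClientMac 00-11-22-33-44-55` (script name assumed) right after a test client tries to connect; an empty result points at the AP/RADIUS client side, a consistent reason code points at the NPS policy.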