This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (General)
- Guidance in securing IP Phones and cameras with Ex...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Guidance in securing IP Phones and cameras with Extreme Control EAP-TLS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-06-2019 04:30 PM
I am deploying Extreme Control and have the user authenticating fine. I am looking to secure other devices such as phones and cameras. From what I have seen, an Active Directory object is created for each of these devices in order for authentication to be successful. Is this the case? Is there a better way to do it that does not involve me adding 1000s of AD user objects? These devices already have certs issued to them.
Any guidance is appreciated.
Thanks.
Any guidance is appreciated.
Thanks.
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-06-2019 05:25 PM
Hello,
An active directory object is not required for successful authentication when using EAP-TLS authentication.
When using EAP-TLS you set NAC to "Local Authentication" and install necessary RADIUS certificates and Trusted Authority certificates on the NAC itself.
NAC will provide it's RADIUS certificate to the client for validation, then the client will send it's certificate to the NAC for validation. As long as the AAA trusted authority certificate installed is the same certificate that signed the client certificate authentication will be successful.
There is no computer or user account necessary as EAP-TLS is not password based authentication.
The problem that you will run into is that without any AD objects it may become difficult to put these into authorization roles as since there are no AD objects we cannot utilize and AD technologies like security containters. LDAP lookups will not work if there are no objects in AD.
We can still use the CN of the certificate to provide an authorization though.
Thanks
-Ryan
An active directory object is not required for successful authentication when using EAP-TLS authentication.
When using EAP-TLS you set NAC to "Local Authentication" and install necessary RADIUS certificates and Trusted Authority certificates on the NAC itself.
NAC will provide it's RADIUS certificate to the client for validation, then the client will send it's certificate to the NAC for validation. As long as the AAA trusted authority certificate installed is the same certificate that signed the client certificate authentication will be successful.
There is no computer or user account necessary as EAP-TLS is not password based authentication.
The problem that you will run into is that without any AD objects it may become difficult to put these into authorization roles as since there are no AD objects we cannot utilize and AD technologies like security containters. LDAP lookups will not work if there are no objects in AD.
We can still use the CN of the certificate to provide an authorization though.
Thanks
-Ryan
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-09-2019 04:15 PM
Seems like Avaya phones want to use the MAC for username / password to authenticate the phone. I was not able to go based on the CN alone. Could be a limitation of the Avaya 9600s phones. Has anyone experienced this before?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-08-2019 01:07 PM
Thanks for the quick reply Ryan. This is what I am looking for and will start testing soon.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-06-2019 05:25 PM
Hello,
An active directory object is not required for successful authentication when using EAP-TLS authentication.
When using EAP-TLS you set NAC to "Local Authentication" and install necessary RADIUS certificates and Trusted Authority certificates on the NAC itself.
NAC will provide it's RADIUS certificate to the client for validation, then the client will send it's certificate to the NAC for validation. As long as the AAA trusted authority certificate installed is the same certificate that signed the client certificate authentication will be successful.
There is no computer or user account necessary as EAP-TLS is not password based authentication.
The problem that you will run into is that without any AD objects it may become difficult to put these into authorization roles as since there are no AD objects we cannot utilize and AD technologies like security containters. LDAP lookups will not work if there are no objects in AD.
We can still use the CN of the certificate to provide an authorization though.
Thanks
-Ryan
An active directory object is not required for successful authentication when using EAP-TLS authentication.
When using EAP-TLS you set NAC to "Local Authentication" and install necessary RADIUS certificates and Trusted Authority certificates on the NAC itself.
NAC will provide it's RADIUS certificate to the client for validation, then the client will send it's certificate to the NAC for validation. As long as the AAA trusted authority certificate installed is the same certificate that signed the client certificate authentication will be successful.
There is no computer or user account necessary as EAP-TLS is not password based authentication.
The problem that you will run into is that without any AD objects it may become difficult to put these into authorization roles as since there are no AD objects we cannot utilize and AD technologies like security containters. LDAP lookups will not work if there are no objects in AD.
We can still use the CN of the certificate to provide an authorization though.
Thanks
-Ryan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-22-2024 10:06 AM
How did you configure this?
"When using EAP-TLS you set NAC to "Local Authentication" and install necessary RADIUS certificates and Trusted Authority certificates on the NAC itself."
I've been looking into but can't seem to figure this out. Any help is appreciated.
