This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to configure XCA or XCC to authenticate domain computers using certificates EAP-TLS

How to configure XCA or XCC to authenticate domain computers using certificates EAP-TLS

Go to solution
Christian_K_
New Contributor II

‎10-23-2020 09:56 PM

Hello community,

has anybody found a way to use a modern wireless controller like XCA or XCC with a client auth based on certifcates without using an NPS (we have dozens of ipad´s)

I want to find a way where i can create a machine certificate on a system and then join an SSID without username and passwort but only check this certifcate.
 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Ovais_Qayyum
Extreme Employee

‎11-02-2020 08:39 PM

Hi Christian, 

You can setup computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-windows devices, that can’t be done with EAC.

1- Point your XCC to the EAC as radius server using the AAA configuration the XCC. Make sure NOT to use local onboarding option in WLAN settings. 

2- On the EAC, you need two types of certificates i.e.

  1. Root CA of the domain that is issuing/signing the certs for your client devices.
  2. Radius cert issued by the same domain. 

3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

ff84c0e9b1314bd489d4c90e88690563_acca2528-15ee-4267-b517-ff55611e673e.png

4- Update the Radius cert on the EAC as follows:

ff84c0e9b1314bd489d4c90e88690563_60985aa1-dd79-4a83-9d79-4551e4d9f2f7.png

 

5- Setup LDAP on EAC to authenticate your machines/computers, make sure you set it up with AD machine default values as per following:

ff84c0e9b1314bd489d4c90e88690563_746792af-56e0-47ba-968e-61f88021c60c.png

6- Configure AAA rule as per below and make sure you have correct match pattern for host and LDAP settings selected, usually it is host/* or *@* depending on how your directory service is setup. 

ff84c0e9b1314bd489d4c90e88690563_b9e5dc5c-24b3-4302-b8c2-0629560082e0.png

7- Finally, create an appropriate rule to address the cert based authentication, you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

ff84c0e9b1314bd489d4c90e88690563_f3f1b8a1-d87b-4ab1-95af-dbdc987bd724.png

 

8- And most importantly, don’t  forget to press the magic “Enforce” button ff84c0e9b1314bd489d4c90e88690563_1f600.png to ensure settings are pushed to EAC.

 

Let us know how it goes.

 

Regards,

Ovais

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
Ovais_Qayyum
Extreme Employee

‎11-02-2020 08:39 PM

Hi Christian, 

You can setup computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-windows devices, that can’t be done with EAC.

1- Point your XCC to the EAC as radius server using the AAA configuration the XCC. Make sure NOT to use local onboarding option in WLAN settings. 

2- On the EAC, you need two types of certificates i.e.

  1. Root CA of the domain that is issuing/signing the certs for your client devices.
  2. Radius cert issued by the same domain. 

3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

ff84c0e9b1314bd489d4c90e88690563_acca2528-15ee-4267-b517-ff55611e673e.png

4- Update the Radius cert on the EAC as follows:

ff84c0e9b1314bd489d4c90e88690563_60985aa1-dd79-4a83-9d79-4551e4d9f2f7.png

 

5- Setup LDAP on EAC to authenticate your machines/computers, make sure you set it up with AD machine default values as per following:

ff84c0e9b1314bd489d4c90e88690563_746792af-56e0-47ba-968e-61f88021c60c.png

6- Configure AAA rule as per below and make sure you have correct match pattern for host and LDAP settings selected, usually it is host/* or *@* depending on how your directory service is setup. 

ff84c0e9b1314bd489d4c90e88690563_b9e5dc5c-24b3-4302-b8c2-0629560082e0.png

7- Finally, create an appropriate rule to address the cert based authentication, you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

ff84c0e9b1314bd489d4c90e88690563_f3f1b8a1-d87b-4ab1-95af-dbdc987bd724.png

 

8- And most importantly, don’t  forget to press the magic “Enforce” button ff84c0e9b1314bd489d4c90e88690563_1f600.png to ensure settings are pushed to EAC.

 

Let us know how it goes.

 

Regards,

Ovais

0 Kudos

Go to solution
Bill_Handler
Contributor II

‎10-26-2020 01:34 PM

Christian,

Much of the config will need to be on the NAC/Extreme Control side of things.  On the XCA/XCC side, you should only need to point to NAC/EC as the RADIUS Server to authenticate against.  There may be more information regarding certificates and NAC in the knowledgebase. 

There is no step-by-step guide that I know of for this.

I do believe that it is shown in the Extreme Control class - or you can connect with a Partner that has experience with NAC/EC

 

Let me know if we can help.

 

Thanks,

Bill

0 Kudos

Go to solution
Miguel-Angel_RO
Valued Contributor II

‎10-24-2020 09:27 AM

Christian,

What you request is quite broad and need some professional services to analyse your specific use cases and implementation.

You could have to go in so many menus and options on NAC that it will not possible to share this on this forum.

You’ll also have to manage the certificate deployment on iOS devices for 802.1X authentication. It is quite tricky to do.

 

Here some step-by-step guides found on the Internet to give you some indications on the configuration steps for NAC:

Regards

Mig

 

0 Kudos

Go to solution
Christian_K_
New Contributor II

‎10-24-2020 09:06 AM

Hello Mig,

 

thx for the awnser, i don´t want to use NPS because the customer has a lot of IPAD´s and NPS is very focused on windows machines.

I have EAC on the customer site and do LDAP Auth with this.

Do you know a “how to”  or “Step by Step” , to configure XCC and EAC using Certificates with EAP Auth ? 

I can only find old “How To´s” with NPS and  V2110 Controller but nothing with modern controllers like XCA or XCC.

Regards 
Christian 
 

0 Kudos
GTM-P2G8KFN