
How to configure XCA or XCC to authenticate domain computers using certificates EAP-TLS

Christian_K_
New Contributor II

Hello community,

Has anybody found a way to use a modern wireless controller like XCA or XCC with client auth based on certificates without using an NPS (we have dozens of iPads)?

I want to find a way where I can create a machine certificate on a system and then join an SSID without username and password, but only check this certificate.
 

1 ACCEPTED SOLUTION

Ovais_Qayyum
Extreme Employee

Hi Christian, 

You can set up computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-Windows devices; that can’t be done with EAC.

1- Point your XCC to the EAC as RADIUS server using the AAA configuration on the XCC. Make sure NOT to use the local onboarding option in WLAN settings.

2- On the EAC, you need two types of certificates i.e.

  1. Root CA of the domain that is issuing/signing the certs for your client devices.
  2. Radius cert issued by the same domain. 

3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

4- Update the Radius cert on the EAC as follows:

5- Set up LDAP on EAC to authenticate your machines/computers; make sure you set it up with AD machine default values as per the following:

6- Configure the AAA rule as per below and make sure you have the correct match pattern for host and LDAP settings selected; usually it is host/* or *@* depending on how your directory service is set up.

7- Finally, create an appropriate rule to address the cert based authentication; you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

8- And most importantly, don’t forget to press the magic “Enforce” button 😀 to ensure settings are pushed to EAC.

 

Let us know how it goes.

 

Regards,

Ovais
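
An added example, not part of the original post or of Extreme's documentation: a pre-flight check with the `openssl` CLI, run before loading the certificates in steps 3 and 4, that the RADIUS certificate and a machine certificate both chain to the same root CA. The purpose check (server/client authentication) is an addition beyond what the post states, and all file names, subject names and the demo PKI are constructed.

```shell
#!/bin/sh
# Added example. All names, paths and certificates are constructed for the demo.

# check_chain CA_FILE CERT_FILE PURPOSE   (PURPOSE: sslserver or sslclient)
# Succeeds only if CERT_FILE chains to CA_FILE and is usable for PURPOSE.
check_chain() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# new_root DIR NAME CN: create a self-signed demo root CA
new_root() {
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR NAME CN EXT_SECTION: sign a leaf certificate with DIR/ca.pem
issue() {
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/pki.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: domain root, RADIUS cert, machine cert, unrelated root
make_demo_pki() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'commonName=Common Name' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' \
        '[srv]' 'extendedKeyUsage=serverAuth' \
        '[cli]' 'extendedKeyUsage=clientAuth' > "$1/pki.cnf"
    new_root "$1" ca "Demo Domain Root CA" &&
    new_root "$1" other-ca "Unrelated Root CA" &&
    issue "$1" radius "radius.corp.example" srv &&
    issue "$1" machine "pc01.corp.example" cli
}

# report LABEL CA CERT PURPOSE: print the verdict for one check
report() {
    if check_chain "$2" "$3" "$4"; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
report "RADIUS cert chains to domain root (server auth)" "$demo/ca.pem" "$demo/radius.pem" sslserver
report "machine cert chains to domain root (client auth)" "$demo/ca.pem" "$demo/machine.pem" sslclient
report "machine cert against an unrelated root" "$demo/other-ca.pem" "$demo/machine.pem" sslclient
rm -rf "$demo"
```

Against real files, only `check_chain` is needed: pass the exported root CA, the certificate to test, and `sslserver` or `sslclient`.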

5 REPLIES 5

Bill_Handler
Contributor II

Christian,

Much of the config will need to be on the NAC/Extreme Control side of things.  On the XCA/XCC side, you should only need to point to NAC/EC as the RADIUS Server to authenticate against.  There may be more information regarding certificates and NAC in the knowledgebase. 

There is no step-by-step guide that I know of for this.

I do believe that it is shown in the Extreme Control class, or you can connect with a Partner that has experience with NAC/EC.

 

Let me know if we can help.

 

Thanks,

Bill

Miguel-Angel_RO
Valued Contributor II

Christian,

What you request is quite broad and needs some professional services to analyse your specific use cases and implementation.

You could have to go into so many menus and options on NAC that it will not be possible to share this on this forum.

You’ll also have to manage the certificate deployment on iOS devices for 802.1X authentication. It is quite tricky to do.

 

Here are some step-by-step guides found on the Internet to give you some indications on the configuration steps for NAC:

Regards

Mig

 

Christian_K_
New Contributor II

Hello Mig,

 

Thanks for the answer. I don't want to use NPS because the customer has a lot of iPads and NPS is very focused on Windows machines.

I have EAC on the customer site and do LDAP auth with this.

Do you know a “how to” or “step by step” to configure XCC and EAC using certificates with EAP auth?

I can only find old “how-tos” with NPS and the V2110 controller, but nothing with modern controllers like XCA or XCC.

Regards 
Christian 
 
