cancel
Showing results for 
Search instead for 
Did you mean: 

How to configure XCA or XCC to authenticate domain computers using certificates EAP-TLS

How to configure XCA or XCC to authenticate domain computers using certificates EAP-TLS

Christian_K_
New Contributor II

Hello community,

has anybody found a way to use a modern wireless controller like XCA or XCC with a client auth based on certifcates without using an NPS (we have dozens of ipad´s)

I want to find a way where i can create a machine certificate on a system and then join an SSID without username and passwort but only check this certifcate.
 

1 ACCEPTED SOLUTION

Ovais_Qayyum
Extreme Employee

Hi Christian, 

You can setup computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-windows devices, that can’t be done with EAC.

1- Point your XCC to the EAC as radius server using the AAA configuration the XCC. Make sure NOT to use local onboarding option in WLAN settings. 

2- On the EAC, you need two types of certificates i.e.

  1. Root CA of the domain that is issuing/signing the certs for your client devices.
  2. Radius cert issued by the same domain. 

3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

ff84c0e9b1314bd489d4c90e88690563_acca2528-15ee-4267-b517-ff55611e673e.png

4- Update the Radius cert on the EAC as follows:

ff84c0e9b1314bd489d4c90e88690563_60985aa1-dd79-4a83-9d79-4551e4d9f2f7.png

 

5- Setup LDAP on EAC to authenticate your machines/computers, make sure you set it up with AD machine default values as per following:

ff84c0e9b1314bd489d4c90e88690563_746792af-56e0-47ba-968e-61f88021c60c.png

6- Configure AAA rule as per below and make sure you have correct match pattern for host and LDAP settings selected, usually it is host/* or *@* depending on how your directory service is setup. 

ff84c0e9b1314bd489d4c90e88690563_b9e5dc5c-24b3-4302-b8c2-0629560082e0.png

7- Finally, create an appropriate rule to address the cert based authentication, you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

ff84c0e9b1314bd489d4c90e88690563_f3f1b8a1-d87b-4ab1-95af-dbdc987bd724.png

 

8- And most importantly, don’t  forget to press the magic “Enforce” button ff84c0e9b1314bd489d4c90e88690563_1f600.png to ensure settings are pushed to EAC.

 

Let us know how it goes.

 

Regards,

Ovais

View solution in original post

5 REPLIES 5

Miguel-Angel_RO
Valued Contributor II

Christian,

There are 3 authentication mechanisms in XCC:

  • Local (username/password)
  • Radius (all the radius supported auth types)
  • LDAP (mainly used to validate user or computers on MSAD. with username/password)

If you don’t use local (usrername/password) authentication, you need an external Radius server to perform the authentication.

You can use NPS or another.

The advantage of the Extreme Access Control is the integration with the XCC.

 

To perform TLS Auth the Radius has to have the Root certificate of the CA used to generate the Client certificate.

With this Root certificate he can validate the Client certificate and give a positive answer to the XCC.

Regards

Mig

 

 

GTM-P2G8KFN