10-23-2020 09:56 PM
Hello community,
Has anybody found a way to use a modern wireless controller like XCA or XCC with client auth based on certificates without using an NPS (we have dozens of iPads)?
I want to find a way where I can create a machine certificate on a system and then join an SSID without username and password, but only check this certificate.
11-02-2020 08:39 PM
Hi Christian,
You can set up computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-Windows devices; that can't be done with EAC.
1- Point your XCC to the EAC as radius server using the AAA configuration the XCC. Make sure NOT to use local onboarding option in WLAN settings.
2- On the EAC, you need two types of certificates i.e.
- Root CA of the domain that is issuing/signing the certs for your client devices.
- Radius cert issued by the same domain.
3- Load the CA cert on the "Update Trusted Authorities" under AAA settings in EAC.
4- Update the Radius cert on the EAC as follows:
5- Set up LDAP on EAC to authenticate your machines/computers; make sure you set it up with AD machine default values as per the following:
6- Configure AAA rule as per below and make sure you have correct match pattern for host and LDAP settings selected, usually it is host/* or *@* depending on how your directory service is setup.
7- Finally, create an appropriate rule to address the cert based authentication, you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.
8- And most importantly, don't forget to press the magic "Enforce" button to ensure settings are pushed to EAC.
Let us know how it goes.
Regards,
Ovais
10-24-2020 08:59 AM
Christian,
There are 3 authentication mechanisms in XCC:
- Local (username/password)
- Radius (all the radius supported auth types)
- LDAP (mainly used to validate user or computers on MSAD. with username/password)
If you don't use local (username/password) authentication, you need an external Radius server to perform the authentication.
You can use NPS or another.
The advantage of the Extreme Access Control is the integration with the XCC.
To perform TLS Auth the Radius has to have the Root certificate of the CA used to generate the Client certificate.
With this Root certificate it can validate the Client certificate and give a positive answer to the XCC.
Regards
Mig
