XIQ: using 802.1X-TLS in a enterprise SSID with a certificate stored in cloud (XIQ)

Volker_Kull
Contributor

In XIQ we have the possibility to use the cloud authentication service, where accounts are stored in a DB in XIQ. Why not use a central cloud-stored certificate from a private or public PKI to authenticate users/devices with enterprise SSIDs?

Currently you will need an external RADIUS server only for checking the certificates.

br

Volker

AlexN
Extreme Employee

That one is really good, I'm only thinking where to stick it in - XIQ or Extreme Guest Essentials? But that's a rhetorical question, let me figure it out inside.

BTW RaaS based on RadSec isn’t really insecure, as TLS authentication there is mutual.

Best regards/Un saludo
Alex

Volker_Kull
Contributor

Hi Alex,

With XIQ we can use several internal (cloud-based) authentication sources (guest users, PPSK accounts and users in an XIQ cloud DB which we can match to an 802.1X-PEAP profile). To make life easier and more secure for the customers, we want to use this existing internal 802.1X authentication feature and expand it to 802.1X-TLS authentication, using a certificate stored in XIQ for authenticating devices. The goal is to limit the external interfaces like RADIUS for a simple TLS authentication.

With a cloud-only strategy, the customer needs to use a cloud-based RaaS, but with the insecure RADIUS protocol. This is not secure and difficult to manage: which AP/switch will communicate with RaaS, redundancy, content of response,…

With that this will be a unique selling point.

br Volker

AlexN
Extreme Employee

Hi Volker,

But what prevents you from using a cloud-based RADIUS server? Azure, for instance, provides such an option via Azure AD directory services and/or an NPS VM in their cloud.

XIQ is not an Identity Provider/catalog itself. Yes, it provides some identity storage capabilities for simple cases, but there is no intention to turn it into full-fledged cloud IdP.

So I would suggest using integration capabilities of our Cloud solutions to “marry” them with external IdPs, which can be either on-prem or cloud-based. 

Best regards/Un saludo
Alex