Hello community,
Has anybody found a way to use a modern wireless controller like XCA or XCC with client auth based on certificates without using an NPS (we have dozens of iPads)?
I want to find a way where I can create a machine certificate on a system and then join an SSID without username and password, but only check this certificate.
Best answer by Ovais Qayyum
Hi Christian,
You can set up computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-Windows devices; that can’t be done with EAC.
1- Point your XCC to the EAC as RADIUS server using the AAA configuration on the XCC. Make sure NOT to use the local onboarding option in WLAN settings.
2- On the EAC, you need two types of certificates, i.e.:
- Root CA of the domain that is issuing/signing the certs for your client devices.
- RADIUS cert issued by the same domain.
3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

4- Update the RADIUS cert on the EAC as follows:

5- Set up LDAP on EAC to authenticate your machines/computers; make sure you set it up with AD machine default values as per the following:

6- Configure the AAA rule as per below and make sure you have the correct match pattern for host and LDAP settings selected; usually it is host/* or *@*, depending on how your directory service is set up.

7- Finally, create an appropriate rule to address the cert based authentication; you can either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

8- And most importantly, don’t forget to press the magic “Enforce” button to ensure settings are pushed to EAC.
Let us know how it goes.
Regards,
Ovais
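As an added example (not part of the answer above and not EAC's own logic), the following Python sketch models the match patterns from step 6 and the generic versus specific auth type from step 7, so the identities your device certificates will present can be checked against the planned rules before rollout. The rule names, the LDAP label, the first-match-wins ordering, the "802.1x PEAP" label and all sample identities are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Hypothetical, simplified model of an ordered AAA rule list (first match wins).
# Rule names and the LDAP configuration label are made up for illustration.
RULES = [
    # (rule name, user-match pattern, auth type, LDAP configuration)
    ("machine-host", "host/*", "802.1x EAP-TLS", "AD-machines"),
    ("machine-upn", "*@*", "802.1x EAP-TLS", "AD-machines"),
]


def rule_accepts_auth(rule_auth, request_auth):
    """A generic '802.1x' rule accepts any 802.1X method; a specific one must match exactly."""
    return rule_auth == "802.1x" or rule_auth == request_auth


def first_matching_rule(identity, request_auth, rules=RULES):
    """Return the name of the first rule matching identity and auth type, else None."""
    ident = identity.strip().lower()  # compare case-insensitively
    for name, pattern, rule_auth, _ldap in rules:
        if rule_accepts_auth(rule_auth, request_auth) and fnmatchcase(ident, pattern.lower()):
            return name
    return None


def audit(requests, rules=RULES):
    """Group (identity, auth type) pairs by the rule they would hit; key None = no rule."""
    report = {}
    for identity, auth in requests:
        report.setdefault(first_matching_rule(identity, auth, rules), []).append(identity)
    return report


# Constructed sample identities, as a client might present them in the EAP identity.
SAMPLE = [
    ("host/LAPTOP-01.corp.example", "802.1x EAP-TLS"),  # AD-joined machine style
    ("ipad-017@corp.example", "802.1x EAP-TLS"),        # UPN-style identity
    ("IPAD-018", "802.1x EAP-TLS"),                     # bare name: matches neither pattern
    ("host/kiosk-3.corp.example", "802.1x PEAP"),       # right pattern, wrong auth type
]

if __name__ == "__main__":
    for rule, idents in audit(SAMPLE).items():
        print(rule or "NO RULE (falls through)", idents)
```

Identities that land under "NO RULE" are the ones to fix in the certificate profile (subject or SAN format) or to cover with an additional match pattern.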