Solved

How to configure XCA or XCC to authenticate domain computers using certificates EAP-TLS

  • 23 October 2020
  • 5 replies
  • 76 views

Hello community,

has anybody found a way to use a modern wireless controller like XCA or XCC with a client auth based on certifcates without using an NPS (we have dozens of ipad´s)

I want to find a way where i can create a machine certificate on a system and then join an SSID without username and passwort but only check this certifcate.
 

icon

Best answer by Ovais Qayyum 2 November 2020, 21:39

Hi Christian, 

You can setup computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-windows devices, that can’t be done with EAC.

1- Point your XCC to the EAC as radius server using the AAA configuration the XCC. Make sure NOT to use local onboarding option in WLAN settings. 

2- On the EAC, you need two types of certificates i.e.

  1. Root CA of the domain that is issuing/signing the certs for your client devices.
  2. Radius cert issued by the same domain. 

3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

4- Update the Radius cert on the EAC as follows:

 

5- Setup LDAP on EAC to authenticate your machines/computers, make sure you set it up with AD machine default values as per following:

6- Configure AAA rule as per below and make sure you have correct match pattern for host and LDAP settings selected, usually it is host/* or *@* depending on how your directory service is setup. 

7- Finally, create an appropriate rule to address the cert based authentication, you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

 

8- And most importantly, don’t  forget to press the magic “Enforce” button :grinning: to ensure settings are pushed to EAC.

 

Let us know how it goes.

 

Regards,

Ovais

View original

5 replies

Userlevel 6
Badge +1

Christian,

There are 3 authentication mechanisms in XCC:

  • Local (username/password)
  • Radius (all the radius supported auth types)
  • LDAP (mainly used to validate user or computers on MSAD. with username/password)

If you don’t use local (usrername/password) authentication, you need an external Radius server to perform the authentication.

You can use NPS or another.

The advantage of the Extreme Access Control is the integration with the XCC.

 

To perform TLS Auth the Radius has to have the Root certificate of the CA used to generate the Client certificate.

With this Root certificate he can validate the Client certificate and give a positive answer to the XCC.

Regards

Mig

 

 

Hello Mig,

 

thx for the awnser, i don´t want to use NPS because the customer has a lot of IPAD´s and NPS is very focused on windows machines.

I have EAC on the customer site and do LDAP Auth with this.

Do you know a “how to”  or “Step by Step” , to configure XCC and EAC using Certificates with EAP Auth ? 

I can only find old “How To´s” with NPS and  V2110 Controller but nothing with modern controllers like XCA or XCC.

Regards 
Christian 
 

Userlevel 6
Badge +1

Christian,

What you request is quite broad and need some professional services to analyse your specific use cases and implementation.

You could have to go in so many menus and options on NAC that it will not possible to share this on this forum.

You’ll also have to manage the certificate deployment on iOS devices for 802.1X authentication. It is quite tricky to do.

 

Here some step-by-step guides found on the Internet to give you some indications on the configuration steps for NAC:

Regards

Mig

 

Userlevel 3

Christian,

Much of the config will need to be on the NAC/Extreme Control side of things.  On the XCA/XCC side, you should only need to point to NAC/EC as the RADIUS Server to authenticate against.  There may be more information regarding certificates and NAC in the knowledgebase. 

There is no step-by-step guide that I know of for this.

I do believe that it is shown in the Extreme Control class - or you can connect with a Partner that has experience with NAC/EC

 

Let me know if we can help.

 

Thanks,

Bill

Userlevel 3

Hi Christian, 

You can setup computer/machine cert based authentication by following these steps. You would also need to take care of the certificate distribution to your iOS and non-windows devices, that can’t be done with EAC.

1- Point your XCC to the EAC as radius server using the AAA configuration the XCC. Make sure NOT to use local onboarding option in WLAN settings. 

2- On the EAC, you need two types of certificates i.e.

  1. Root CA of the domain that is issuing/signing the certs for your client devices.
  2. Radius cert issued by the same domain. 

3- Load the CA cert on the “Update Trusted Authorities” under AAA settings in EAC.

4- Update the Radius cert on the EAC as follows:

 

5- Setup LDAP on EAC to authenticate your machines/computers, make sure you set it up with AD machine default values as per following:

6- Configure AAA rule as per below and make sure you have correct match pattern for host and LDAP settings selected, usually it is host/* or *@* depending on how your directory service is setup. 

7- Finally, create an appropriate rule to address the cert based authentication, you either set it to a more generic auth type 802.1x or be more specific and set it to 802.1x EAP-TLS.

 

8- And most importantly, don’t  forget to press the magic “Enforce” button :grinning: to ensure settings are pushed to EAC.

 

Let us know how it goes.

 

Regards,

Ovais

Reply