Extreme Networks

I am working on getting our AP410C access points (managed with ExtremeCloud IQ) to authenticate to our switches via Radius (PEAP-MSCHAP/V2). Why? Well, I don't like the idea of APs being in publicly accessible areas where someone could just unplug the AP, plug their own device in and have unfettered access to the network. I have looked into trunking, but since I don't have any kind of trunk-encryption nor authentication available to me, it would effectively be a "security through obscurity" measure (if one knows trunking is being used on that port, they could - in theory - configure their device to use trunking as well bypassing such a "security" measure).

So, to prevent such unauthorized access, I figure using 802.1x would be ideal. Granted, since I need to disable client limits for 802.1x on the AP ports on our switches to prevent WiFi client MACs from getting blocked, this could probably be circumvented with an inline switch and a POE injector, so it is not a perfect security measure by any means. But, it would make the effort required to bypass it greater.

Now, to be sure, I have basic 802.1x "working" - I can get the AP to authenticate to our RADIUS servers when 802.1x is enabled on the ports the APs are connecting to. However, I did notice that the "XIQ 802.1x Supplicant Configuration for Wired Authentication" guide did not indicate anything about installing a certificate to validate the RADIUS server (which, with PEAP authentication, is pretty important since that validation step is what prevents the user credentials from being leaked to a fake/rogue RADIUS server on the network). Digging through the CLI Guide, it seemed like I was able to get my CA-Cert installed. However, since I could not find clear documentation dealing with this aspect of 802.1x, I opted to test the supplicant authentication of the RADIUS server by giving the AP a bogus CA-Cert (which I generated using OpenSSL). What I found was that the AP did not seem to care what cert I used - it happily authenticated regardless.

I tested the bogus cert on a Polycom Phone just to be certain that it wasn't an issue with how our RADIUS servers are configured, and I confirmed that with the bogus cert installed on the phone it would not authenticate, suggesting that the issue is with the AP and/or my configuration thereof.

Any suggestions as to what I might be doing wrong here? Or is this a bug with the OS on the AP (currently running 10.6.6.0)?

CLI Commands Used:
save supplicant cert-file https://SOMEINTERNALSERVER.LOCAL/cert/REAL-CERT.pem
supplicant PRSdot1x
supplicant PRSdot1x ca-cert REAL-CERT.pem
supplicant PRSdot1x eap-type peap
supplicant PRSdot1x username USER password PASS
interface eth0 supplicant PRSdot1x
interface eth1 supplicant PRSdot1x

CLI Commands Used for BOGUS Cert:
save supplicant cert-file https://SOMEINTERNALSERVER.LOCAL/cert/SNAKEOIL.pem
supplicant PRSdot1x
supplicant PRSdot1x ca-cert SNAKEOIL.pem
supplicant PRSdot1x eap-type peap
supplicant PRSdot1x username USER password PASS
interface eth0 supplicant PRSdot1x
interface eth1 supplicant PRSdot1x

Sources:
XIQ - How can I enable wired 802.1x port authentication:
https://community.extremenetworks.com/t5/extremecloud-iq/xiq-how-can-i-enable-wired-802-1x-port-auth...

Aerohive CLI Guide:
https://docs.aerohive.com/330000/docs/help/english/documentation/cli_guide_ap630_ap650_ap650x-10-0r5...

Supplemental CLI:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000056868&q=S-CLI

XIQ 802.1x Supplicant Configuration for Wired Authentication:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000098779