XMC EAC with 802.1X and Windows

Create a rule for machine login that checks the computer is a domain-joined machine. A Windows machine with nobody logged in authenticates with an identity of the form host/<hostname>, so in order to authorise the machine EAC needs to perform a user lookup in Active Directory on that identity.

This lookup uses the servicePrincipalName attribute: add an LDAP authentication rule that matches identities of the form host/* and searches AD with an LDAP Configuration whose search attribute is servicePrincipalName. An additional LDAP Configuration is therefore needed to look up machines and validate they are allowed on the network. It can use the same LDAP server as for user logins; only the search attributes differ.

This is covered by the following GTAC solution, which can be referenced and used for your own XMC EAC implementation. The key point is that the Username column of the End-Systems table shows different information when nobody is logged into the machine (host/<hostname>) and when somebody has logged in (the user account). This is why two LDAP Configurations are needed: one that covers machine logins (servicePrincipalName) and one that covers machine (cn) and user (sAMAccountName) logins.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices
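The split described above, as an added example that is not Extreme's code or the GTAC article's: given the identity shown in the End-Systems Username column, choose the LDAP Configuration and build the AD search filter, escaping filter metacharacters so a crafted identity cannot widen the search. The configuration names, the DOMAIN\user and user@realm handling and the sample identities are assumptions.

```shell
#!/bin/sh
# Added example: derive the AD lookup an EAC rule needs from the RADIUS
# User-Name (the value shown in the End-Systems Username column).
set -eu

# Escape LDAP filter metacharacters (RFC 4515) so an identity such as
# "host/x*)(cn=*" cannot turn the lookup into a wildcard search.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Machine logon: Windows sends "host/<hostname>" and the computer object
# carries a matching servicePrincipalName, so search on that attribute.
# User logon: strip DOMAIN\ or @realm decoration and search sAMAccountName.
nac_ldap_filter() {
  id="$1"
  case "$id" in
    host/*) printf '(servicePrincipalName=host/%s)' "$(ldap_escape "${id#host/}")" ;;
    *\\*)   printf '(sAMAccountName=%s)' "$(ldap_escape "${id##*\\}")" ;;
    *@*)    printf '(sAMAccountName=%s)' "$(ldap_escape "${id%%@*}")" ;;
    *)      printf '(sAMAccountName=%s)' "$(ldap_escape "$id")" ;;
  esac
}

# Which LDAP Configuration the rule should reference (names are assumptions).
nac_ldap_config() {
  case "$1" in
    host/*) printf 'AD-Machine-SPN' ;;
    *)      printf 'AD-User-sAMAccountName' ;;
  esac
}

# Constructed sample identities, as they would appear in the End-Systems table.
for id in 'host/pc1.corp.example.com' 'CORP\jdoe' 'jdoe@corp.example.com' 'host/x*)(cn=*'; do
  printf '%-28s -> %-24s %s\n' "$id" "$(nac_ldap_config "$id")" "$(nac_ldap_filter "$id")"
done
```

The last sample shows why the escaping matters: without it the machine rule would search for every object whose cn matches, not the one computer object the identity names.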


XMC Hints

XMC Installation

To rerun the post-install script:

cd /usr/postinstall

ls

./dnetconfig

Check the server log file:

tail -f /usr/local/Extreme_Networks/Netsight/appdata/logs/server.log

Check Spanning Tree status using FlexView

Select switches from Devices and use FlexView to open a new tab with Bridge Spanning Tree Information or Bridge Port Summary Information.

Terminal CLI

Select multiple devices by type and choose Device > Execute CLI Commands… to run commands across all of them. View the results and/or export them to a file.

Interface Statistics

From FlexView (Interface Statistics) select a column such as In Discards or In Errors and apply a filter of >0 to pick out interfaces with errors.


XMC NAC EAP Error TLS Cipher

If the error below appears in the Status Description field under Events for end-systems after upgrading NAC (versions above 7.0), try the appliance properties listed underneath on the engine.

eap_tls: TLS Alert write:fatal:handshake failure
eap_tls: SSL says: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
eap_tls: SSL_read failed in a system call (-1), TLS session failed
eap_tls: TLS receive handshake failed during operation
eap_tls: [eaptls process] = fail
eap: Failed continuing EAP TLS (13) session. EAP sub-module failed

Apply these two Appliance Properties to the NAC appliance:

RADIUS_TLS_REMOVE_RC4_CIPHERS=false

RADIUS_TLS_CIPHER_LIST=DEFAULT

Note: this was needed for the Windows XP test machine in use. The "no shared cipher" alert means the client only offers cipher suites the upgraded engine no longer accepts by default, and these properties put the RC4 suites back. RC4 is prohibited in TLS (RFC 7465), so treat this as a temporary workaround for legacy clients and remove it once those clients are gone.

XMC NAC Host Lookup

When using the "LDAP Host Group" component of a NAC rule, the hostname resolved by NAC must be present in the LDAP server's database for that component to match. If the hostname was resolved only by DHCP, and therefore has no FQDN, the LDAP lookup against dNSHostName will most likely fail. In this case try changing the Host Search Attribute in the associated LDAP Configuration from "dNSHostName" to "name".


How to do EAP-TLS with Control

Authenticating with certificates (EAP-TLS) is more secure than using only a username and password: there is no password to phish, guess or replay, and the client must hold the private key matching a certificate issued by a CA the engine trusts.

(Screenshot: EAP-TLS.PNG)

What is needed for the certificate:

Private key, generated via the CLI (OpenSSL) or a browser.

CSR, generated via the CLI or a browser.

Certificate, which the CA issues from the CSR, again via the CLI or a browser.

(Screenshots: Cert.PNG, privatekey.PNG)

Generate a Server Private Key

Use the following steps to generate an encrypted RSA private key.

1. Enter the following command to use OpenSSL to generate a password-encrypted, PKCS #8 formatted server private key file. Use the key size and output file name you prefer. (If you are unsure of the key size, use 2048; do not go below it.)

openssl genrsa <key size> | openssl pkcs8 -topk8 -out <output file>

For example:

openssl genrsa 2048 | openssl pkcs8 -topk8 -out server.key

2. You will be prompted for an encryption password. Be sure to make a note of the password that you enter. If the password is lost, you will need to generate a new server private key and a new server certificate.

(Screenshots: keyexample.PNG, csr.PNG)

The CN must be the FQDN of the Access Control Engine (ACE).

Create a Certificate Signing Request

Use the following steps to create a Certificate Signing Request (CSR).

1. Enter the following command to generate a CSR file. Use the output file name from step 1 above as the input file, and specify the output file name you prefer:

openssl req -new -key <input file> -out <output file>

For example:

openssl req -new -key server.key -out server.csr

2. You will be prompted for information that will appear in the certificate. When you are prompted for a Common Name, specify the fully qualified host name of the NAC appliance. For example:

Common Name (eg, YOUR name) []:nac1.mycompany.com

If you are creating a client and/or server certificate CSR for use with PEAP or EAP-TLS, you may need to add an extension to the command used to generate the CSR file. Server and client certificates require an extendedKeyUsage extension (serverAuth and/or clientAuth) in order to operate as intended. The section names below (server_auth, client_auth, server_and_client_auth) are not present in a stock openssl.cnf; they must be defined in the OpenSSL configuration file in use. Verify with your certificate vendor whether they want the extensions in the CSR or will add them to the certificate themselves when it is issued. The following are command examples of the CSR request that include each of the extension options available.

•If the CSR is for the NAC appliance, the command must include:
openssl req -new -reqexts server_auth -key <input file> -out <output file>
•If the CSR is for a client, the command must include:
openssl req -new -reqexts client_auth -key <input file> -out <output file>
•If the CSR is for both the NAC appliance and client, the command must include:
openssl req -new -reqexts server_and_client_auth -key <input file> -out <output file>

(Screenshot: csrexample.PNG)

Verify the CSR with OpenSSL (checks the self-signature and prints the subject and requested extensions):

openssl req -text -noout -verify -in <csrfile.csr>
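The whole procedure above (encrypted key, CSR with the server_auth extension section, verification) as one non-interactive script. This is an added example, not Extreme's or OpenSSL's documentation. The hostname, organisation and passphrase are assumptions, and the server_auth, client_auth and server_and_client_auth sections it writes into req.cnf are the ones the -reqexts options above refer to; they do not exist in a stock openssl.cnf.

```shell
#!/bin/sh
# Added example: NAC appliance key + CSR with the EKU extension, then verify.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="${FQDN:-nac1.mycompany.com}"   # assumption: the example host name used on the page
KEY_PASS="${KEY_PASS:-changeit}"      # assumption: demo passphrase, replace in practice

# The extension sections -reqexts points at. Each one sets extendedKeyUsage,
# which is what makes the certificate usable as a server, client or both.
make_req_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name (FQDN of the appliance)
[ server_auth ]
extendedKeyUsage = serverAuth
[ client_auth ]
extendedKeyUsage = clientAuth
[ server_and_client_auth ]
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Step 1: password-encrypted PKCS#8 private key (passphrase supplied, not prompted).
gen_server_key() {
  openssl genrsa 2048 2>/dev/null \
    | openssl pkcs8 -topk8 -out "$WORKDIR/server.key" -passout "pass:$KEY_PASS"
}

# Step 2: CSR whose CN is the appliance FQDN, with the requested extension section.
# $1 = server_auth | client_auth | server_and_client_auth
gen_csr() {
  openssl req -new -config "$WORKDIR/req.cnf" -reqexts "$1" \
    -key "$WORKDIR/server.key" -passin "pass:$KEY_PASS" \
    -subj "/C=US/O=MyCompany/CN=$FQDN" -out "$WORKDIR/server.csr"
}

# Verification: exit status of openssl's self-signature check on the CSR.
csr_verify() {
  openssl req -noout -verify -in "$WORKDIR/server.csr" >/dev/null 2>&1
}

# Pull the CN back out of the CSR to confirm it is the FQDN.
csr_subject_cn() {
  openssl req -noout -subject -in "$WORKDIR/server.csr" | sed -n 's/.*CN *= *//p'
}

# Pull the requested Extended Key Usage line out of the CSR text dump.
csr_eku() {
  openssl req -text -noout -in "$WORKDIR/server.csr" \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

make_req_config
gen_server_key
gen_csr server_auth
csr_verify && echo "CSR verify OK"
echo "Subject CN: $(csr_subject_cn)"
echo "Requested EKU: $(csr_eku)"
```

If the CA strips or overrides the requested extensions, the issued certificate (not the CSR) is what has to be checked; run the same text dump with `openssl x509 -text -noout -in` on the returned certificate and look for the EKU before uploading it to the appliance.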

Submit the Request to a Certificate Authority

The procedure for submitting a CSR to a Certificate Authority (CA) varies with the service used. Usually it is done through a website, either at a commercial CA such as VeriSign or at an in-house CA that issues certificates used internally by your enterprise. You provide the contents of the CSR and receive back one or more files containing the server certificate and possibly the intermediate certificates that make up its chain.

(Screenshots of the CA web enrolment and appliance upload, not reproduced: signcsr, requestcert, advcertreq, submitcertreq, csr+template, downloadcert, mangecert, updateradiuscert, key+cert, key+cert+pwd, trustedca, updateaaatrustedcert)

Install the certificate on client computers by GPO, which is transparent to users. There should be a user certificate (in Certificates – Current User: Personal > Certificates) and the CA certificate (in Trusted Root Certification Authorities) on the client. The client must trust the CA that issued the RADIUS server certificate as well, and the supplicant profile should be set to validate the server certificate and server name; otherwise a rogue access point with its own RADIUS server can accept the client's EAP session.

Note: some browsers may prevent you from seeing and choosing settings such as key length when requesting the user certificate. Verify the certificate is installed by running mmc and adding the Certificates snap-in. Open the installed certificate and look at the Details tab for more information (issuer, key usage, validity).


Certificate Configuration (XMC)

During installation, Access Control generates a unique private key and server
certificate for the NAC Manager RADIUS server. This certificate provides basic
functionality while you are configuring and testing your NAC Manager
deployment. To integrate with the certificate structure you already have on your
network, update to a certificate generated by a Certificate Authority that your
connecting end-systems are already configured to trust.

Update RADIUS Server Certificate Window

The RADIUS server certificate is the certificate sent to end-systems during
certain forms of 802.1X authentication. If the appliance RADIUS server will proxy
all 802.1X authentication requests, then certificates are not used. If the appliance
RADIUS server can terminate 802.1X authentication requests, then certificates
will be used if you are using EAP-TLS, PEAP, or EAP-TTLS authentication. The
Update RADIUS Server Certificate window in NAC Manager lets you replace the
server certificate.

Refer to the help topic How to Update Access Control Engine Server Certificates in Extreme Management Center (Legacy) in the EMC NAC Manager User Guide.

In addition, to configure the AAA Trusted Certificate Authorities that designate which client certificates can be trusted, see the Update AAA Trusted Certificate Authorities Window help topic.

LDAP Authentication (XMC)

LDAP authentication uses a backend Active Directory server or LDAP server
defined in your AAA Configuration to authenticate users. Additionally, some
protocols also require RADIUS server and client certificates to be used in
conjunction with LDAP authentication.

Active Directory

Supported Protocols: PAP, MsCHAP, PEAP, EAP-MsCHAPV2, and EAP-TTLS
with tunneled PAP.

PAP or EAP-TTLS with tunneled PAP protocols

During the authentication process, the Access Control engine sends an LDAP
bind request to the Active Directory domain controller using the password
retrieved from the end user's authentication request. Therefore, the LDAP
protocol must be allowed between the Access Control engine and the Active
Directory domain controller for the authentication process to take place. Because
the bind carries the user's password, that connection should use LDAPS or
StartTLS rather than plain LDAP.

MsCHAP, PEAP, and EAP-MsCHAPv2 protocols

These three protocols work with Active Directory (and not with other LDAP servers)
because their challenge/response is computed over the NT hash of the password,
which is the password hash type stored by the Microsoft Active Directory domain
controller. The engine never receives the cleartext password with these protocols,
so it cannot verify it with an LDAP bind the way it does for PAP.

Local Authentication

Local authentication uses a local password repository defined in your AAA
Configuration to authenticate users. Additionally, some protocols also require
RADIUS server and client certificates to be used in conjunction with local
authentication.

When you add or edit a user in your local password repository, you can specify
the hash type used to store the user's password in the Extreme Management Center
and NAC Manager databases.


Local RADIUS Termination at the Access Control Engine

This section describes how to configure authentication using the Access Control engine RADIUS server to locally terminate 802.1X EAP authentication requests. There are three methods, depending on the protocol that is used:

  • LDAP Authentication – Uses a backend Active Directory server or LDAP server, and
    RADIUS server and client certificates (if required) to authenticate users.
  • Local Authentication – Uses a local password repository, and RADIUS server and
    client certificates (if required) to authenticate users.
  • RADIUS Certificates only – Uses only RADIUS server and client certificates to
    authenticate users (no password is required).

The chart below lists the password hash types supported by each protocol. Note that
PEAP (with inner EAP-TLS) is not supported for local RADIUS termination and is
only supported in a proxy RADIUS configuration. If passwords are required, you can then decide whether to use LDAP or local authentication for password verification.

(Chart image 8021xeap, not reproduced)