How to Set Up EAP-TLS WPA2-Enterprise with Extreme Networks

Introduction

Using SecureW2 WPA2-Enterprise Onboarding Software and PKI Services with your Extreme Networks Access Points can vastly improve network security and user experience, and significantly reduce the number of Wi-Fi-related support tickets. It enables organizations to adopt certificate-based network authentication and easily replace Wi-Fi passwords.

Credential-based authentication is vulnerable to over-the-air credential theft and results in a poor end-user experience due to mandatory password-change policies.

SecureW2 streamlines 802.1x authentication management, making it easier for admins to monitor devices. End users can enroll for a certificate and self-configure their devices in minutes. Plus, a device stays authenticated for as long as its certificate is valid, so end users don’t have to reconfigure their devices every couple of months, as they do with passwords.

This guide covers integrating SecureW2 with the Extreme Networks ECA to enable organizations to support EAP-TLS certificate-based 802.1x authentication easily.

Tech Overview

  1. Configuring SecureW2 PKI services:
    1. Deploying and maintaining a PKI isn’t easy; that’s why SecureW2 offers turnkey cloud-based PKI services to make it incredibly easy to support certificate-based authentication.
  2. Configuring SecureW2 RADIUS to ECA:
    1. SecureW2 cloud-based RADIUS server integrates with any software, doesn’t require a major overhaul, and is great for clients who don’t want additional infrastructure.
    2. SecureW2 PKI Services also integrate with any RADIUS server if you have existing infrastructure.
  3. Configuring Secure SSID as WPA2-Enterprise EAP-TLS:
    1. Many have thought that EAP-TLS was too difficult to deploy. SecureW2 shows that not only does EAP-TLS certificate-based authentication provide better network security, but it can also be set up in a matter of hours rather than days.
  4. Configuring ECA’s Onboarding SSID:
    1. Once you’ve configured the settings, SecureW2 allows you to customize a landing page and SSID to onboard and authenticate devices properly.

Prerequisites and Limitations

  1. A SecureW2 Network Profile configured for EAP-TLS.
  2. An ExtremeCloud Appliance (ECA).
  3. An Extreme Access Point compatible with ECA (this guide uses an AP3915i).

Integrating the SecureW2 Cloud RADIUS

  1. From the left-hand side panel, navigate to ONBOARD > AAA.
  2. On the Default AAA Configuration page, click the Add button under RADIUS Servers.
  3. Configure the following parameters for the SecureW2 RADIUS server:

    NOTE: In the JoinNow Management Portal, navigate to RADIUS > RADIUS Configuration and copy the required IP address and port numbers.
    1. RADIUS Server IP address – <SecureW2 RADIUS IP Address>.
    2. Authorization Client UDP Port – <SecureW2 RADIUS Port>.
    3. Shared Secret – <SecureW2 RADIUS Shared Secret>.
  4. Click the Save button on the top right-hand side.
  5. This process needs to be repeated to add both the Primary and Secondary IP Addresses.
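
The Shared Secret entered in step 3 is what lets the ECA and the RADIUS server authenticate each other's packets, and a mismatch shows up only as silently discarded requests. The following added example (not SecureW2 or Extreme Networks code) builds an EAP-carrying Access-Request as defined in RFC 2865/3579 and verifies the Message-Authenticator and Response Authenticator; all function names and the sample values are this example's own.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def _signed(code, ident, auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with value zeroed)."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + auth + body, hashlib.md5).digest()
    return header, body[:-16] + mac

def build_access_request(ident, identity, secret):
    """What the NAS (here the ECA) sends when a client starts EAP."""
    eap = struct.pack("!BBHB", 2, 0, 5 + len(identity), 1) + identity  # EAP-Response/Identity
    auth = os.urandom(16)  # Request Authenticator
    attrs = attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
    header, body = _signed(ACCESS_REQUEST, ident, auth, attrs, secret)
    return header + auth + body

def build_reply(code, request, attrs, secret):
    """Server side, used here only to produce a constructed sample reply."""
    header, body = _signed(code, request[1], request[4:20], attrs, secret)
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body

def message_authenticator_ok(packet, secret, request_auth=None):
    """Recompute the HMAC; for replies pass the request's authenticator."""
    auth = packet[4:20] if request_auth is None else request_auth
    pos, end = 20, min(len(packet), struct.unpack("!H", packet[2:4])[0])
    while pos + 2 <= end:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            break  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:4] + auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:end]
            want = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, packet[pos + 2:pos + 18])
        pos += a_len
    return False  # EAP traffic without a valid Message-Authenticator is dropped

def reply_authenticator_ok(reply, request, secret):
    """Response Authenticator = MD5(code+id+len+RequestAuth+attrs+secret)."""
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])
```

A request signed with one secret fails `message_authenticator_ok` under any other, which is why a typo in the Shared Secret field looks like a RADIUS timeout rather than an Access-Reject.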

Creating a WPA2-Enterprise Onboarding SSID

  1. Navigate to Networks > Add.
  2. Configure the following parameters:
    1. Network Name – Example: Onboard.
    2. SSID – Enter a character string to identify the wireless network.
    3. Status – Enable the network service.
    4. Auth Type – Open.
    5. Enable Captive Portal – Check this option to enable captive portal support.
    6. Captive Portal Type – Select External.
    7. ECP URL – URL address of the SecureW2 network profile.
    8. Walled Garden Rules – Click Walled Garden Rules to configure policy rules for the external captive portal.
    9. Click on L3, L4 Rules (IP and Port) Rules(0 Rules) > New.
    10. Create entries to allow end-user devices to reach SecureW2 servers, Google Play Store, and to disable CNA browsers:
      1. For a full list of resources that can be allowed in the Walled Garden, please refer to the SecureW2 JoinNow Configuration Guide in the Management Portal.
  3. Click Save.

Configure the WPA2-Enterprise Secure SSID

  1. Navigate to Networks > Add.
  2. Configure the following parameters:
    1. Network Name – Example: SecureSSID.
    2. SSID – Enter a character string to identify the wireless network.
    3. Status – Enable the network service.
    4. Auth Type – WPA2 Enterprise w/ RADIUS.
    5. Authentication Method – RADIUS.
    6. Primary RADIUS – SecureW2 RADIUS IP Address added earlier.
    7. Backup RADIUS – Other SecureW2 RADIUS IP Address added earlier.
    8. Default Auth Role – Select Enterprise User.
    9. Default VLAN – Select a VLAN.
  3. Click Save.

Assigning the Configured Networks to a Site

  1. Go to the Sites tab and select the preferred site that is already configured.
  2. Click Configure Site.
  3. Click the Device Groups tab and select a device group.
  4. Click on the Profile field to edit the device group profile.
  5. Go to the Networks tab and select the configured network.
  6. Go to the Roles tab and select the previously configured roles.
  7. Click OK > Save.

Once that’s finished, you’re all set!
