How to Implement 802.1X Authentication with Microsoft Entra ID


This Help topic describes the steps for implementing an 802.1X authentication and OAuth 2.0 authorization with Microsoft Entra ID (formerly Azure AD). For additional information, watch this video - EntraID with 802.1X.

A common use case for this configuration is to apply different network authorizations to different users based on the security group membership in the Entra ID.


Requirements

These are the configuration requirements for Entra ID registration:

  • The Access Control Engine must have Internet access in order to retrieve user information from Microsoft.
  • Create a unique Microsoft Entra ID application on the Microsoft Entra ID page (see instructions below).

  NOTE: You must copy and paste some text values between applications during the registration and configuration. Ensure you copy and save the required values when instructed, as some are unique secret values that cannot be viewed or retrieved again.

Creating an Entra ID Application

When implementing 802.1X authentication using Entra ID and OAuth 2.0, you must first create an Entra ID application. This generates an Application ID and Application Secret that ExtremeCloud IQ Site Engine requires in its AAA configuration. Use the following steps to create and register an Entra ID application.

  1. Access the Microsoft Entra ID page with your Admin credentials at https://portal.azure.com or https://entra.microsoft.com.
  2. Select Manage Microsoft Entra ID > View.
  3. Select App registrations > New registration.

  4. Enter the following information into the required fields:
    • Name - Enter a name for the Entra ID registered application
    • Supported account types - Select Accounts in this organization directory only - (Single tenant)
  5. Select Register.

  6. Select Add a certificate or secret, or navigate to Certificates & secrets in the left menu.
  7. Select New client secret.
  8. Enter the following information into the required fields:
    • Description - your description of the new credentials
    • Expires - define how long the client secret is valid. When the client secret expires, users can no longer authenticate.

    NOTE: The expiration of the client secret cannot be modified in Entra ID. The best practice is to create a new client secret before the existing one expires and update the value in the ExtremeControl settings.

  9. Select Add.
  10. Copy the secret value to the clipboard. This is the only time the client secret is displayed. Save the secret value for your App Secret.

  11. Select API permissions > Add a permission.

  12. Select Microsoft Graph > Delegated permissions.
  13. To apply different authorizations to different users based on security group membership, also select the following delegated permissions:
    • In the Directory group select:
      • Directory.Read.All
    • In the Group Member group select:
      • GroupMember.Read.All
    • In the User group select:
      • User.Read.All
  14. If you performed the previous step, select Application permissions and add the following additional permissions:
    • In the Directory group select:
      • Directory.Read.All
    • In the Group Membership group select:
      • GroupMembership.Read.All
    • In the User group select:
      • User.Read.All

  15. Select Add permissions.
  16. Select Grant admin consent for <your company domain>, and select Yes to confirm.

  17. Select Overview.
  18. Copy the displayed Application (client) ID value. Save this value for your App ID.
  19. Select Endpoints.
  20. Copy the displayed OAuth 2.0 token endpoint (v2) value. Save this value for your Token Endpoint.

AAA Rule Configuration

You must provide the values you saved during the creation and registration of the Entra ID application in the AAA Configuration.

Use the following steps to configure 802.1X authentication with Entra ID:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control tab.
  2. In the left-panel tree, navigate to Configuration > AAA and select the advanced AAA configuration to use.
  3. In the Authentication Rules area, select Add.
  4. In the Authentication Type field, select 802.1X.
  5. In the User/MAC/Host field, specify the pattern of usernames that use this AAA rule.
  6. In the Authentication Method field, select Entra ID.
  7. Select Manage Entra IDs.
  8. Select Add.
  9. Enter the following information into the required fields:
    • Enable - select the checkbox to enable this Entra ID entry
    • Entra ID Name - enter the name of this Entra ID. The name has local meaning only.
    • Realm - specifies the Entra ID configuration to use based on the username. The realm is usually the part after the @ in the login username.
    • App ID - enter the value copied as "Application (client) ID"
    • App Secret - enter the value copied as "Client Secret"
    • Token Endpoint - enter the value copied as "OAuth 2.0 token endpoint (v2)"

  10. Select OK.
  11. Select Save.
  12. Enforce the new configuration to your engines.

User Group Configuration

After you have configured the AAA rules for 802.1X using the steps above, use the following steps to configure a User Group:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control > Group Editor > User Groups.
  2. Select Add.
  3. In the Name field, enter a name for the user group.
  4. In the Create Group area, click Add.
  5. In the Attribute Name field, enter memberOf.
  6. In the Attribute Value field, enter the name of the security or Microsoft 365 group. You can match the group name exactly or use a wildcard (*).
  7. Select Save.
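
The registration values saved above (App ID, App Secret, Token Endpoint) and the Directory/GroupMember/User application permissions can be checked before they are entered into the AAA rule. The following is an added Python example, not ExtremeCloud IQ Site Engine code and not a description of how the Access Control Engine itself talks to Entra ID: it requests an app-only token from the v2 token endpoint with the client-credentials grant, reads a user's groups through Microsoft Graph, and applies the same memberOf exact-or-wildcard test that the User Group configuration uses. The endpoint URLs are Microsoft's public ones; the injectable HTTP layer is an assumption made so the logic can run offline.

```python
"""Pre-flight check for the Entra ID registration values (added example, not
ExtremeCloud IQ Site Engine code): obtains an app-only token from the
'OAuth 2.0 token endpoint (v2)' with the client-credentials grant, reads a
user's groups through Microsoft Graph (needs the Directory/GroupMember/User
.Read.All application permissions granted above), and applies the memberOf
match used by the User Group configuration.  The HTTP layer is injectable so
the logic can be exercised offline."""
import fnmatch
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def _http(url, data=None, headers=None):
    """Default transport: POST when data is given, otherwise GET; returns parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def get_app_token(app_id, app_secret, token_endpoint, http=_http):
    """Client-credentials grant with the App ID / App Secret saved during registration."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": "https://graph.microsoft.com/.default",  # all granted application permissions
    }).encode()
    reply = http(token_endpoint, data=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    if "access_token" not in reply:  # e.g. invalid_client when the secret has expired
        raise RuntimeError(f"token request failed: {reply.get('error_description', reply)}")
    return reply["access_token"]


def user_groups(token, upn, http=_http):
    """Display names of the groups a user is a direct member of."""
    url = f"{GRAPH}/users/{urllib.parse.quote(upn)}/memberOf?$select=displayName"
    reply = http(url, headers={"Authorization": f"Bearer {token}"})
    return [g["displayName"] for g in reply.get("value", [])
            if g.get("@odata.type") == "#microsoft.graph.group"]


def member_of_matches(groups, pattern):
    """The User Group 'memberOf' test: exact group name or a '*' wildcard."""
    return any(fnmatch.fnmatchcase(g, pattern) for g in groups)
```

A token error such as invalid_client after the check has previously passed is the usual sign that the client secret has expired and the value in the Entra ID entry must be replaced.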

Access Control Rule Configuration

After you have configured the AAA rules for 802.1X and the User Groups configuration using the steps above, use the following steps to configure an Access Control Rule:

  1. From ExtremeCloud IQ Site Engine, open the Control > Access Control > Configuration tab, select your configuration, and select Rules.
  2. Select Add.
  3. In the Name field, enter a name for the rule.
  4. Select the Rule Enabled checkbox.
  5. In the Description field, enter a description for the rule.
  6. In the User Group field, select the user group you created during the User Group Configuration.
  7. In the Authentication Method field, select 802.1X (TTLS).
  8. Select Save.
  9. Enforce the new configuration to your engines.

End-System 802.1X Configuration

You must configure the end-system to use IEEE 802.1X authenticated network access. The following is an example using a Windows 11 client.

After you have configured the AAA rules, the User Groups configuration, and the Access Control Rule configuration using the steps above, you must configure 802.1X on the end-system:

  1. From Windows 11 search, type view network connections, then select Open.
  2. Right-click on the network connection you need to configure, and select Properties.
  3. Select the Authentication tab.
  4. Ensure Enable IEEE 802.1X authentication is checked.
  5. In the Choose a network authentication method field, select Microsoft: EAP TTLS.
  6. Select Settings.
  7. In the Trusted Root Certification Authorities area of TTLS Properties, select the CA that issued the certificate for your Access Control Engines.
  8. In the Client authentication area of TTLS Properties, select Select a non-EAP method for authentication, and then select Unencrypted password (PAP) from the drop-down menu.

    NOTE: The unencrypted password credentials travel through the TLS tunnel that EAP-TTLS establishes with the Access Control Engine, so they are not exposed on the network; selecting the trusted root CA in step 7 is what ensures that tunnel terminates at your own engine.

  9. Select OK, then select OK again.
