Manage Certificates


The Manage Certificates window provides a central location for managing the security certificates for your ExtremeControl engines. You can access this window by selecting an engine in the left panel of the Control > Access Control tab and selecting Manage in the right panel.

  NOTE: ExtremeCloud IQ Site Engine automatically generates alarms as the ExtremeControl Engine Internal Communications Server Certificate, the Captive Server Portal Server Certificate, the RADIUS Server Certificate, the AAA Configuration Truststore, and the ExtremeControl Engine Truststore approach their expiration dates. ExtremeCloud IQ Site Engine generates a Notification alarm 30 days before expiration, a Warning alarm 7 days before expiration, and a Critical alarm when the certificate expires.
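
The thresholds in the note above can also be checked by hand, for example on a replacement certificate before it is uploaded. The following is an added example, not part of ExtremeCloud IQ Site Engine or its documentation; it assumes the `openssl` command-line tool is installed, and the function names, file names, and sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by the alarm thresholds in the
# note above (Notification at 30 days, Warning at 7 days, Critical once
# expired). Function and file names are hypothetical; needs the openssl CLI.

DAY=86400

# Print the alarm level that applies to the certificate in file $1.
cert_alarm_level() {
    cert=$1
    # Refuse anything that does not parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "Invalid"
        return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "Critical"
    elif ! openssl x509 -in "$cert" -noout -checkend $((7 * DAY)) >/dev/null 2>&1; then
        echo "Warning"
    elif ! openssl x509 -in "$cert" -noout -checkend $((30 * DAY)) >/dev/null 2>&1; then
        echo "Notification"
    else
        echo "None"
    fi
}

# Build a throwaway self-signed certificate valid for $1 days at path $2
# (constructed sample input, not a certificate from a real engine).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=sample.invalid" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Demo on constructed certificates with 3, 20 and 365 days of validity left.
demo_dir=$(mktemp -d)
for days in 3 20 365; do
    make_sample_cert "$days" "$demo_dir/cert-$days.pem"
    level=$(cert_alarm_level "$demo_dir/cert-$days.pem")
    printf '%s days left: %s\n' "$days" "$level"
done
rm -rf "$demo_dir"
```

To check a real certificate, call `cert_alarm_level` with the path to its PEM file.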

The top section of the window lets you modify the engine's security certificates. During installation, server certificates are generated for each ExtremeControl engine. While these certificates provide secure communication, there can be cases where you want to update to a certificate provided from an external certificate authority, or add certificates in order to meet the requirements of external components with which ExtremeCloud IQ Site Engine must communicate. Additionally, you can use a "browser-friendly" certificate so that users don't see browser certificate warnings when they access web pages.

You can use this section to:

  • View and update the Captive Portal server certificate
  • View and update the RADIUS server certificate
  • View and update the Internal Communications server certificate

The bottom section of the window provides information about the AAA configuration used by the engine group to which the engine belongs.

You can use this section to:

  • View the configured AAA authentication behavior to determine whether certificates are used in the authentication process. If your ExtremeControl deployment is using EAP-TLS, PEAP, or EAP-TTLS authentication and the authentication requests are not proxied, certificates are used to provide secure communication between the ExtremeControl RADIUS server and end-systems that are authenticating. However, if your authentication behavior is configured to proxy all 802.1X authentication requests, then certificates are not used.
  • View and update the AAA certificate authorities that are trusted to issue client certificates for 802.1X authentication. You only need to do this if your AAA authentication behavior uses certificates.

Any changes made in this window do not take effect until the engine is enforced.

Use this section to view the current configuration for the engine server certificates, and update the certificates, if desired. For complete instructions on replacing and verifying a certificate, see How to Update ExtremeControl Engine Server Certificates.

Captive Portal Server Certificate
The Captive Portal server certificate provides secure communication for the ExtremeControl captive portal web pages. Select Update Certificate to open the Update Captive Portal Server Certificate window where you can replace the certificate.
RADIUS Server Certificate
The RADIUS server certificate is the certificate sent to end-systems during certain forms of 802.1X authentication (EAP-TLS, PEAP, and EAP-TTLS). Select Update Certificate to open the Update RADIUS Server Certificate window where you can update to a certificate generated by a Certificate Authority that your connecting end-systems are already configured to trust.
  NOTE: The current configuration displays "No certificate information is available" if you have not updated the RADIUS server certificate using this window, even though a certificate is generated during installation.
RADIUS Certificates for EAP Groups
ExtremeControl includes the capability to specify a domain to store RADIUS server certificate(s), from which you can designate RADIUS certificate(s) for each tenant in your network based on incoming RADIUS Attributes, such as User-Name, NAS-IP-Address, and Calling-Station-ID, instead of using the default RADIUS certificate for all tenants.
Internal Communications Server Certificate
The Internal Communications server certificate provides secure communication between components and for ExtremeControl administrative web pages. Select Update Certificate to open the Update Internal Communications Server Certificate window where you can replace the certificate.
AAA Trusted Certificate Authorities
This section displays the current authentication behavior configured for the engine and helps you determine whether you can use certificates during authentication. If the engine RADIUS server proxies all 802.1X authentication requests, then certificates are not used. If the engine RADIUS server can terminate 802.1X authentication requests, then certificates are used if you are using EAP-TLS, PEAP, or EAP-TTLS authentication. Use the Edit AAA Configuration button to access your AAA configuration to change this behavior. 
