414 CHAPTER 20: MANAGING KEYS AND CERTIFICATES
For wireless or wired 802.1X users whose authentication is performed by
the WX switch, the first stage of any EAP transaction is Transport Layer
Security (TLS) authentication and encryption. 3Com Wireless Switch
Manager and Web Manager also require a session to the WX switch that is
authenticated and encrypted by TLS. Once a TLS session is authenticated,
it is encrypted.
TLS allows the client to authenticate the WX switch (and optionally allows
the WX switch to authenticate the client) through the use of digital
signatures. Digital signatures require a public-private key pair. The
signature is created with a private key and verified with a public key. TLS
enables secure key exchange.
PEAP performs a TLS exchange for server authentication and allows a
secondary authentication to be performed inside the resulting secure
channel for client authentication. For example, the Microsoft Challenge
Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs
mutual MS-CHAP-V2 authentication inside an encrypted TLS channel
established by PEAP.
1 To form the encrypted TLS channel, the WX switch must have a digital
certificate and must send that certificate to the wireless client.
2 Inside the WX switch’s digital certificate is the WX switch’s public key,
which the wireless client uses to encrypt a pre-master secret key.
3 The wireless client then sends the key back to the WX switch so that both
the WX and the client can derive a key from this pre-master secret for
secure authentication and wireless session encryption.
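The three steps above, worked end to end in an added example that is not code from the 3Com manual or the WX switch software: the switch's public key is carried in a constructed certificate record, the client encrypts a 48-byte pre-master secret to that key, the switch decrypts it with its private key, and both sides derive the same 48-byte master secret with the TLS 1.0/1.1 PRF (RFC 2246, section 5). The RSA key (two Mersenne primes, about 150 bits), the certificate record, the random values and the names `run_key_exchange`, `master_secret` and `tls10_prf` are all assumptions made for this illustration; textbook RSA over 16-byte chunks with no padding is used only to keep the example self-contained and is not how a real TLS stack encrypts the pre-master secret.

```python
"""Added example (not from the 3Com manual): the RSA key-exchange steps of the
PEAP/TLS handshake, worked with a toy RSA key and the TLS 1.0/1.1 PRF.
The key, the "certificate" record and the random values are constructed here
for illustration; the modulus is far too small for real use."""
import hashlib
import hmac
import secrets

# --- Step 1: the switch's "certificate" carries its RSA public key -----------
# Toy RSA key built from two Mersenne primes; n is about 150 bits, so any
# 16-byte block is a valid plaintext. (Assumption: a real certificate also
# binds this key to the switch's identity with a CA signature, which the
# client must verify before trusting the key; that check is out of scope.)
_P = 2**61 - 1
_Q = 2**89 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

SWITCH_CERTIFICATE = {"subject": "wx-switch.example (constructed)", "n": _N, "e": _E}
SWITCH_PRIVATE_KEY = _D          # never leaves the switch

_CHUNK = 16  # bytes per textbook-RSA block; 128 bits < log2(n)


def rsa_encrypt(pub, data):
    """Textbook RSA over 16-byte chunks (no padding: toy illustration only)."""
    out = []
    for i in range(0, len(data), _CHUNK):
        m = int.from_bytes(data[i:i + _CHUNK], "big")
        out.append(pow(m, pub["e"], pub["n"]))
    return out


def rsa_decrypt(priv_d, n, blocks):
    """Inverse of rsa_encrypt; only the private-key holder can do this."""
    return b"".join(pow(c, priv_d, n).to_bytes(_CHUNK, "big") for c in blocks)


# --- TLS 1.0/1.1 PRF: P_MD5(S1) XOR P_SHA1(S2), RFC 2246 section 5 ----------
def _p_hash(hash_name, secret, seed, length):
    """P_hash expansion: HMAC(secret, A(i) + seed) with A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = hmac.new(secret, seed, hash_name).digest()          # A(1)
    while len(out) < length:
        out += hmac.new(secret, a + seed, hash_name).digest()
        a = hmac.new(secret, a, hash_name).digest()          # A(i+1)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    # S1 and S2 are the two halves of the secret (overlapping by one byte if
    # the length is odd), fed to P_MD5 and P_SHA1 respectively and XORed.
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5 = _p_hash("md5", s1, label + seed, length)
    sha1 = _p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def master_secret(pre_master, client_random, server_random):
    """master_secret = PRF(pre_master, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return tls10_prf(pre_master, b"master secret",
                     client_random + server_random, 48)


# --- Steps 2 and 3: client encrypts the pre-master secret, switch decrypts ----
def run_key_exchange(client_random=None, server_random=None, rng=secrets.token_bytes):
    """Return (client_master, switch_master); they are equal when the exchange succeeds."""
    client_random = client_random or rng(32)
    server_random = server_random or rng(32)

    # Client side: 48-byte pre-master secret (2-byte protocol version + 46
    # random bytes, as in TLS 1.0), encrypted to the public key from the cert.
    pre_master = b"\x03\x01" + rng(46)
    encrypted = rsa_encrypt(SWITCH_CERTIFICATE, pre_master)
    client_master = master_secret(pre_master, client_random, server_random)

    # Switch side: recover the pre-master secret with the private key and
    # derive the same master secret from it plus the two public randoms.
    recovered = rsa_decrypt(SWITCH_PRIVATE_KEY, SWITCH_CERTIFICATE["n"], encrypted)
    switch_master = master_secret(recovered, client_random, server_random)
    return client_master, switch_master


if __name__ == "__main__":
    a, b = run_key_exchange()
    print("both sides derived the same master secret:", a == b)
```

Two properties of this exchange matter to an operator of the switch: the session key depends on the private key only through the decryption in step 3, so the private key must stay on the switch, and because the pre-master secret is encrypted rather than agreed with an ephemeral exchange, the confidentiality of every past session rests on that key staying private. That is why the rest of this chapter treats the key pair and its certificate as protected material.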
Clients authenticated by PEAP need a certificate in the WX switch only
when the switch performs PEAP locally, not when EAP processing takes
place on a RADIUS server. (For details about authentication options, see
Chapter 21, “Configuring AAA for Network Users,” on page 433.)