Open as PDF
AAA Tools for Network Users 447
Ways a WX Switch
Can Use EAP
Network users with 802.1X support cannot access the network unless they
are authenticated. You can configure a WX switch to authenticate users
with EAP on a group of RADIUS servers and/or in a local user database on
the WX, or to offload some authentication tasks from the server group.
Table 39 details these three basic WX authentication approaches.
(For information about digital certificates, see Chapter 20, “Managing
Keys and Certificates,” on page 413.)
The wireless client
authenticates the server
(either the WX switch or a
RADIUS server) using TLS
to set up an encrypted
Wireless and wired
processed on the
processed on the
RADIUS server or
Only the server
side of the
The client needs
only a username
*EAP-MD5 does not work with Microsoft wired authentication clients.
Table 38 EAP Authentication Protocols for Local Processing (continued)
EAP Type Description Use Considerations
Table 39 Three Basic WX Approaches to EAP Authentication
Pass-through An EAP session is established directly between the client and
RADIUS server, passing through the WX switch. User information
resides on the server. All authentication information and certificate
exchanges pass through the switch or use client certificates issued
by a certificate authority (CA). In this case, the switch does not
need a digital certificate, although the client might.
Local The WX switch performs all authentication using information in a
local user database configured on the switch, or using a
client-supplied certificate. No RADIUS servers are required. In this
case, the switch needs a digital certificate. If you plan to use the
EAP with Transport Layer Security (EAP-TLS) authentication
protocol, the clients also need certificates.