3Com WX2200 3CRWX220095A Switch User Manual


 
AAA Tools for Network Users 447
Ways a WX Switch
Can Use EAP
Network users with 802.1X support cannot access the network unless they
are authenticated. You can configure a WX switch to authenticate users
with EAP on a group of RADIUS servers and/or in a local user database on
the WX, or to offload some authentication tasks from the server group.
Table 39 details these three basic WX authentication approaches.
(For information about digital certificates, see Chapter 20, “Managing
Keys and Certificates,” on page 413.)
PEAP-MS-
CHAP-V2
(Protected EAP
with Microsoft
Challenge
Handshake
Authentication
Protocol
version 2)
The wireless client
authenticates the server
(either the WX switch or a
RADIUS server) using TLS
to set up an encrypted
session. Mutual
authentication is
performed by
MS-CHAP-V2.
Wireless and wired
authentication:
The PEAP
portion is
processed on the
WX switch.
The
MS-CHAP-V2
portion is
processed on the
RADIUS server or
locally,
depending on
the
configuration.
Only the server
side of the
connection
requires a
certificate.
The client needs
only a username
and password.
*EAP-MD5 does not work with Microsoft wired authentication clients.
Table 38 EAP Authentication Protocols for Local Processing (continued)
EAP Type Description Use Considerations
Table 39 Three Basic WX Approaches to EAP Authentication
Approach Description
Pass-through An EAP session is established directly between the client and
RADIUS server, passing through the WX switch. User information
resides on the server. All authentication information and certificate
exchanges pass through the switch or use client certificates issued
by a certificate authority (CA). In this case, the switch does not
need a digital certificate, although the client might.
Local The WX switch performs all authentication using information in a
local user database configured on the switch, or using a
client-supplied certificate. No RADIUS servers are required. In this
case, the switch needs a digital certificate. If you plan to use the
EAP with Transport Layer Security (EAP-TLS) authentication
protocol, the clients also need certificates.