WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Computer authentication also requires specific configuration considerations on the WX switch:

The username of a computer authentication connection will be in the form host/fully-qualified-domain-name, for example host/bob-laptop.3Com.com or host/tac1-laptop.support.3Com.com. This username is the same regardless of the configured protocol (PEAP-MS-CHAP-V2 or EAP-TLS). An appropriate user-glob would be host/*.domain.com, where domain.com is the Active Directory domain name. Alternatively, in a smaller deployment you could use a user-glob of ** and have both user and computer authentication go to the same RADIUS server.
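To check how a set of user-globs will route these usernames before committing them to the WX switch, here is an added Python matcher (example code, not MSS code): it assumes a single * does not cross the /, . or @ delimiters, that a bare ** matches every username, and that the server-group names and the *@3Com.com user rule are constructed for illustration.

```python
import re

# ASSUMPTION (not stated on the page): a single '*' stops at these delimiters,
# so host/*.3Com.com matches host/bob-laptop.3Com.com but not a host in a
# sub-domain. A bare '**' matches every username, as the page states.
DELIMITERS = "/.@"


def user_glob_to_regex(glob: str) -> re.Pattern:
    """Translate a user-glob into a compiled regex (case-sensitive; the page
    does not say how MSS treats case)."""
    if glob == "**":
        return re.compile(r"[\s\S]*")  # match everything, whatever it contains
    pieces = []
    for ch in glob:
        if ch == "*":
            pieces.append("[^" + re.escape(DELIMITERS) + "]*")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces))


def glob_matches(glob: str, username: str) -> bool:
    """True if the whole username is covered by the user-glob."""
    return user_glob_to_regex(glob).fullmatch(username) is not None


def select_server_group(rules, username):
    """Walk the rules in order and return the server group of the first
    user-glob that matches, or None when the request would fall through."""
    for glob, group in rules:
        if glob_matches(glob, username):
            return group
    return None


# Constructed rule set for the AD domain 3Com.com used in the page's examples.
# Server-group names and the user-account glob are hypothetical.
RULES = [
    ("host/*.3Com.com", "computer-auth-group"),  # machine accounts
    ("*@3Com.com", "user-auth-group"),           # user accounts
]


def check_examples():
    """Route the page's sample usernames plus one in a sub-domain."""
    names = [
        "host/bob-laptop.3Com.com",
        "host/tac1-laptop.support.3Com.com",  # sub-domain: needs its own glob
        "alice@3Com.com",
    ]
    return {n: select_server_group(RULES, n) for n in names}


if __name__ == "__main__":
    for name, group in check_examples().items():
        print(f"{name:40} -> {group}")
```

The sub-domain laptop falls through to None, which is the case to look for when a host/*.domain.com glob is written for the parent domain only.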

PEAP-MS-CHAP-V2 offload mode is not supported with computer authentication. You must use pass-through 802.1X authentication policies with computer authentication.

AAA

The following table lists the AAA servers and configurations that have been tested with MSS. Tests were performed to a local user database in most cases, and additionally to Microsoft Active Directory and LDAP with specific protocols as noted in the table. The tests were initially performed using Dynamic WEP, though subsequent testing has revealed no noticeable differences in RADIUS compatibility when using WPA.

A result of Pass indicates that the combination is supported by MSS. A result of NA (Not Applicable) indicates that the RADIUS server tested does not support the feature. A result of Fail indicates that the RADIUS server does not interoperate with MSS for that feature. A result of NT (Not Tested) indicates that the feature was not tested.

RADIUS Servers Tested

Configuration                                      | Win 2000 IAS | Win 2003 IAS | Funk Steel Belted Radius | Cisco ACS | FreeRadius (Linux)
PEAP-MS-CHAP-V2                                    | Pass         | Pass         | Pass                     | Pass      | Pass
PEAP-MS-CHAP-V2 Offload                            | Pass         | Pass         | Pass                     | Pass      | Pass
EAP-TLS                                            | Pass         | Pass         | Pass                     | NT        | Pass
EAP-TTLS                                           | NA           | NA           | Pass                     | NA        | NT
Single-Sign-On Active Directory & PEAP-MS-CHAP-V2  | Pass         | Pass         | Pass                     | Pass      | NA
Single-Sign-On LDAP & EAP-TTLS                     | NA           | NA           | Pass                     | NT        | NT
3Com VSAs                                          | Pass         | Pass         | Pass                     | Pass      | Pass
MAC-based authentication                           | Pass         | Pass         | Pass                     | Pass      | Pass
Microsoft Active Directory computer authentication | Pass         | Pass         | NA                       | Pass      | NA

Testing notes

Single-Sign-On is defined as clients being able to use the same username and password for 802.1X authentication that they use to authenticate with network services and to log on to their local PC.

A Pass result for 3Com VSAs indicates that the VSAs were able to be added to the RADIUS server manually. Future versions of Steel Belted RADIUS and FreeRadius are planned to include standard definitions of the 3Com VSAs.

The Funk Steel Belted Radius version used for testing is 4.53.