Points to Note When Using the WXR100, WX1200, WX4400, or WX2200


Windows 2000 with Service Pack 4

Cisco ACS 3.2 or later is required to support PEAP-MS-CHAP-V2

WPA

WPA compatibility testing was conducted with a variety of NICs. See “Wireless NICs” for complete details of the results. If you choose to use WPA to secure your wireless network, please note the following:

CCMP (AES 802.11i draft support) is supported only when it is the only encryption type enabled on that SSID. Enabling TKIP or Dynamic WEP on the same SSID with CCMP can cause serious connectivity issues as most clients do not properly support this configuration. 3Com recommends that you create a separate service profile and SSID for WPA/CCMP.

Enabling TKIP and Dynamic WEP on the same SSID is not recommended. This configuration forces the group key (multicast/broadcast key) to use the lowest common encryption type, in this case Dynamic WEP. Additionally, compatibility with wireless NICs is reduced.

Downloading the latest drivers for your wireless NIC is strongly recommended. See “802.1X Clients” for specific information on installing drivers for your operating system.

When a session key is changed, Microsoft WPA clients can sometimes incorrectly start using the new key before the end of the four-way handshake that is used to establish the key information. This issue can occur when the session timeout for the client session expires. As a result, the MAP rejects the client’s re-association attempt because the key information presented by the client is invalid.

If you experience this issue, clear the Session-Timeout attribute on the affected users.

The WX switch will not force a reauthentication of WPA/TKIP and WPA/CCMP users periodically like it does with dynamic WEP users.

Do not use the set service-profile shared-key-auth command in a WPA configuration. This command does not enable PSK authentication for WPA. To enable PSK for WPA, use the set service-profile auth-psk command.

Use one WPA authentication method per SSID, either 802.1X authentication or preshared key (PSK) authentication, but not both.

Security — Best Practice When Mixing Encrypted Access and Clear Access

It is possible to configure a RADIUS server or a WX switch’s local authentication database so that a user with encrypted access and a user with unencrypted access are authorized to join the same VLAN from different SSIDs. This configuration might allow a hacker to more quickly discover keys by listening to both the encrypted traffic and unencrypted traffic for comparisons. You can either use the MSS SSID VSA or the encryption assignment VSA to prevent this problem.

If you only have one VLAN that each MAC-auth client should connect to, add the SSID VSA to the account for the MAC-address (either local or RADIUS). This will force the WX switch to only allow that MAC address to connect to the specified SSID.
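The WPA cautions above (CCMP alone on its SSID, TKIP with Dynamic WEP, shared-key-auth versus auth-psk, one WPA method per SSID) and the clear/encrypted VLAN-mixing caution can be checked mechanically before a configuration is pushed. The following lint is an added example, not 3Com code: the dict layout and the sample profiles are constructed stand-ins for the service-profile settings on the WX switch.

```python
"""Lint constructed WLAN service profiles against the WPA and mixed-access
cautions in these release notes. Added example, not part of the 3Com notes."""
from typing import Dict, List

# Constructed profiles (not from a real switch). "ciphers" uses the notes'
# names; "auth" lists WPA methods enabled; "shared_key_auth" mirrors the
# 'set service-profile shared-key-auth' setting the notes warn against.
PROFILES = [
    {"ssid": "corp-ccmp", "vlan": 10, "wpa": True, "ciphers": {"ccmp"},
     "auth": {"802.1x"}, "shared_key_auth": False},
    {"ssid": "corp-legacy", "vlan": 10, "wpa": True,
     "ciphers": {"tkip", "dynamic-wep"}, "auth": {"802.1x", "psk"},
     "shared_key_auth": True},
    {"ssid": "guest-open", "vlan": 10, "wpa": False, "ciphers": set(),
     "auth": set(), "shared_key_auth": False},
]

def lint_profile(p: Dict) -> List[str]:
    """Per-SSID checks taken from the WPA 'please note' list."""
    out = []
    c = p["ciphers"]
    if "ccmp" in c and len(c) > 1:
        out.append("CCMP must be the only cipher on this SSID; use a separate service profile")
    if {"tkip", "dynamic-wep"} <= c:
        out.append("TKIP + Dynamic WEP forces the group key down to Dynamic WEP")
    if p["wpa"] and p["shared_key_auth"]:
        out.append("shared-key-auth does not enable WPA PSK; use auth-psk")
    if p["wpa"] and {"802.1x", "psk"} <= p["auth"]:
        out.append("use one WPA method per SSID, 802.1X or PSK, not both")
    return out

def lint_vlan_mixing(profiles: List[Dict]) -> List[str]:
    """Flag VLANs reachable from both an encrypted SSID and a clear SSID."""
    by_vlan: Dict[int, Dict[str, set]] = {}
    for p in profiles:
        kind = "encrypted" if p["ciphers"] else "clear"
        slot = by_vlan.setdefault(p["vlan"], {"clear": set(), "encrypted": set()})
        slot[kind].add(p["ssid"])
    return [f"VLAN {v}: clear {sorted(s['clear'])} and encrypted "
            f"{sorted(s['encrypted'])} share a VLAN; pin users with the SSID VSA"
            for v, s in sorted(by_vlan.items()) if s["clear"] and s["encrypted"]]

def lint(profiles: List[Dict]) -> Dict[str, List[str]]:
    """Findings keyed by SSID, plus a 'vlan' key for cross-SSID findings."""
    findings = {p["ssid"]: lint_profile(p) for p in profiles}
    findings["vlan"] = lint_vlan_mixing(profiles)
    return findings

if __name__ == "__main__":
    for scope, msgs in lint(PROFILES).items():
        for m in msgs:
            print(f"{scope}: {m}")
```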