WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

If you require the same MAC user to be able to connect to more than one SSID, you can use encryption assignment to enforce the type of encryption a user or group must use to access the network. When you assign the Encryption-Type attribute to a user or group, the permitted encryption type or types are stored as an authorization attribute in the user or group record, either in the local WX switch database or on the RADIUS server. Encryption-Type is an MSS VSA. Clients that attempt to use an encryption method not listed in the attribute are rejected. In this way, a client could connect to any WEP-encrypted SSID, but not to a clear (unencrypted) SSID. (See the Wireless LAN Switch and Controller Configuration Guide for more information.)
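The following Python model illustrates the authorization decision described above: a user record (or the group record it belongs to) carries an Encryption-Type attribute, and a client is rejected when the SSID it associates to uses an encryption method that is not in the attribute. This is an added example, not MSS code; the encryption-type labels, the user and group records, and the rule that a user-level attribute overrides the group-level one are constructed assumptions for illustration.

```python
"""Model of Encryption-Type authorization (added example, not MSS code).

A user or group record carries an Encryption-Type attribute listing the
encryption methods the client may use. When a client authenticated as that
user associates to an SSID, the SSID's encryption type is checked against
the attribute and the client is rejected if it does not match.
"""

# Constructed encryption-type labels; the page itself names only WEP and "clear".
CLEAR, WEP, TKIP, CCMP = "clear", "wep", "tkip", "ccmp"

# Constructed records of the kind kept in the local WX database or on RADIUS.
# "encryption-type" stands in for the MSS Encryption-Type VSA.
GROUPS = {
    "staff": {"encryption-type": {TKIP, CCMP}},
}
USERS = {
    "dang":   {"group": "staff"},                      # inherits the staff attribute
    "guest":  {"encryption-type": {WEP, TKIP, CCMP}},  # any encrypted SSID, never clear
    "kiosk":  {"encryption-type": {CLEAR}},
    "legacy": {},                                      # no attribute: no restriction
}
SSIDS = {
    "corp": CCMP,
    "legacy-wep": WEP,
    "open-lobby": CLEAR,
}


def allowed_encryption(username):
    """Return the permitted encryption types, or None when unrestricted.

    Assumption: an attribute on the user record overrides the group record.
    """
    user = USERS.get(username)
    if user is None:
        return set()  # unknown user: permit nothing
    if "encryption-type" in user:
        return set(user["encryption-type"])
    group = GROUPS.get(user.get("group"), {})
    if "encryption-type" in group:
        return set(group["encryption-type"])
    return None


def authorize(username, ssid):
    """Decide whether the client may associate to ssid; returns (ok, reason)."""
    if ssid not in SSIDS:
        return False, "unknown SSID"
    allowed = allowed_encryption(username)
    if allowed is None:
        return True, "no Encryption-Type attribute; any encryption permitted"
    enc = SSIDS[ssid]
    if enc in allowed:
        return True, f"{enc} permitted by Encryption-Type"
    return False, f"{enc} not in Encryption-Type {sorted(allowed)}"


if __name__ == "__main__":
    attempts = [("guest", "legacy-wep"), ("guest", "open-lobby"),
                ("dang", "corp"), ("dang", "legacy-wep")]
    for user, ssid in attempts:
        print(f"{user:6} -> {ssid:11}", authorize(user, ssid))
```

The "guest" record shows the case the text describes: the user can reach any encrypted SSID but is rejected on the clear one, while "dang" is limited to the stronger methods inherited from the group record.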

Security Best Practices

MSS and 3WXM provide robust options for securing management access to WX switches and to the 3WXM client and 3WXM monitoring service. To optimize security for management access, use the following best practices.

Certificates

When anyone attempts to access a WX switch, the switch authenticates itself by presenting a signed certificate to the management application that is requesting access. The switch’s certificate can come from a certificate authority (CA) or it can be generated and signed by the switch itself.

3Com recommends that you use certificates assigned by a CA. Certificates from a trusted CA are more secure than self-signed certificates. Here are some trusted CAs:

http://www.verisign.com

http://www.entrust.com

http://www.microsoft.com

If you use a self-signed certificate, configure the clients to not validate server certificates. If a client is configured to validate server certificates, the client will not be able to validate a self-signed certificate from the WX switch.

Usernames

3Com recommends that you do not create usernames that have the same spelling but use different case. For example, do not create both username dang and username DANG.

Passwords

The CLI, as well as 3WXM, can be secured using passwords. By default, the following access types do not have passwords configured. Each uses a separate password.

Console access to the CLI. To secure console access, configure a username and password in the WX switch’s local database, using the set user command. After you configure at least one username and password and an access rule to permit them, access to the CLI through the console requires a password. (Access through Telnet or SSH is not possible without a password, even on an unconfigured switch.)

Access to the enable (configuration) level of the CLI, through the console, or through Telnet or SSH. To secure enable access, configure the enable password using the set enablepass command.
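The following Python script audits a switch configuration for the Usernames and Passwords best practices above: usernames that differ only in case, the absence of any local user with a password (console access), and a missing enable password. It is an added example, not 3Com code; the config line formats it parses are a constructed approximation of saved-configuration output rather than the documented MSS syntax, and the hash values are placeholders.

```python
"""Audit of WX management-access settings (added example, not 3Com code).

Checks, over a constructed approximation of saved-configuration output:
  1. usernames that differ only in case (Usernames best practice),
  2. at least one local user with a password (console CLI access),
  3. an enable password (set enablepass).
The line formats below are an assumption, not the documented MSS syntax.
"""
import re
from collections import defaultdict

# Constructed sample configuration; hash values are placeholders.
SAMPLE_CONFIG = """\
set system name wx-lab
set user dang password encrypted PLACEHOLDER-HASH-1
set user DANG password encrypted PLACEHOLDER-HASH-2
set user guest password encrypted PLACEHOLDER-HASH-3
set user Dang attr vlan-name red
"""

# Assumed line shapes: "set user NAME password ..." / "set user NAME attr ..."
USER_RE = re.compile(r"^set user (\S+) (password|attr)\b")
ENABLE_RE = re.compile(r"^set enablepass\b")


def parse_users(config_text):
    """Return {username: has_password} for every 'set user' line."""
    users = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            name, kind = m.groups()
            users[name] = users.get(name, False) or kind == "password"
    return users


def case_collisions(usernames):
    """Group names that are equal when case is ignored; return the collisions."""
    groups = defaultdict(list)
    for name in usernames:
        groups[name.casefold()].append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


def audit(config_text):
    """Return a list of finding strings; an empty list means all checks passed."""
    findings = []
    users = parse_users(config_text)
    for names in case_collisions(users):
        findings.append("usernames differ only in case: " + ", ".join(names))
    if not any(users.values()):
        findings.append("no local user with a password: console CLI access is unprotected")
    if not any(ENABLE_RE.match(line.strip()) for line in config_text.splitlines()):
        findings.append("no enable password: enable level is unprotected")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Run as-is the sample produces two findings (the dang/DANG/Dang collision and the missing enable password); the same functions can be pointed at real saved-configuration text once the regular expressions are adjusted to the actual line format.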