WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES

Client and AAA Best Practices

Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.

Get Clients and AAA Working First

The great majority of installation issues are related to clients and AAA server (authentication, authorization, and accounting) operation. 3Com recommends first establishing a baseline of proper operation with a sampling of wireless clients and the AAA server you plan to use. Working out client and AAA configuration methods first provides valuable information as you scale the deployment.

The selection of client and AAA server software depends heavily on the requirements of your deployment. First, decide which EAP protocol you will use, because that choice restricts the available clients and servers. Each protocol has different advantages and disadvantages, which you will need to weigh for your deployment. For most enterprise deployments, 3Com recommends using PEAP-MS-CHAP-V2 as the 802.1X protocol. The following table compares the EAP protocols.

Protocol: EAP-TTLS
  Advantages: Does not require client certificates. Broadest compatibility with user directories.
  Disadvantages: Requires third-party 802.1X client software. Username/password-based access might not be as strong as certificate-based access.

Protocol: EAP-TLS
  Advantages: Strongest authentication using X.509 certificates. Native support in Windows XP and 2000. Broad support in all 802.1X clients.
  Disadvantages: Client-side certificates require full PKI infrastructure and management overhead.

Protocol: PEAP-TLS
  Advantages: Strongest authentication using X.509 certificates. Native support in Windows XP and 2000. Broad support in all 802.1X clients.
  Disadvantages: Client-side certificates require full PKI infrastructure and management overhead. Minimal advantage over EAP-TLS.

Protocol: PEAP-MS-CHAP-V2
  Advantages: Does not require client certificates. Compatible with MSS EAP offload. Native support in Microsoft Windows XP and 2000. Broad support in 802.1X clients.
  Disadvantages: Username/password-based access might not be as strong as certificate-based access.

Although LEAP uses the same ethertype as 802.1X (0x888e), the LEAP protocol is proprietary and does not conform to the IEEE 802.1X standard. Additionally, the LEAP protocol has serious security flaws. For example, LEAP-authenticated networks can be breached using a simple dictionary attack.
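Because the EAP method in use decides how strong the authentication is, an operator verifying the baseline described above wants to confirm which method each client actually negotiated, and in particular that no client is falling back to LEAP. The following audit script is an added example, not 3Com's code or part of MSS: it parses the Ethernet, EAPOL and EAP headers of captured 802.1X frames (ethertype 0x888e, as stated in the notes) and maps each supplicant MAC to the EAP method types it exchanged. The EAP method type numbers (13 EAP-TLS, 17 LEAP, 21 EAP-TTLS, 25 PEAP, 26 EAP-MSCHAPv2) are assumed from the IANA registry rather than taken from the page, and the sample frames, MAC addresses and the frame-builder helper are constructed for this example.

```python
"""Audit 802.1X (EAPOL) frames for the EAP method each supplicant negotiates.

Added example, not 3Com/MSS code. Sample frames and MACs are constructed.
"""
import struct
from collections import defaultdict

ETHERTYPE_EAPOL = 0x888E          # 802.1X/EAPOL ethertype (stated in the release notes)
EAPOL_TYPE_EAP_PACKET = 0         # EAPOL packet type 0 carries an EAP packet
EAP_REQUEST, EAP_RESPONSE = 1, 2  # EAP codes that carry a method type byte

# IANA-registered EAP method type numbers (assumed; not listed on the page).
EAP_METHOD_NAMES = {
    1: "Identity",
    3: "Nak",
    13: "EAP-TLS",
    17: "LEAP",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}
NON_METHOD_TYPES = {1, 3}   # Identity and Nak are negotiation, not authentication methods
FLAGGED_METHODS = {"LEAP"}  # proprietary, non-802.1X, dictionary-attackable per the notes


def parse_eap_method(frame: bytes):
    """Return (supplicant_mac, method_name) for an EAP Request/Response that
    carries an authentication method type; return None for anything else."""
    if len(frame) < 14 + 4 + 5:  # Ethernet + EAPOL header + minimal typed EAP header
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    if pkt_type != EAPOL_TYPE_EAP_PACKET:
        return None  # EAPOL-Start, Logoff and Key frames carry no EAP method
    eap = frame[18:18 + body_len]
    if len(eap) < 5:
        return None  # EAP Success/Failure are 4 bytes and have no type field
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or eap_len > len(eap):
        return None
    if eap_type in NON_METHOD_TYPES:
        return None
    # Requests flow authenticator -> supplicant, responses the other way.
    supplicant = src if code == EAP_RESPONSE else dst
    mac = ":".join(f"{b:02x}" for b in supplicant)
    return mac, EAP_METHOD_NAMES.get(eap_type, f"EAP-type-{eap_type}")


def audit_frames(frames):
    """Map each supplicant MAC to the set of EAP methods seen and list the
    MACs that used a flagged method."""
    methods_by_mac = defaultdict(set)
    for frame in frames:
        parsed = parse_eap_method(frame)
        if parsed:
            mac, method = parsed
            methods_by_mac[mac].add(method)
    flagged = sorted(mac for mac, seen in methods_by_mac.items() if seen & FLAGGED_METHODS)
    return dict(methods_by_mac), flagged


def build_eapol_eap_frame(dst, src, code, ident, eap_type, payload=b""):
    """Construct an Ethernet/EAPOL/EAP frame (constructed test input only)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(payload), eap_type) + payload
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


# Constructed sample exchange: client A negotiates PEAP, client B falls back to LEAP.
AP = bytes.fromhex("001122aabbcc")        # constructed authenticator MAC
CLIENT_A = bytes.fromhex("00aa11bb22cc")  # constructed supplicant MAC
CLIENT_B = bytes.fromhex("00dd33ee44ff")  # constructed supplicant MAC
SAMPLE_FRAMES = [
    build_eapol_eap_frame(CLIENT_A, AP, EAP_REQUEST, 1, 1),            # Identity request
    build_eapol_eap_frame(AP, CLIENT_A, EAP_RESPONSE, 1, 1, b"alice"),  # Identity response
    build_eapol_eap_frame(CLIENT_A, AP, EAP_REQUEST, 2, 25, b"\x20"),   # PEAP start
    build_eapol_eap_frame(AP, CLIENT_A, EAP_RESPONSE, 2, 25, b"\x00"),  # PEAP client hello (stub)
    build_eapol_eap_frame(CLIENT_B, AP, EAP_REQUEST, 2, 17, b"\x01\x00\x08" + b"\x00" * 8),   # LEAP challenge
    build_eapol_eap_frame(AP, CLIENT_B, EAP_RESPONSE, 2, 17, b"\x01\x00\x18" + b"\x00" * 24),  # LEAP response
]

if __name__ == "__main__":
    seen, flagged = audit_frames(SAMPLE_FRAMES)
    for mac, methods in sorted(seen.items()):
        print(f"{mac}: {', '.join(sorted(methods))}")
    print("flagged supplicants:", flagged or "none")
```

Run against a real capture, the frames would come from a pcap reader rather than the constructed list; the parser only needs the raw Ethernet frame bytes. Keying on the supplicant (destination of a Request, source of a Response) keeps the authenticator's own address out of the report, so the flagged list names the client machines whose configuration needs correcting.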

When testing and evaluating MSS, 3Com recommends that enterprises using primarily Microsoft platforms use Windows XP clients running PEAP-MS-CHAP-V2 with a Windows 2000 or 2003 server running Internet Authentication Service (IAS) as the RADIUS back end. This provides a test environment that is quick to set up and does not require additional third-party software.