3Com WX1200 3CRWX120695A, WX2200 3CRWX220095A, WX4400 3CRWX440095A, WXR100 3CRWXR10095A Ways a WX Switch Can Use EAP

AAA Tools for Network Users 447

Ways a WX SwitchCan Use EAPNetwork users with 802.1X support cannot access the network unless they are authenticated. You can configure a WX switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WX, or to offload some authentication tasks from the server group. Table39 details these three basic WX authentication approaches.(For information about digital certificates, see Chapter 20, “Managing Keys and Certificates,” on page 413.)

PEAP-MS-

CHAP-V2

(Protected EAP

with Microsoft

Challenge

Handshake

Authentication

Protocol

version 2)

The wireless client

authenticates the server

(either the WX switch or a

RADIUS server) using TLS

to set up an encrypted

session. Mutual

authentication is

performed by

MS-CHAP-V2.

Wireless and wired

authentication:

The PEAP

portion is

processed on the

WX switch.

The

MS-CHAP-V2

portion is

processed on the

RADIUS server or

locally,

depending on

the

configuration.

Only the server

side of the

connection

requires a

certificate.

The client needs

only a username

and password.

*EAP-MD5 does not work with Microsoft wired authentication clients.

Table38 EAP Authentication Protocols for Local Processing (continued)

EAP Type Description Use Considerations

Table39 Three Basic WX Approaches to EAP Authentication

Approach Description

Pass-through An EAP session is established directly between the client and

RADIUS server, passing through the WX switch. User information

resides on the server. All authentication information and certificate

exchanges pass through the switch or use client certificates issued

by a certificate authority (CA). In this case, the switch does not

need a digital certificate, although the client might.

Local The WX switch performs all authentication using information in a

local user database configured on the switch, or using a

client-supplied certificate. No RADIUS servers are required. In this

case, the switch needs a digital certificate. If you plan to use the

EAP with Transport Layer Security (EAP-TLS) authentication

protocol, the clients also need certificates.