AAA Tools for Network Users
447
Ways a WX Switch
Can Use EAP
Network users with 802.1X support cannot access the network unless they
are authenticated. You can configure a WX switch to authenticate users
with EAP on a group of RADIUS servers and/or in a local user database on
the WX, or to offload some authentication tasks from the server group.
Table 39 details these three basic WX authentication approaches.
(For information about digital certificates, see Chapter 20, “Managing
Keys and Certificates,” on page 413.)
PEAP-MS-
CHAP-V2
(Protected EAP
with Microsoft
Challenge
Handshake
Authentication
Protocol
version 2)
The wireless client
authenticates the server
(either the WX switch or a
RADIUS server) using TLS
to set up an encrypted
session. Mutual
authentication is
performed by
MS-CHAP-V2.
Wireless and wired
authentication:
The PEAP
portion is
processed on the
WX switch.
The
MS-CHAP-V2
portion is
processed on the
RADIUS server or
locally,
depending on
the
configuration.
Only the server
side of the
connection
requires a
certificate.
The client needs
only a username
and password.
* EAP-MD5 does not work with Microsoft wired authentication clients.
Table 38
EAP Authentication Protocols for Local Processing (continued)
EAP Type
Description
Use
Considerations
Table 39
Three Basic WX Approaches to EAP Authentication
Approach
Description
Pass-through
An EAP session is established directly between the client and
RADIUS server, passing through the WX switch. User information
resides on the server. All authentication information and certificate
exchanges pass through the switch or use client certificates issued
by a certificate authority (CA). In this case, the switch does not
need a digital certificate, although the client might.
Local
The WX switch performs all authentication using information in a
local user database configured on the switch, or using a
client-supplied certificate. No RADIUS servers are required. In this
case, the switch needs a digital certificate. If you plan to use the
EAP with Transport Layer Security (EAP-TLS) authentication
protocol, the clients also need certificates.
Summary of Contents for 3CRWX120695A
Page 138: ...138 CHAPTER 6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES ...
Page 272: ...272 CHAPTER 11 CONFIGURING RF LOAD BALANCING FOR MAPS ...
Page 310: ...310 CHAPTER 13 CONFIGURING USER ENCRYPTION ...
Page 322: ...322 CHAPTER 14 CONFIGURING RF AUTO TUNING ...
Page 350: ...350 CHAPTER 16 CONFIGURING QUALITY OF SERVICE ...
Page 368: ...368 CHAPTER 17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL ...
Page 412: ...412 CHAPTER 19 CONFIGURING AND MANAGING SECURITY ACLS ...
Page 518: ...518 CHAPTER 21 CONFIGURING AAA FOR NETWORK USERS ...
Page 530: ...530 CHAPTER 22 CONFIGURING COMMUNICATION WITH RADIUS ...
Page 542: ...542 CHAPTER 23 MANAGING 802 1X ON THE WX SWITCH ...
Page 598: ...598 CHAPTER 26 ROGUE DETECTION AND COUNTERMEASURES ...
Page 706: ...706 GLOSSARY ...