
Points to Note when using the WX1200 and WX4400
11
access are authorized to join the same VLAN from different SSIDs. This configuration might allow a hacker to more quickly discover keys by listening to both the encrypted traffic and unencrypted traffic for comparisons. You can either use the MSS SSID VSA or the encryption assignment VSA to prevent this problem.

If you only have one VLAN that each MAC-auth client should connect to, add the SSID VSA to the account for the MAC address (either local or RADIUS). This will force the WX switch to only allow that MAC address to connect to the specified SSID.

If you require the same MAC user to be able to connect to more than one SSID, you can use encryption assignment to enforce the type of encryption a user or group must have to access the network. When you assign the Encryption-Type attribute to a user or group, the encryption type or types are entered as an authorization attribute into the user or group record in the local WX switch database or on the RADIUS server. Encryption-Type is an MSS VSA. Clients who attempt to use an unauthorized encryption method are rejected. In this way, a client could connect to any WEP-encrypted SSID, but not a clear SSID. (See the Wireless LAN Switch and Controller Configuration Guide for more information.)
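The following is an added example, not code from 3Com or MSS, that models how the two authorization attributes described above behave when applied to MAC-authenticated client records: the SSID VSA pins a MAC address to one SSID, while the Encryption-Type VSA allows any SSID whose encryption is in the permitted set and rejects clear SSIDs. The record fields, the SSID names and the encryption labels ("clear", "wep", "wpa") are constructed for illustration, and the exposure check at the end flags the situation the text warns about, a MAC that can reach the same VLAN through both a clear and an encrypted SSID.

```python
# Added example (not 3Com/MSS code): a model of the SSID VSA and the
# Encryption-Type VSA as applied to MAC-auth client records.  Field names,
# SSID names and encryption labels below are assumptions for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class ClientRecord:
    """Authorization record for one MAC address (local DB or RADIUS)."""
    mac: str
    vlan: str
    ssid: Optional[str] = None                         # SSID VSA (pin to one SSID)
    encryption: Set[str] = field(default_factory=set)  # Encryption-Type VSA


@dataclass
class Ssid:
    name: str
    encryption: str   # "clear", "wep" or "wpa" (constructed labels)


def authorize(record: ClientRecord, ssid: Ssid) -> bool:
    """Return True if the record permits association to this SSID."""
    # SSID VSA present: only the named SSID is permitted.
    if record.ssid is not None and ssid.name != record.ssid:
        return False
    # Encryption-Type VSA present: the SSID's encryption must be in the
    # permitted set.  A clear SSID is never in that set, so it is rejected.
    if record.encryption and ssid.encryption not in record.encryption:
        return False
    return True


def reachable_ssids(record: ClientRecord, ssids: List[Ssid]) -> List[str]:
    """Names of the SSIDs this record may associate to."""
    return [s.name for s in ssids if authorize(record, s)]


def exposure_report(records: List[ClientRecord], ssids: List[Ssid]) -> List[str]:
    """MACs that can reach their VLAN over a clear SSID *and* an encrypted one,
    the key-comparison exposure described in the text."""
    findings = []
    for rec in records:
        kinds = {s.encryption for s in ssids if authorize(rec, s)}
        if "clear" in kinds and len(kinds) > 1:
            findings.append(rec.mac)
    return findings


# Constructed sample data: three SSIDs that all map to the same VLAN.
SSIDS = [
    Ssid("guest", "clear"),
    Ssid("corp-wep", "wep"),
    Ssid("corp-wpa", "wpa"),
]

RECORDS = [
    # No VSA at all: exposed, can reach vlan10 over clear and encrypted SSIDs.
    ClientRecord("00:11:22:33:44:55", "vlan10"),
    # SSID VSA: pinned to corp-wep only.
    ClientRecord("00:11:22:33:44:66", "vlan10", ssid="corp-wep"),
    # Encryption-Type VSA: any WEP or WPA SSID, never a clear one.
    ClientRecord("00:11:22:33:44:77", "vlan10", encryption={"wep", "wpa"}),
]


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.mac, "->", reachable_ssids(rec, SSIDS))
    print("exposed MACs:", exposure_report(RECORDS, SSIDS))
```

Running the block lists which SSIDs each sample record can reach and reports only the unrestricted record as exposed; the two records carrying a VSA are confined to encrypted SSIDs.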
Security Best Practices
MSS and 3WXM provide robust options for securing management access to WX switches and to the 3WXM client and 3WXM monitoring service. To optimize security for management access, use the following best practices.
Certificates
When anyone attempts to access a WX switch, the switch authenticates itself by presenting a signed certificate to the management application that is requesting access. The switch’s certificate can come from a certificate authority (CA) or it can be generated and signed by the switch itself. 3Com recommends that you use certificates assigned by a CA. Certificates from a trusted CA are more secure than self-signed certificates. Here are some trusted CAs:
■ http://www.verisign.com
■ http://www.entrust.com
■ http://www.microsoft.com
Passwords
The CLI, as well as 3WXM, can be secured using passwords. By default, the following access types do not have passwords configured. Each uses a separate password.
■ Console access to the CLI. To secure console access, configure a username and password in the WX switch’s local database, using the set user command. After you configure at least one username and password, access to the CLI through the console requires a password. (Access through Telnet or SSH is not possible without a password, even on an unconfigured switch.)
■ Access to the enable (configuration) level of the CLI, through the console, or through Telnet or SSH. To secure enable access, configure the enable password using the set enablepass command.