279
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
PEAP-MS-CHAP-V2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2)

Description: The wireless client authenticates the server (either the switch or a RADIUS server) using TLS, which sets up an encrypted session. Mutual authentication is then performed inside that session by MS-CHAP-V2.

Wireless and wired authentication:
• The PEAP portion is processed on the switch.
• The MS-CHAP-V2 portion is processed on the RADIUS server or locally, depending on the configuration.

Certificates: Only the server side of the connection requires a certificate. The client needs only a username and password, but it should be configured to validate the server's certificate; otherwise the TLS tunnel cannot stop a rogue server from completing the MS-CHAP-V2 exchange with the client.
Ways a DWS-1008 Switch Can Use EAP
Network users with 802.1X support cannot access the network unless they are authenticated.
You can configure a switch to authenticate users with EAP on a group of RADIUS servers
and/or in a local user database on the switch, or to offload some authentication tasks from
the server group. The table Three Basic Approaches to EAP Authentication describes each of
these three approaches.
Three Basic Approaches to EAP Authentication

Pass-through: An EAP session is established directly between the client and the RADIUS server, passing through the switch. User information resides on the server. All authentication information and certificate exchanges pass straight through the switch, including any client certificates issued by a certificate authority (CA). In this case, the switch does not need a digital certificate, although the client might (for EAP-TLS).

Local: The switch performs all authentication using information in a local user database configured on the switch, or using a client-supplied certificate. No RADIUS servers are required. In this case, the switch needs a digital certificate. If you plan to use the EAP with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need certificates.

Offload: The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a digital certificate. If you plan to use the EAP-TLS authentication protocol, the clients also need certificates. When you use offload, RADIUS can still be used for non-EAP authentication and authorization.
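The pass-through and offload approaches above differ in what the switch puts on the wire toward the RADIUS server. The following Python is an added example (not code from the manual or from D-Link) that builds and checks both kinds of Access-Request: in pass-through the supplicant's EAP frame is forwarded untouched inside EAP-Message attributes and the packet is sealed with a Message-Authenticator (RFC 3579); under offload, where RADIUS is only used for non-EAP authentication, a plain credential is sent instead. The non-EAP request is shown as a PAP-style User-Password (RFC 2865 hiding), which is an assumption about the attribute format, since the page does not show which attributes the DWS-1008 sends. The shared secret, NAS address, identities, passwords and Request Authenticator values are constructed sample data.

```python
"""RADIUS Access-Request packets as a switch builds them in the pass-through
approach (EAP frame carried verbatim in EAP-Message attributes, sealed by
Message-Authenticator) and in the non-EAP request that RADIUS still serves
under the offload approach (User-Password hidden per RFC 2865). Added example,
standard library only; the secret, NAS address, identities, passwords and
Request Authenticators used with it are constructed sample data."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19          # RFC 2865 value for Wireless-802.11
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
SAMPLE_NAS_IP = bytes([10, 0, 0, 1])       # constructed NAS-IP-Address


def attr(code, value):
    """One attribute: Type(1) Length(1) Value, with Value at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long: split it across attributes")
    return struct.pack("!BB", code, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (RFC 3748): Code=2, Identifier, Length, Type=1, identity."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def radius_packet(identifier, request_auth, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_passthrough_request(identifier, request_auth, username, eap_frame, secret):
    """Pass-through: forward the EAP frame unchanged in 253-byte EAP-Message chunks and
    seal the packet with HMAC-MD5 (RFC 3579), computed with the Message-Authenticator
    value set to sixteen zero bytes."""
    attrs = [attr(ATTR_USER_NAME, username.encode()),
             attr(ATTR_NAS_IP_ADDRESS, SAMPLE_NAS_IP),
             attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))]
    attrs += [attr(ATTR_EAP_MESSAGE, eap_frame[i:i + 253]) for i in range(0, len(eap_frame), 253)]
    attrs.append(attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder: last 16 bytes
    packet = radius_packet(identifier, request_auth, attrs)
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the Request Authenticator."""
    padded = password + (bytes(-len(password) % 16) if password else bytes(16))
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_non_eap_request(identifier, request_auth, username, password, secret):
    """Non-EAP authentication as allowed under offload: the switch has finished EAP itself
    and sends a plain credential. PAP-style User-Password is an assumption (the page does not
    show the attributes the DWS-1008 uses). No EAP-Message attribute is carried."""
    attrs = [attr(ATTR_USER_NAME, username.encode()),
             attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
             attr(ATTR_NAS_IP_ADDRESS, SAMPLE_NAS_IP),
             attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))]
    return radius_packet(identifier, request_auth, attrs)


def parse_attributes(packet):
    """Return [(type, value), ...]; reject bad lengths instead of reading past the end."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet, secret):
    """The check a RADIUS server makes before trusting EAP-Message content (RFC 3579): zero the
    Message-Authenticator, recompute HMAC-MD5, compare in constant time. A malformed packet, a
    packet without the attribute, or a wrong value returns False and the request must be discarded."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    pos = 20
    for code, value in attrs:
        if code == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False
```

Two points the example makes concrete: in pass-through the switch never sees the user's secret (only an opaque EAP frame), so its only job is to forward the frames faithfully and protect them with Message-Authenticator, and any Access-Request carrying EAP-Message without a valid Message-Authenticator must be discarded by the server; in the non-EAP case the credential is only hidden under the shared secret, so the secret's strength and the path between switch and server are what protect it.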