3Com 6.0.4.6 User Manual
Wireless LAN Switch and Controller MSS Version 6.0.4.6 Release Notes
Client and AAA Best Practices
Follow these best-practice recommendations during configuration and implementation to avoid or solve issues you might experience.
Get Clients and AAA Working First
The great majority of installation issues are related to the operation of clients and the AAA (authentication, authorization, and accounting) server. 3Com recommends first establishing a baseline of proper operation with a sampling of wireless clients and the AAA server you plan to use. Working out client and AAA configuration methods first provides valuable information as you scale the deployment.
The selection of client and AAA server software depends heavily on the requirements of your deployment. First, decide which EAP protocol you will use, because that choice restricts the available clients and servers. Each protocol has different advantages and disadvantages, which you will need to consider in your deployment. For most enterprise deployments, 3Com recommends using PEAP-MS-CHAP-V2 as the 802.1X protocol. The following table compares the EAP protocols.
Although LEAP uses the same ethertype as 802.1X (0x888e), the LEAP protocol is proprietary and does not conform to the IEEE 802.1X standard. Additionally, the LEAP protocol has serious security flaws. For example, LEAP-authenticated networks can be breached using a simple dictionary attack.
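Because LEAP shares ethertype 0x888e with standard 802.1X, an ethertype filter alone cannot show whether any client still authenticates with LEAP; the EAP method type inside the frame can. The following is an added example, not part of the 3Com release notes: it parses EAPOL frames and lists the stations that answered with a LEAP response. The EAP type numbers are taken from the IANA EAP registry, and the function names and sample frames are constructed for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # shared by standard 802.1X and LEAP
EAPOL_EAP_PACKET = 0       # EAPOL packet type that carries an EAP packet
EAP_REQUEST, EAP_RESPONSE = 1, 2
# EAP method numbers from the IANA EAP registry
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP"}


def parse_eapol(frame: bytes):
    """Return (src_mac, eap_code, method) for an untagged Ethernet frame
    carrying an EAP Request or Response, otherwise None."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _ver, pkt_type, body_len = struct.unpack_from("!BBH", frame, 14)
    body = frame[18:18 + body_len]
    if pkt_type != EAPOL_EAP_PACKET or len(body) < 5:
        return None  # Start/Logoff/Key, EAP Success/Failure, or truncated
    code, _ident, _length, eap_type = struct.unpack_from("!BBHB", body)
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        return None
    return frame[6:12].hex(":"), code, EAP_TYPES.get(eap_type, f"type-{eap_type}")


def leap_supplicants(frames):
    """Sorted MACs of stations that sent a LEAP (type 17) Response."""
    parsed = filter(None, map(parse_eapol, frames))
    return sorted({mac for mac, code, method in parsed
                   if code == EAP_RESPONSE and method == "LEAP"})


def build_frame(src_hex, code, eap_type, data=b""):
    """Build a constructed test frame (not captured traffic)."""
    eap = struct.pack("!BBHB", code, 1, 5 + len(data), eap_type) + data
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    header = bytes.fromhex("0180c2000003" + src_hex) + struct.pack("!H", ETHERTYPE_EAPOL)
    return header + eapol


SAMPLE = [  # constructed frames
    build_frame("020000000001", EAP_RESPONSE, 25),          # PEAP client
    build_frame("020000000002", EAP_RESPONSE, 17),          # LEAP client
    build_frame("020000000003", EAP_RESPONSE, 3, b"\x19"),  # Nak, wants PEAP
    build_frame("0200000000aa", EAP_REQUEST, 17),           # LEAP offered
]
```

Only responses are counted: a LEAP request shows that an authenticator offers the method, while a client that answers with a Nak has declined it.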
When testing and evaluating MSS, enterprises that primarily use Microsoft platforms are advised to use Windows XP clients running PEAP-MS-CHAP-V2 with a Windows 2000 or 2003 server running Internet Authentication Service (IAS) as the RADIUS back end. This provides a test environment that is quick to set up and does not require additional third-party software.
| Protocol | Advantages | Disadvantages |
|---|---|---|
| PEAP-MS-CHAP-V2 | ■ Does not require client certificates ■ Compatible with MSS EAP offload ■ Native support in Microsoft Windows XP and 2000 ■ Broad support in 802.1X clients | ■ Username/password-based access might not be as strong as certificate-based access |
| EAP-TTLS | ■ Does not require client certificates ■ Broadest compatibility with user directories | ■ Requires third-party 802.1X client software ■ Username/password-based access might not be as strong as certificate-based access |
| EAP-TLS | ■ Strongest authentication using X.509 certificates ■ Native support in Windows XP and 2000 ■ Broad support in all 802.1X clients | ■ Client-side certificates require full PKI infrastructure and management overhead |
| PEAP-TLS | ■ Strongest authentication using X.509 certificates ■ Native support in Windows XP and 2000 ■ Broad support in all 802.1X clients | ■ Client-side certificates require full PKI infrastructure and management overhead ■ Minimal advantage over EAP-TLS |