322
C
8: C
HAPTER
ONFIGURING
A
, A
UTHENTICATION
UTHORIZATION
For EAP with Transport Layer Security (EAP-TLS) clients, the format is
username@domain_name. For example, sydney@example.com specifies
the user sydney in the domain name example.com. The
*@marketing.example.com glob specifies all users in the marketing
department at example.com. The user glob
sydney@engineering.example.com specifies the user sydney in the
engineering department at example.com.
4 Click Next.
5 Select the EAP type from the EAP Type drop-down list:
EAP-MD5—Extensible Authentication Protocol (EAP) with
message-digest algorithm 5. Select this protocol for wired
authentication clients.
Uses challenge-response to compare hashes.
Provides no encryption or integrity checking for the connection.
The EAP-MD5 option does not work with Microsoft wired authentication
clients.
PEAP—Protected EAP with Microsoft Challenge Handshake
Authentication Protocol Version 2 (MS-CHAP-V2). Select this protocol
for wireless clients.
Uses TLS for encryption and data integrity checking.
Provides MS-CHAP-V2 mutual authentication.
Only the server side of the connection needs a certificate.
Local EAP-TLS—EAP with TLS.
Provides mutual authentication, integrity-protected negotiation,
and key exchange.
Requires X.509 public key certificates on both sides of the
connection.
Provides encryption and integrity checking for the connection.
Cannot be used with RADIUS server authentication (requires user
information to be in the local database of the switch)
Pass-Through—No protocol is used by the WX. 3Com Mobility
System Software (MSS) sends the EAP processing to a RADIUS server.
If you select PEAP, the EAP Sub-Protocol is MS-CHAPV2. For other
protocols, there is no the EAP Sub-Protocol to select.
6 Click Next.
,
A
P
AND
CCOUNTING
ARAMETERS