3Com WX4400 Reference Manual page 250

250 C 7: C
HAPTER ONFIGURING
W P
IRELESS ARAMETERS
PEAP Offload—Protected EAP with Microsoft Challenge Handshake
Authentication Protocol Version 2 (MS-CHAP-V2). Select this protocol
for wireless clients.
Uses TLS for encryption and data integrity checking.
Provides MS-CHAP-V2 mutual authentication.
Only the server side of the connection needs a certificate.
Local EAP-TLS—EAP with TLS.
Provides mutual authentication, integrity-protected negotiation,
and key exchange.
Requires X.509 public key certificates on both sides of the
connection.
Provides encryption and integrity checking for the connection.
Cannot be used with RADIUS server authentication (requires user
information to be in the local database of the switch)
External RADIUS Server—No protocol is used by the WX. The
switch sends the authentication traffic to a RADIUS server for EAP
processing.
If you select PEAP, the EAP Sub-Protocol is MS-CHAPV2. For other
protocols, the EAP Sub-Protocol is None.
Other access types do not use EAP.
AAA Methods (RADIUS Server Groups and the Local User
Database) In addition to user globs or MAC address globs, access rules
specify AAA methods, which can be one or both of the following:
RADIUS server group—Named set of RADIUS servers.
LOCAL—Local user database of a switch.
You can select both a server group and LOCAL. The switch tries the
methods in the order they appear in the list, starting with the one at
the top.
If you specify a RADIUS server group as the first method and a user is
denied access by the RADIUS server, no authentication and authorization
are attempted with the other methods specified in the list.
If you specify LOCAL as the first method and a user is not in the local user
database on the WX, authentication and authorization are attempted
with a RADIUS server group if one is defined in the method list.