3Com 6.0.4.6 Video Game Controller User Manual


 
Points to Note When Using the WXR100, WX1200, WX4400, or WX2200
Windows 2000 with Service Pack 4
Cisco ACS 3.2 or later is required to support PEAP-MS-CHAP-V2
WPA
WPA compatibility testing was conducted with a variety of NICs. See “Wireless NICs” for complete details of the results. If you choose to use WPA to secure your wireless network, please note the following:
- CCMP (AES 802.11i draft support) is supported only when it is the only encryption type enabled on that SSID. Enabling TKIP or Dynamic WEP on the same SSID with CCMP can cause serious connectivity issues, as most clients do not properly support this configuration. 3Com recommends that you create a separate service profile and SSID for WPA/CCMP.
- Enabling TKIP and Dynamic WEP on the same SSID is not recommended. This configuration forces the group key (multicast/broadcast key) to use the lowest common encryption type, in this case Dynamic WEP. Additionally, compatibility with wireless NICs is reduced.
- Downloading the latest drivers for your wireless NIC is strongly recommended. See “802.1X Clients” for specific information on installing drivers for your operating system.
- When a session key is changed, Microsoft WPA clients can sometimes incorrectly start using the new key before the end of the four-way handshake that is used to establish the key information. This issue can occur when the session timeout for the client session expires. As a result, the MAP rejects the client’s re-association attempt because the key information presented by the client is invalid. If you experience this issue, clear the Session-Timeout attribute on the affected users.
- The WX switch does not periodically force reauthentication of WPA/TKIP and WPA/CCMP users as it does with Dynamic WEP users.
- Do not use the set service-profile shared-key-auth command in a WPA configuration. This command does not enable PSK authentication for WPA. To enable PSK for WPA, use the set service-profile auth-psk command.
- Use one WPA authentication method per SSID, either 802.1X authentication or preshared key (PSK) authentication, but not both.
Security — Best Practice When Mixing Encrypted Access and Clear Access
It is possible to configure a RADIUS server or a WX switch’s local authentication database so that a user with encrypted access and a user with unencrypted access are authorized to join the same VLAN from different SSIDs. This configuration might allow an attacker to discover keys more quickly by listening to both the encrypted and the unencrypted traffic and comparing them. To prevent this problem, use either the MSS SSID VSA or the encryption assignment VSA.

If there is only one VLAN that each MAC-auth client should connect to, add the SSID VSA to the account for the MAC address (either local or RADIUS). This forces the WX switch to allow that MAC address to connect only to the specified SSID.
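
The rules in the WPA notes and in the mixed-access best practice above can be checked mechanically before a change is deployed. The following is an added example, not 3Com code or MSS syntax: the inventory format, cipher names, rule names and sample SSIDs are all hypothetical and constructed for illustration, and it treats any SSID with CCMP or TKIP enabled as a WPA configuration.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical format): one entry per service
# profile/SSID, with the VLANs its users are authorized to join.
PROFILES = [
    {"ssid": "corp", "ciphers": {"ccmp", "tkip"}, "auth": {"dot1x"},
     "shared_key_auth": False, "vlans": {"blue"}},
    {"ssid": "legacy", "ciphers": {"tkip", "dynamic-wep"},
     "auth": {"dot1x", "psk"}, "shared_key_auth": True, "vlans": {"red"}},
    {"ssid": "guest", "ciphers": set(), "auth": set(),
     "shared_key_auth": False, "vlans": {"blue"}},
    {"ssid": "secure", "ciphers": {"ccmp"}, "auth": {"dot1x"},
     "shared_key_auth": False, "vlans": {"green"}},
]

def audit(profiles):
    """Return sorted (ssid, rule) findings for the rules in this section."""
    findings = set()
    vlan_users = defaultdict(lambda: {"enc": set(), "clear": set()})
    for p in profiles:
        ssid, ciphers = p["ssid"], p["ciphers"]
        wpa = bool(ciphers & {"ccmp", "tkip"})  # assumption: these imply WPA
        # CCMP must be the only encryption type on its SSID.
        if "ccmp" in ciphers and len(ciphers) > 1:
            findings.add((ssid, "ccmp-not-exclusive"))
        # TKIP plus Dynamic WEP drags the group key down to Dynamic WEP.
        if {"tkip", "dynamic-wep"} <= ciphers:
            findings.add((ssid, "tkip-with-dynamic-wep"))
        # One WPA authentication method per SSID: 802.1X or PSK, not both.
        if wpa and {"dot1x", "psk"} <= p["auth"]:
            findings.add((ssid, "dot1x-and-psk"))
        # shared-key-auth does not enable WPA PSK and should not be set.
        if wpa and p["shared_key_auth"]:
            findings.add((ssid, "shared-key-auth-in-wpa"))
        for vlan in p["vlans"]:
            vlan_users[vlan]["enc" if ciphers else "clear"].add(ssid)
    # Encrypted and clear SSIDs must not authorize users into the same VLAN.
    for vlan, users in vlan_users.items():
        if users["enc"] and users["clear"]:
            for ssid in users["enc"] | users["clear"]:
                findings.add((ssid, f"mixed-clear-encrypted-vlan:{vlan}"))
    return sorted(findings)

if __name__ == "__main__":
    for ssid, rule in audit(PROFILES):
        print(f"{ssid}: {rule}")
```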