14 WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES
If you require the same MAC user to be able to connect to more than one SSID, you can use encryption assignment to enforce the type of encryption a user or group must have to access the network. When you assign the Encryption-Type attribute to a user or group, the encryption type or types are entered as an authorization attribute into the user or group record in the local WX switch database or on the RADIUS server. Encryption-Type is an MSS VSA. Clients who attempt to use an unauthorized encryption method are rejected. In this way, a client could connect to any WEP encrypted SSID, but not a clear SSID. (See the Wireless LAN Switch and Controller Configuration Guide for more information.)
Security Best Practices
MSS and 3WXM provide robust options for securing management access to WX switches and to the 3WXM client and 3WXM monitoring service. To optimize security for management access, use the following best practices.
Certificates
When anyone attempts to access a WX switch, the switch authenticates itself by presenting a signed certificate to the management application that is requesting access. The switch’s certificate can come from a certificate authority (CA) or it can be generated and signed by the switch itself.
3Com recommends that you use certificates assigned
by a CA. Certificates from a trusted CA are more
secure than self-signed certificates. Here are some
trusted CAs:
http://www.verisign.com
http://www.entrust.com
http://www.microsoft.com
If you use a self-signed certificate, configure the clients to not validate server certificates. If a client is configured to validate server certificates, the client will not be able to validate a self-signed certificate from the WX switch.
Usernames
3Com recommends that you do not create usernames
that have the same spelling but use different case. For
example, do not create both username dang and
username DANG.
Passwords
The CLI, as well as 3WXM, can be secured using passwords. By default, the following access types do not have passwords configured. Each uses a separate password.
■ Console access to the CLI. To secure console access, configure a username and password in the WX switch’s local database, using the set user command. After you configure at least one username and password and an access rule to permit them, access to the CLI through the console requires a password. (Access through Telnet or SSH is not possible without a password, even on an unconfigured switch.)
■ Access to the enable (configuration) level of the
CLI, through the console, or through Telnet or SSH.
To secure enable access, configure the enable
password using the set enablepass command.
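
As an added example (not from the release notes or from 3Com), the following Python script audits a saved configuration for the username and password practices above: usernames that differ only in case, no local user defined, and no enable password set. The sample lines are constructed, and the argument layout after `set user` and `set enablepass` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of saved-configuration lines (not from a real switch).
# Assumption: the username is the first argument after "set user".
SAMPLE_CONFIG = """\
set user dang password encrypted 0a1b2c3d
set user DANG password encrypted 4e5f6a7b
set user admin password encrypted 8c9d0e1f
set system name wx-lab
"""

USER_RE = re.compile(r"^\s*set\s+user\s+(\S+)", re.IGNORECASE)
ENABLE_RE = re.compile(r"^\s*set\s+enablepass\b", re.IGNORECASE)


def audit_config(text):
    """Return (code, detail) findings for the management-access practices."""
    spellings = defaultdict(set)  # case-folded username -> spellings seen
    enable_set = False
    for line in text.splitlines():
        match = USER_RE.match(line)
        if match:
            name = match.group(1)
            spellings[name.casefold()].add(name)
        elif ENABLE_RE.match(line):
            enable_set = True

    findings = []
    # Usernames with the same spelling but different case.
    for names in spellings.values():
        if len(names) > 1:
            findings.append(("case-collision", sorted(names)))
    # No local user at all: console access to the CLI has no password.
    # (The access rule that permits the user is not checked here.)
    if not spellings:
        findings.append(("no-console-user", []))
    # No enable password: the enable (configuration) level is unprotected.
    if not enable_set:
        findings.append(("no-enablepass", []))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(code, detail)
```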