Filter
Top Products
4 WIRELESS LAN SWITCH AND CONTROLLER MSS VERSION 6.0.4.6 RELEASE NOTES
Client and AAA Best Practices
Follow these best-practice recommendations during
configuration and implementation to avoid or solve
issues you might experience.
Get Clients and AAA Working First
The greatest majority of installation issues are related
to clients and AAA server (authentication, authoriza-
tion, and accounting) operation. 3Com recommends
first establishing a baseline of proper operation with a
sampling of wireless clients and the AAA server you
plan to use. Working out client and AAA configura-
tion methods first provides valuable information as
you scale the deployment.
The selection of client and AAA server software will
depend heavily on the requirements of your deploy-
ment. First, decide which EAP Protocol you will be using
as that will restrict the available clients and servers. Each
protocol has different advantages and disadvantages,
which you will need to consider in your deployment. For
most enterprise deployments, 3Com recommends using
PEAP-MS-CHAP-V2 as the 802.1X protocol. The follow-
ing table compares the EAP protocols.
Although LEAP uses the same ethertype as 802.1X
(0x888e), the LEAP protocol is proprietary and does
not conform to the IEEE 802.1X standard. Addition-
ally, the LEAP protocol has serious security flaws. For
example, LEAP-authenticated networks can be
breached using a simple dictionary attack.
When testing and evaluating MSS, enterprises using
primarily Microsoft platforms are recommended to use
Windows XP clients running PEAP-MS-CHAP-V2 with a
Windows 2000 or 2003 server running Internet
Authentication Service (IAS) as the RADIUS back end.
This provides a test environment that is quick to set up
and does not require additional third-party software.
Protocol Advantages Disadvantages
PEAP-MS-CHAP-V2
■ Does not require
client certificates
■ Compatible with
MSS EAP offload
■ Native support in
Microsoft Windows
XP and 2000
■ Broad support in
802.1X clients
■ Username/pass-
word-based access
might not be as
strong as certifi-
cate-based access
EAP-TTLS
■ Does not require
client certificates
■ Broadest compatibil-
ity with user directo-
ries
■ Requires third-party
802.1X client software
■ Username/pass-
word-based access
might not be as
strong as certifi-
cate-based access
EAP-TLS
■ Strongest authenti-
cation using X.509
certificates.
■ Native support in
Windows XP and
2000
■ Broad support in all
802.1X clients
■ Client-side certifi-
cates require full PKI
infrastructure and
management over-
head
PEAP-TLS
■ Strongest authenti-
cation using X.509
certificates.
■ Native support in Win-
dows XP and 2000
■ Broad support in all
802.1X clients
■ Client-side certifi-
cates require full PKI
infrastructure and
management over-
head
■ Minimal advantage
over EAP-TLS
Protocol Advantages Disadvantages