DWS-1008 User’s Manual
D-Link Systems, Inc.
Conguring AAA for Network Users
PEAP-MS-CHAP-V2
(Protected EAP
with Microsoft
Challenge Handshake
Authentication Protocol
version 2)
The wireless client
authenticates the
server (either the
switch or a RADIUS
server) using TLS to
set up an encrypted
session. Mutual
authentication is
performed by
MS-CHAP-V2.
Wireless and wired
authentication:
The PEAP portion
is processed on the
switch.
The MS-CHAP-V2
portion is processed
on the RADIUS
server or locally,
depending on the
conguration.
Only the server
side of the
connection
requires a
certicate.
The client needs
only a username
and password.
Ways a DWS-1008 Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the switch, or to offload some authentication tasks from the server group. The table Three Basic Approaches to EAP Authentication describes these three approaches.
Three Basic Approaches to EAP Authentication

Pass-through
    An EAP session is established directly between the client and the RADIUS server, passing through the switch. User information resides on the server. All authentication information and certificate exchanges pass through the switch or use client certificates issued by a certificate authority (CA). In this case, the switch does not need a digital certificate, although the client might.

Local
    The switch performs all authentication using information in a local user database configured on the switch, or using a client-supplied certificate. No RADIUS servers are required. In this case, the switch needs a digital certificate. If you plan to use the EAP with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need certificates.

Offload
    The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a digital certificate. If you plan to use the EAP-TLS authentication protocol, the clients also need certificates. When you use offload, RADIUS can still be used for non-EAP authentication and authorization.