Specifications

AAA Tools for Network Users
RoamAbout Mobility System Software Configuration Guide 17-11
IEEE 802.1X Extensible Authentication Protocol Types
Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports
multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of
Electrical and Electronics Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying
authentication messages in a standard message exchange between a user (client) and an
authenticator.

Table 17-1 on page 17-11 summarizes the EAP protocols (also called types or methods) supported
by MSS.

Notes:
If one of the RADIUS servers in the group responds, and indicates that the user does not exist on
the RADIUS server, or that the user is not permitted on the network, then authentication for the
user fails, regardless of any additional methods. If all the RADIUS servers in the server group do
not respond, then the RoamAbout Switch attempts to authenticate using the next method in the
list.
Also note that if the primary authentication method is local and the secondary method is RADIUS,
and the user does not exist in the local database, then the RoamAbout Switch attempts to
authenticate using RADIUS. See “Local Override Exception” on page 17-9.
Using pass-through authentication as the primary authentication method and the local database
as the secondary authentication method is not supported.
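
The fall-through rules in these notes can be modelled in a few lines. This is an added illustration, not code from the guide or from MSS; the function names, the `radius:`/`pass-through:` method labels, and the sample users and groups are hypothetical, and treating a wrong local password as a final failure is an assumption.

```python
# Added illustration: a model of the method-list rules in the notes above.
# All names and the sample data are hypothetical, not MSS syntax.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"
LOCAL = "local"

def validate(methods):
    """Refuse the one ordering the notes call unsupported."""
    if len(methods) > 1 and methods[0].startswith("pass-through:") and methods[1] == LOCAL:
        raise ValueError("pass-through primary with local secondary is not supported")

def ask_group(servers, user, password):
    """The first server that answers decides; None models an unreachable server."""
    for users in servers:
        if users is None:
            continue                      # timed out, try the next server in the group
        # Unknown user and wrong password both come back as a reject.
        return ACCEPT if users.get(user) == password else REJECT
    return NO_RESPONSE                    # no server in the group answered

def authenticate(methods, groups, local_db, user, password):
    """Walk the method list; return (result, method that decided)."""
    validate(methods)
    for i, method in enumerate(methods):
        if method == LOCAL:
            if user in local_db:
                # Assumption: a wrong local password is a final failure.
                return (ACCEPT if local_db[user] == password else REJECT), method
            if i == 0 and len(methods) > 1:
                continue                  # local is primary and user is absent: try RADIUS
            return REJECT, method
        group = method.split(":", 1)[1]
        result = ask_group(groups[group], user, password)
        if result != NO_RESPONSE:
            return result, method         # any answer is final, even a reject
    return REJECT, None                   # no method produced an answer

# Constructed sample data: "sg1" has one dead and one live server, "down" is all dead.
GROUPS = {"sg1": [None, {"alice": "pw-a"}], "down": [None, None]}
LOCAL_DB = {"bob": "pw-b"}

if __name__ == "__main__":
    # bob exists locally, but sg1 answered "unknown user", so local is never tried.
    print(authenticate(["radius:sg1", "local"], GROUPS, LOCAL_DB, "bob", "pw-b"))
    # The whole group is silent, so the switch moves on to the local database.
    print(authenticate(["radius:down", "local"], GROUPS, LOCAL_DB, "bob", "pw-b"))
```

The first call is the case to watch when ordering methods: a reachable RADIUS server that does not know the user ends authentication, so a local account listed after it is not a fallback for that user.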

Table 17-1 EAP Authentication Protocols for Local Processing

| EAP Type | Description | Use | Considerations |
|---|---|---|---|
| EAP-MD5 (EAP with Message Digest Algorithm 5) | Authentication algorithm that uses a challenge-response mechanism to compare hashes | Wired authentication only [1] | This protocol provides no encryption or key establishment. |
| EAP-TLS (EAP with Transport Layer Security) | Protocol that provides mutual authentication, integrity-protected encryption algorithm negotiation, and key exchange. EAP-TLS provides encryption and data integrity checking for the connection. | Wireless and wired authentication. All authentication is processed on the RoamAbout Switch. | This protocol requires X.509 public key certificates on both sides of the connection. Requires use of local database. Not supported for RADIUS. |
| PEAP-MS-CHAP-V2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2) | The wireless client authenticates the server (either the RoamAbout Switch or a RADIUS server) using TLS to set up an encrypted session. Mutual authentication is performed by MS-CHAP-V2. | Wireless and wired authentication: The PEAP portion is processed on the RoamAbout Switch. The MS-CHAP-V2 portion is processed on the RADIUS server or locally, depending on the configuration. | Only the server side of the connection requires a certificate. The client needs only a username and password. |

[1] EAP-MD5 does not work with Microsoft wired authentication clients.