AAA Tools for Network Users
17-12 Configuring AAA for Network Users
Ways a RoamAbout Switch Can Use EAP
Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a RoamAbout switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the RoamAbout switch, or to offload some authentication tasks from the server group. Table 17-2 details these three basic RoamAbout switch authentication approaches.

(For information about digital certificates, see Chapter 16, Managing Keys and Certificates.)

Table 17-2 Three Basic RoamAbout switch Approaches to EAP Authentication

| Approach | Description |
|---|---|
| Pass-through | An EAP session is established directly between the client and RADIUS server, passing through the RoamAbout switch. User information resides on the server. All authentication information and certificate exchanges pass through the switch or use client certificates issued by a certificate authority (CA). In this case, the switch does not need a digital certificate, although the client might. |
| Local | The RoamAbout switch performs all authentication using information in a local user database configured on the switch, or using a client-supplied certificate. No RADIUS servers are required. In this case, the switch needs a digital certificate. If you plan to use the EAP with Transport Layer Security (EAP-TLS) authentication protocol, the clients also need certificates. |
| Offload | The RoamAbout switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a digital certificate. When you use offload, RADIUS can still be used for non-EAP authentication and authorization. |

Effects of Authentication Type on Encryption Method

Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:
• Wi-Fi Protected Access (WPA) encryption
• Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption
• Non-WPA static WEP encryption

(For encryption details, see Chapter 10, Configuring User Encryption.)

The authentication method you assign to a user determines the encryption available to the user. Users configured for EAP authentication, MAC authentication, Web, or last-resort authentication can have their traffic encrypted as follows:

| EAP Authentication | MAC Authentication | Last-Resort Authentication | WebAAA |
|---|---|---|---|
| WPA encryption | Static WEP | Static WEP | Static WEP |
| Dynamic WEP encryption | No encryption (if SSID is unencrypted) | No encryption (if SSID is unencrypted) | No encryption (if SSID is unencrypted) |