Administrator Guide

Additional information on EAP types supported in a Windows environment for Microsoft supplicants and the
authentication server is available at http://technet.microsoft.com/en-us/library/cc782851(WS.10).aspx.
Authentication Terminated on the Mobility Access Switch
User authentication is performed either via the Mobility Access Switch’s internal database or a non-802.1x
server.
Figure 147 802.1x Authentication with Termination on the Mobility Access Switch
In this scenario, the supplicant is configured for EAP-Protected EAP (PEAP) or EAP-Transport Layer Security
(TLS).
EAP-PEAP
EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following "inner EAP" methods
is used:
• EAP-Generic Token Card (GTC)
Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords
from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of
an LDAP or RADIUS server as the user authentication server.
You can also enable caching of user credentials on the Mobility Access Switch as a backup to an external
authentication server.
• EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be
used as the backend authentication server.
EAP-TLS
EAP-TLS is used with smart-card user authentication. A smart card holds a digital certificate which, with the
user-entered personal identification number (PIN), allows the user to be authenticated on the network.
EAP-TLS relies on digital certificates to verify the identities of both the client and server.
EAP-TLS requires that you import server and certification authority (CA) certificates onto the Mobility Access
Switch. The client certificate is verified on the Mobility Access Switch (the client certificate must be signed by a
known CA) before the user name is checked on the authentication server.
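
A pre-deployment check for the EAP-TLS requirement above, as an added example that is not part of the original guide: it uses the standard openssl command on an administrator workstation (not the switch CLI) to confirm that a client certificate chains to the CA you intend to import. The CA names, user names and temporary files are constructed for the example.

```shell
#!/bin/sh
# Constructed lab PKI: every CA name, user name and file here is made up.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # throw-away private keys are removed on exit

# make_ca <name>: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client <ca-name> <user>: sign a client certificate with that CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to <ca-name> <user>: exit status 0 only if openssl can verify the
# client certificate with the named CA certificate as the trust anchor file.
chains_to() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca lab-ca                 # stands in for the CA imported onto the switch
make_ca other-ca               # a CA that was never imported
issue_client lab-ca user1      # certificate signed by the known CA
issue_client other-ca user2    # certificate signed by the unknown CA

for u in user1 user2; do
    if chains_to lab-ca "$u"; then
        echo "$u: signed by lab-ca, would pass the certificate check"
    else
        echo "$u: not signed by lab-ca, would be rejected before any user lookup"
    fi
done
```

With real files, the same `openssl verify -CAfile <ca.pem> <client.pem>` call tells you whether a client certificate will chain to the CA certificate you are about to import.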
Internal Database Configuration Task
If you are using the Mobility Access Switch’s internal database for user authentication, you need to add the
names and passwords of the users to be authenticated.
Dell Networking W-ClearPass Deployment Guide Mobility Access Switch Configuration for 802.1X Authentication | 167