3Com OfficeConnect WX1200 Release Note - page 25
Known Problems
25
CLI allows set authentication dot1x command
with invalid combination of pass-through and
local options. (15562)
The CLI allows you to enter a command such as the
following:
set authentication dot1x ssid any * pass-through
local
The pass-through and local AAA methods are mutu-
ally exclusive. Even if a server group named local
exists, MSS does not use the group. In either case, the
EAP session fails and the 802.11 session is deauthen-
ticated when the client responds to the first identity
request.
Do not name a server group local and do not attempt
to mix mutually exclusive authentication methods in
the same command.
Authentication method none is invalid for
network access rules, but is accepted by the CLI.
(18147, 18157)
AAA rules for administrative access, configured by set
authentication commands, allow you to specify
none as the authentication method, as an alternative
to a RADIUS server group or local. When used for
administrative access, the method none immediately
allows access to the WX administrator. The value
none is not a valid authentication method for net-
work access rules. However, the commands that con-
figure MAC, Web, and last-resort network access
rules accept the value. This is an invalid configuration
and can provide unexpected results. The command
for configuring 802.1X AAA rules does not allow
none to be specified.
Similarly, none is invalid for any set accounting com-
mand, but is accepted by the CLI.
Do not specify none as an authentication method
with set authentication mac, set authentication
web, or set authentication last-resort commands,
or with any set accounting command.
The authentication method none you can specify for
administrative access is different from the fallthru
authentication type none, which applies only to net-
work access. The authentication method none allows
access to the WX switch by an administrator. The
fallthru authentication type none denies access to a
network user.
A set authentication mac mac-addr-glob rule
does not restrict input. (13907)
The set authentication mac mac-addr-glob com-
mand should accept only a properly formatted MAC
address or a MAC address glob, which can use an
asterisk (*) as a prefix or suffix to the MAC address.
However, the command actually accepts any string.
Provide only properly formatted MAC addresses or
MAC address globs. For more information, see the
Wireless LAN Switch and Controller Command Refer-
ence.