dot1x authentication-method
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
View
System view
Default level
2: System level
Parameters
chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.
Description
Use dot1x authentication-method to specify an EAP message handling method.
Use undo dot1x authentication-method to restore the default.
By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
The network access device terminates or relays EAP packets:
In EAP termination mode, the access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by an iNode client.
PAP transports usernames and passwords in clear text. The authentication method applies to scenarios that do not require high security. To use PAP, the client must be an HPE iNode 802.1X client.
CHAP transports username in plaintext and encrypted password over the network. It is more secure than PAP.
In EAP relay mode, the access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TL, and PEAP. To use this mode, you must make sure that the RADIUS server supports the EAP-Message and Message-Authenticator attributes, and uses the same EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands."
Local authentication supports PAP and CHAP.
If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Related commands: display dot1x.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
<Sysname> system-view [Sysname] dot1x authentication-method pap