802.1X authentication procedures

802.1X authentication has two approaches: EAP relay and EAP termination. You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods.

• EAP relay mode

EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to send authentication information to the RADIUS server, as shown in Figure 24.

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to execute the dot1x authentication-method eap command to enable EAP relay.

• EAP termination mode

  In EAP termination mode, the network access device terminates the EAP packets received from the client, encapsulates the client authentication information in standard RADIUS packets, and uses (Password Authentication Protocol) PAP or (Password Authentication Protocol) CHAP to authenticate to the RADIUS server, as shown in Figure 25.