Enabling EAP relay or EAP termination
About EAP mode selection
Consider the following factors to select a proper EAP mode:
Support of the RADIUS server for EAP packets.
Authentication methods supported by the 802.1X client and the RADIUS server.
Restrictions and guidelines
If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. For more information about the user-name-format command, see Security Command Reference.
You can use either EAP termination or EAP relay in any of the following situations:
The client is using only MD5-Challenge EAP authentication. If EAP termination is used, you must enable CHAP authentication on the access device.
The client is an iNode 802.1X client and initiates only the username and password EAP authentication. If EAP termination is used, you can enable either PAP or CHAP authentication on the access device. However, for security purposes, you must use CHAP authentication on the access device.
To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP termination" for help.
Procedure
Enter system view.
system-view
Configure EAP relay or EAP termination.
dot1x authentication-method { chap | eap | pap }
By default, the access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
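The following check is an added example, not part of the original document or any vendor tooling. It audits a saved configuration against the guidelines above: the CHAP default, the preference for CHAP over PAP, the EAP relay requirement for methods such as EAP-TLS and PEAP, and the user-name-format command that is ignored in EAP relay mode. The sample configuration and the client-method labels are constructed for illustration.

```python
import re

# Constructed sample of a saved device configuration (not from the original page).
SAMPLE_CONFIG = """\
#
 dot1x
 dot1x authentication-method pap
#
radius scheme corp
 user-name-format without-domain
#
"""

DEFAULT_METHOD = "chap"  # per the page: EAP termination with CHAP by default
# Client method labels are this example's own convention (assumption).
TERMINABLE = {"md5-challenge", "inode-password"}


def effective_method(config):
    """Return the dot1x authentication method in effect for this config."""
    found = re.findall(r"^\s*dot1x authentication-method (chap|eap|pap)\s*$",
                       config, flags=re.MULTILINE)
    return found[-1] if found else DEFAULT_METHOD


def audit(config, client_methods):
    """List guideline violations for the EAP methods the clients use."""
    method = effective_method(config)
    findings = []
    if method == "pap":
        findings.append("EAP termination with PAP: use CHAP for security")
    if method == "pap" and "md5-challenge" in client_methods:
        findings.append("MD5-Challenge clients need CHAP when terminating EAP")
    if method != "eap" and set(client_methods) - TERMINABLE:
        # EAP-TLS, PEAP and any other EAP method cannot be terminated.
        findings.append("clients use methods that require EAP relay (eap)")
    if method == "eap" and re.search(r"^\s*user-name-format\s", config,
                                     flags=re.MULTILINE):
        findings.append("user-name-format has no effect in EAP relay mode")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"md5-challenge"}):
        print(finding)
```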