
dot1x authentication-method

Function

The dot1x authentication-method command sets the authentication mode for 802.1X users.

The undo dot1x authentication-method command restores the default authentication mode for 802.1X users.

By default, the global 802.1X user authentication mode is CHAP authentication and the 802.1X user authentication mode on interfaces is the same as the mode globally configured.

Format

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

Parameters

Parameter | Description | Value
chap | Indicates the CHAP-based EAP termination authentication mode. | -
pap | Indicates the PAP-based EAP termination authentication mode. | -
eap | Indicates the EAP relay authentication mode. | -

Views

System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, users exchange authentication information with the device using EAP packets. The device uses one of two modes to exchange this authentication information with the RADIUS server.
  • EAP termination (specified by chap or pap): The device parses the EAP packets itself, encapsulates the user authentication information into a RADIUS packet, and sends the RADIUS packet to the RADIUS server for authentication. In EAP termination mode, the device and the RADIUS server exchange information using PAP or CHAP.

    • PAP is a two-way handshake authentication protocol. It transmits passwords in plain text format in RADIUS packets. It is not recommended because of its low security.
    • CHAP is a three-way handshake authentication protocol. It transmits only user names, not passwords, in RADIUS packets. CHAP is more secure and reliable than PAP. If high security is required, CHAP is recommended.

    After the device parses the EAP packets, the user information they carry is authenticated by the local AAA module or sent to the RADIUS or HWTACACS server for authentication.

  • EAP relay (specified by eap): The device encapsulates the EAP packets into RADIUS packets and sends the RADIUS packets to the RADIUS server; it does not parse the received EAP packets that carry the user authentication information. This mechanism is called EAP over RADIUS (EAPOR).

The EAP relay mechanism requires the RADIUS server to parse a large number of EAP packets and carry out the authentication itself; EAP relay is therefore used when the RADIUS server has sufficient processing capability. If the RADIUS server cannot parse a large number of EAP packets and carry out the authentication, EAP termination is recommended, so that the device parses the EAP packets on behalf of the RADIUS server.
  • The authentication mode for 802.1X users can be set to EAP relay only when RADIUS authentication is used.

  • If the 802.1X client uses the MD5 (EAP-MD5) authentication mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device must be set to EAP.
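The following added illustration (not Huawei code) models the RADIUS attributes the device emits toward the server in each of the three modes: CHAP termination sends only a challenge digest, PAP termination sends the password hidden with a reversible shared-secret XOR stream (RFC 2865 section 5.2), and EAP relay forwards the EAP packet unparsed in EAP-Message attributes. All user names, passwords, secrets, challenges and EAP payloads are constructed sample values.

```python
"""Model of the RADIUS attributes a switch emits for the three
dot1x authentication-method settings (added illustration, not Huawei code).
All sample values used with these functions are constructed."""
import hashlib
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
CHAP_CHALLENGE, EAP_MESSAGE = 60, 79


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type-Length-Value (length covers the header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def chap_attrs(user: str, password: str, chap_id: int, challenge: bytes) -> bytes:
    """EAP termination, CHAP: the switch hashes the password with the challenge
    and sends only the 16-byte digest; the password itself never leaves the switch."""
    digest = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
    return (attr(USER_NAME, user.encode())
            + attr(CHAP_PASSWORD, bytes([chap_id]) + digest)
            + attr(CHAP_CHALLENGE, challenge))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """EAP termination, PAP: RFC 2865 5.2 User-Password hiding. The password is
    XORed with MD5(secret + previous block), so anyone who holds or guesses the
    shared secret recovers it; this is why PAP is the weak option."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of pap_hide: shows the password is obfuscated, not protected."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # RFC 2865 pads with NULs; receiver strips them


def eap_relay_attrs(user: str, eap_packet: bytes) -> bytes:
    """EAP relay: the switch does not parse the EAP payload; it wraps it unchanged
    in one or more EAP-Message attributes (253-byte chunks) for the RADIUS server."""
    chunks = [eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253)]
    return attr(USER_NAME, user.encode()) + b"".join(attr(EAP_MESSAGE, c) for c in chunks)
```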

Example

# Set the authentication mode to EAP for 802.1X users in the device in the system view.

<HUAWEI> system-view
[HUAWEI] dot1x authentication-method eap

# Set the authentication mode to EAP for 802.1X users on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dot1x authentication-method eap
Copyright © Huawei Technologies Co., Ltd.