dot1x authentication-method

Function

The dot1x authentication-method command configures an 802.1X authentication mode.

The undo dot1x authentication-method command restores the default configuration.

The default 802.1X authentication mode is eap, which indicates Extensible Authentication Protocol (EAP) relay authentication.

Format

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

Parameters

| Parameter | Description | Value |
|-----------|-------------|-------|
| chap | Specifies EAP termination authentication using the Challenge Handshake Authentication Protocol (CHAP). | - |
| pap | Specifies EAP termination authentication using the Password Authentication Protocol (PAP). | - |
| eap | Specifies Extensible Authentication Protocol (EAP) relay authentication. | - |

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, users exchange authentication information with the device using EAP packets. The device uses two modes to exchange authentication information with the RADIUS server.
  • EAP termination: The device directly parses EAP packets, encapsulates user authentication information into a RADIUS packet, and sends the packet to the RADIUS server for authentication. EAP termination is classified into PAP or CHAP authentication.

    • PAP is a two-way handshake authentication protocol. It transmits passwords in plain text format in RADIUS packets.
    • CHAP is a three-way handshake authentication protocol. It transmits only user names but not passwords in RADIUS packets. CHAP is more secure and reliable than PAP. If higher security is required, CHAP is recommended.
  • EAP relay (specified by eap): The device does not parse the EAP packets it receives. It encapsulates them into RADIUS packets and sends the RADIUS packets to the RADIUS server. This mechanism is called EAP over RADIUS (EAPoR).

The processing capability of the RADIUS server determines whether EAP termination or EAP relay is used. If the RADIUS server has high processing capability and can parse a large number of EAP packets before authentication, EAP relay mode is recommended. If the RADIUS server's processing capability is not sufficient to parse a large number of EAP packets and complete authentication, EAP termination mode is recommended, and the device parses EAP packets for the RADIUS server.

When configuring the authentication packet processing method, ensure that both the client and the server support it; otherwise, users cannot pass authentication.
  • The EAP relay can be configured for 802.1X users only when RADIUS authentication is used.

  • If AAA local authentication is used, the authentication mode for 802.1X users can only be set to EAP termination.

  • Because mobile phones do not support EAP termination mode (PAP and CHAP), the 802.1X authentication + local authentication mode cannot be configured for mobile phones. Terminals such as laptop computers support EAP termination mode only after having third-party clients installed.

  • If the 802.1X client uses the MD5 encryption mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device can be set to EAP.

  • In a wireless access scenario, if WPA or WPA2 authentication mode is configured in the security policy profile, 802.1X authentication does not support pre-authentication domain-based authorization.
  • If an interface has online 802.1X users and the authentication mode is changed between EAP termination and EAP relay in the 802.1X access profile bound to the interface, the online 802.1X users will be logged out. If the authentication mode is changed between CHAP and PAP in EAP termination mode, the online 802.1X users will not be logged out.

Example

# In the 802.1X access profile d1, configure the device to use PAP authentication for 802.1X users.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x authentication-method pap
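
The following audit sketch is an added example, not Huawei code: it reads a command script, works out the effective 802.1X authentication mode of each access profile (applying the eap default and undo as described above), and reports profiles left on PAP. The sample script, the indentation-based layout, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample command script (assumed layout: profile header at
# column 0, commands entered in that profile's view indented beneath it).
SAMPLE_CONFIG = """\
dot1x-access-profile name d1
 dot1x authentication-method pap
#
dot1x-access-profile name d2
 dot1x authentication-method chap
#
dot1x-access-profile name d3
#
dot1x-access-profile name d4
 dot1x authentication-method pap
 undo dot1x authentication-method
"""

DEFAULT_METHOD = "eap"  # default given on this page: EAP relay
PROFILE_RE = re.compile(r"^dot1x-access-profile name (\S+)\s*$")
METHOD_RE = re.compile(
    r"^\s+(undo\s+)?dot1x authentication-method(?:\s+(chap|pap|eap))?\s*$")

def effective_methods(config_text):
    """Return {profile: mode}, applying commands in order within each profile."""
    methods, current = {}, None
    for line in config_text.splitlines():
        header = PROFILE_RE.match(line)
        if header:
            current = header.group(1)
            methods.setdefault(current, DEFAULT_METHOD)
        elif line and not line[0].isspace():
            current = None  # any other top-level line leaves the profile view
        elif current:
            m = METHOD_RE.match(line)
            if m and m.group(1):    # undo restores the default mode
                methods[current] = DEFAULT_METHOD
            elif m and m.group(2):  # explicit chap | pap | eap
                methods[current] = m.group(2)
    return methods

def audit(config_text):
    """Return (profile, advice) for every profile whose effective mode is pap."""
    advice = ("chap keeps online users logged in; "
              "eap (relay) logs them out and needs RADIUS authentication")
    return [(name, advice)
            for name, mode in effective_methods(config_text).items() if mode == "pap"]

if __name__ == "__main__":
    for name, advice in audit(SAMPLE_CONFIG):
        print(f"profile {name}: pap in use. Moving to {advice}")
```
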
Copyright © Huawei Technologies Co., Ltd.