R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

101

102

103

104

105

106

107

108

109

110

Ste

Command

Remarks

3. Enable 802.1X on a port in

system view or Ethernet

interface view.

• In system view:

dot1x interface interface-list

• In Ethernet interface view:

a. interface interface-type

interface-number

b. dot1x

By default, 802.1X is disabled

on a port.

Enabling EAP relay or EAP termination

When configuring EAP relay or EAP termination, consider the following factors:

• The support of the RADIUS server for EAP packets

• The authentication methods supported by the 802.1X client and the RADIUS server

If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP

authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay.

To use EAP-TL, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make

your decision, see "A comparison of EAP relay and EAP termination" f

or help.

For more information about EAP relay and EAP termination, see "802.1X authentication procedures."

To configure EAP relay or EAP termination:

Ste

Command Remarks

1. Enter system

view.

system-view N/A

2. Configure EAP

relay or EAP

termination.

dot1x authentication-method

{ chap | eap | pap }

By default, the network access device performs EAP

termination and uses CHAP to communicate with the

RADIUS server.

Specify the eap keyword to enable EAP termination.

Specify the chap or pap keyword to enable

CHAP-enabled or PAP-enabled EAP relay.

NOTE:

If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does no

take effect. The access device sends the authentication data from the client to the server without any

modification.

Setting the port authorization state

The port authorization state determines whether the client is granted access to the network. You can

control the authorization state of a port by using the dot1x port-control command and the following

keywords:

• authorized-force—Places the port in the authorized state, enabling users on the port to access the

network without authentication.

• unauthorized-force—Places the port in the unauthorized state, denying any access requests from

users on the port.