R2511-HP MSR Router Series Security Command Reference(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

131

132

133

134

135

136

137

138

139

140

124

Related commands

display dot1x

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The network access device performs EAP termination and uses CHAP to communicate with the RADIUS

server.

Views

System view

Default command level

2: System level

Parameters

chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the

Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods

to communicate with the RADIUS server.

pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol

(PAP) to communicate with the RADIUS server.

Usage guidelines

The network access device terminates or relays EAP packets:

1. In EAP termination mode—The access device re-encapsulates and sends the authentication data

from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or

PAP authentication with the RADIUS server. In this mode the RADIUS server supports only

MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by

an iNode client.

{ PAP transports usernames and passwords in clear text. The authentication method applies to

scenarios that do not require high security. To use PAP, the client must be an HP iNode 802.1X

client.

{ CHAP transports username in plaintext and encrypted password over the network. It is more

secure than PAP.

2. In EAP relay mode—The access device relays EAP messages between the client and the RADIUS

server. The EAP relay mode supports multiple EAP authentication methods, such as

MD5-Challenge, EAP-TL, and PEAP. To use this mode, you must make sure the RADIUS server

supports the EAP-Message and Message-Authenticator attributes and uses the same EAP

authentication method as the client. If this mode is used, the user-name-format command

configured in RADIUS scheme view does not take effect. For more information about the

user-name-format command, see "RADIUS configuration commands."