R2511-HP MSR Router Series Security Command Reference(V5)
Local authentication supports PAP and CHAP.
If RADIUS authentication is used, you must configure the network access device to use the same
authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS
server.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
Related commands
display dot1x
dot1x auth-fail vlan
Use dot1x auth-fail vlan to configure an Auth-Fail VLAN on a port for users who fail 802.1X
authentication because they do not comply with the organization's security strategy, for example by
using a wrong password.
Use undo dot1x auth-fail vlan to restore the default.
Syntax
dot1x auth-fail vlan authfail-vlan-id
undo dot1x auth-fail vlan
Default
No Auth-Fail VLAN is configured on a port.
Views
Ethernet interface view
Default command level
2: System level
Parameters
authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure
the VLAN has been created and is not a super VLAN. For more information about super VLANs, see
Layer 2—LAN Switching Configuration Guide.
Usage guidelines
You must enable the 802.1X multicast trigger function for an Auth-Fail VLAN to take effect on a port
that performs port-based access control.
When you change the access control method from port-based to MAC-based on a port that is in an
Auth-Fail VLAN, the port is removed from the Auth-Fail VLAN. The device does not support Auth-Fail
VLAN on a port that implements MAC-based access control.
To delete a VLAN that has been configured as an Auth-Fail VLAN, you must remove the Auth-Fail VLAN
configuration first.
You can configure both an Auth-Fail VLAN and a guest VLAN for a port.
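The following offline check applies the usage guidelines above to a saved configuration. It is an added example, not part of the HP reference. The function name audit_auth_fail_vlan and the sample configuration are constructed for illustration, and the spellings dot1x port-method and undo dot1x multicast-trigger are assumed from Comware V5 because they do not appear on this page.

```python
import re

# Constructed sample in the style of a saved Comware configuration (not from the page).
SAMPLE_CONFIG = """\
vlan 3
#
interface Ethernet1/1
 dot1x port-method portbased
 dot1x auth-fail vlan 3
#
interface Ethernet1/2
 dot1x port-method macbased
 dot1x auth-fail vlan 3
#
interface Ethernet1/3
 dot1x port-method portbased
 undo dot1x multicast-trigger
 dot1x auth-fail vlan 10
"""

def audit_auth_fail_vlan(config):
    """Return (interface, finding) pairs where an Auth-Fail VLAN breaks a usage guideline."""
    vlans, ports, port = {1}, {}, None  # VLAN 1 always exists
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line starts a new view
            port = None
            if m := re.fullmatch(r"vlan (\d+)(?: to (\d+))?", line):
                vlans.update(range(int(m[1]), int(m[2] or m[1]) + 1))
            elif m := re.fullmatch(r"interface (\S+)", line):
                port = ports.setdefault(m[1], {})
        elif port is not None:
            if m := re.fullmatch(r"dot1x auth-fail vlan (\d+)", line):
                port["afv"] = int(m[1])
            elif m := re.fullmatch(r"dot1x port-method (macbased|portbased)", line):
                port["method"] = m[1]
            elif line == "undo dot1x multicast-trigger":
                port["no_trigger"] = True
    findings = []
    for name, p in ports.items():
        if (afv := p.get("afv")) is None:
            continue
        if afv not in vlans:
            findings.append((name, f"VLAN {afv} has not been created"))
        if p.get("method") == "macbased":
            findings.append((name, "Auth-Fail VLAN is not supported with MAC-based access control"))
        elif p.get("method") == "portbased" and p.get("no_trigger"):
            findings.append((name, "multicast trigger is disabled on a port-based port"))
    return findings
```

The check acts only on lines that are explicitly present, so a port that relies on a default access control method or trigger setting is not flagged.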
Examples
# Configure VLAN 3 as the Auth-Fail VLAN for port Ethernet 1/1.










