R0106-HP MSR Router Series Security Configuration Guide(V7)
• EAP relay mode:
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send
authentication information to the RADIUS server, as shown in Figure 28.
Figure 28 EAP relay
In EAP relay mode, the client must use the same authentication method as the RADIUS server. On
the network access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.
Some network access devices provide the EAP server function so you can use EAP relay even if the
RADIUS server does not support any EAP authentication method or no RADIUS server is available.
• EAP termination mode:
In EAP termination mode, the network access device terminates the EAP packets received from the
client, encapsulates the client authentication information in standard RADIUS packets, and uses
PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 29.
Figure 29 EAP termination
Comparing EAP relay and EAP termination
Packet exchange method: EAP relay
Benefits:
• Supports various EAP authentication methods.
• The configuration and processing are simple on the network access device.
Limitations:
The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
Packet exchange method: EAP termination
Benefits:
Works with any RADIUS server that supports PAP or CHAP authentication.
Limitations:
• Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client.
• The processing is complex on the network access device.
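The difference between the two modes is visible in the Access-Request that reaches the RADIUS server. The following added example (not from the HP guide) parses a request, reports which mode produced it, and for EAP relay verifies the Message-Authenticator attribute. It assumes the attribute numbers and the HMAC-MD5 rule from RFC 2865 and RFC 3579; the function names are hypothetical, and build_request only produces constructed test packets.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865, RFC 3579)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def parse_attrs(pkt):
    """Return (code, [(type, value_offset, value), ...]) with length checks."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20  # attributes follow the 20-byte header
    while pos < len(pkt):
        alen = pkt[pos + 1] if pos + 2 <= len(pkt) else 0
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pos + 2, pkt[pos + 2:pos + alen]))
        pos += alen
    return pkt[0], attrs

def message_authenticator(pkt, off, secret):
    """HMAC-MD5 over the packet with the 16-byte attribute value zeroed."""
    return hmac.new(secret, pkt[:off] + bytes(16) + pkt[off + 16:], hashlib.md5).digest()

def classify(pkt, secret):
    """Report which 802.1X mode produced this Access-Request."""
    code, attrs = parse_attrs(pkt)
    if code != 1:
        raise ValueError("not an Access-Request")
    types = {t for t, _, _ in attrs}
    if EAP_MESSAGE in types:  # EAP relay: EAP packet carried to the server
        ma = [(o, v) for t, o, v in attrs if t == MESSAGE_AUTHENTICATOR]
        if len(ma) != 1 or len(ma[0][1]) != 16:
            return "relay: Message-Authenticator missing"
        ok = hmac.compare_digest(ma[0][1], message_authenticator(pkt, ma[0][0], secret))
        return "relay" if ok else "relay: Message-Authenticator invalid"
    if CHAP_PASSWORD in types:  # EAP termination: device re-authenticates
        return "termination (CHAP)"
    return "termination (PAP)" if USER_PASSWORD in types else "unknown"

def build_request(attrs, secret):
    """Build a constructed Access-Request; a zeroed attribute 80 gets signed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    pkt = struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
    for t, off, _ in parse_attrs(pkt)[1]:
        if t == MESSAGE_AUTHENTICATOR:
            pkt = pkt[:off] + message_authenticator(pkt, off, secret) + pkt[off + 16:]
    return pkt
```

A relay request whose Message-Authenticator is absent or does not verify under the shared secret is one the server should discard, which is why the table lists support for both attributes as a requirement of EAP relay.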