EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands."
Local authentication supports PAP and CHAP.
If RADIUS authentication is used, you must configure the network access device to use the same
authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the
RADIUS server.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
Related commands
display dot1x
dot1x auth-fail vlan
Use dot1x auth-fail vlan to configure an Auth-Fail VLAN on a port for users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password.
Use undo dot1x auth-fail vlan to restore the default.
Syntax
dot1x auth-fail vlan authfail-vlan-id
undo dot1x auth-fail vlan
Default
No Auth-Fail VLAN is configured on a port.
Views
Ethernet interface view
Default command level
2: System level
Parameters
authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
Usage guidelines
You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs
MAC-based access control.
When you change the access control method from MAC-based to port-based on a port that carries an Auth-Fail VLAN, the mappings between MAC addresses and the 802.1X Auth-Fail VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.
You must enable the 802.1X multicast trigger function for an Auth-Fail VLAN to take effect on a port that performs port-based access control.
When you change the access control method from port-based to MAC-based on a port that is in an
Auth-Fail VLAN, the port is removed from the Auth-Fail VLAN.
To delete a VLAN that has been configured as an Auth-Fail VLAN, you must remove the Auth-Fail
VLAN configuration first.
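The following audit script is an added example, not part of the original command reference. It checks a saved configuration against the usage guidelines above and reports ports whose Auth-Fail VLAN cannot take effect. It assumes that a port is MAC-based unless dot1x port-method portbased is present and that multicast trigger is enabled unless undone; the sample configuration and the audit function name are constructed for illustration.

```python
import re

# Assumed defaults (not on this page): MAC-based access control, multicast
# trigger enabled, VLAN 1 always present. SAMPLE is constructed for illustration.
SAMPLE = """\
vlan 100
#
interface GigabitEthernet1/0/1
 mac-vlan enable
 dot1x auth-fail vlan 100
#
interface GigabitEthernet1/0/2
 dot1x auth-fail vlan 100
#
interface GigabitEthernet1/0/3
 dot1x port-method portbased
 undo dot1x multicast-trigger
 dot1x auth-fail vlan 200
"""

def audit(text):
    """Return (interface, problem) pairs for Auth-Fail VLANs that cannot take effect."""
    vlans, ports, current = {1}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # unindented line starts a new view
            current = None
            m = re.fullmatch(r"vlan (\d+)", line)
            if m:
                vlans.add(int(m.group(1)))     # VLAN created at system level
            elif line.startswith("interface "):
                current = line.split(None, 1)[1]
                ports[current] = []
        elif current:
            ports[current].append(line)        # command inside interface view
    findings = []
    for name, cmds in ports.items():
        fail = [c for c in cmds if re.fullmatch(r"dot1x auth-fail vlan \d+", c)]
        if not fail:
            continue                           # no Auth-Fail VLAN on this port
        if int(fail[0].split()[-1]) not in vlans:
            findings.append((name, "Auth-Fail VLAN not created"))
        portbased = "dot1x port-method portbased" in cmds
        trigger = "undo dot1x multicast-trigger" not in cmds
        if not portbased and "mac-vlan enable" not in cmds:
            findings.append((name, "MAC-based VLAN not enabled"))
        if portbased and not trigger:
            findings.append((name, "802.1X multicast trigger disabled"))
    return findings
```

Run audit() on the text of a saved configuration; an empty list means every configured Auth-Fail VLAN meets the prerequisites checked here. The super VLAN restriction is not checked.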