111
[Sysname] interface gigabitethernet 3/0/7
[Sysname-GigabitEthernet3/0/7] dot1x
# Enable 802.1X globally.
<Sysname> system-view
[Sysname] dot1x
Related commands
display dot1x
dot1x authentication-method
Use
dot1x authentication-method
to specify an EAP message handling method.
Use
undo dot1x authentication-method
to restore the default.
Syntax
dot1x authentication-method
{
chap
|
eap
|
pap
}
undo dot1x authentication-method
Default
The network access device performs EAP termination and uses CHAP to communicate with the
RADIUS server.
Views
System view
Default command level
2: System level
Parameters
chap
: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and
use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS
server.
eap
: Sets the access device to relay EAP packets, and supports any of the EAP authentication
methods to communicate with the RADIUS server.
pap
: Sets the access device to perform EAP termination and use the Password Authentication
Protocol (PAP) to communicate with the RADIUS server.
Usage guidelines
The network access device terminates or relays EAP packets:
•
In EAP termination mode
—The access device re-encapsulates and sends the authentication
data from the client in standard RADIUS packets to the RADIUS server, and performs either
CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports
only MD5-Challenge EAP authentication, and "upassword" EAP authentication
initiated by an iNode client.
{
PAP transports usernames and passwords in clear text. The authentication method applies
to scenarios that do not require high security. To use PAP, the client must be an iNode
802.1X client.
{
CHAP transports username in plaintext and encrypted password over the network. It is
more secure than PAP.
•
In EAP relay mode
—The access device relays EAP messages between the client and the
RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as
MD5-Challenge, EAP-TL, and PEAP. To use this mode, you must make sure that the RADIUS
server supports the EAP-Message and Message-Authenticator attributes and uses the same