No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
WLAN AC V200R010C00 Command Reference
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
dot1x authentication-method

dot1x authentication-method

Function

The dot1x authentication-method command configures an 802.1X authentication mode.

The undo dot1x authentication-method command restores the default configuration.

The default 802.1X authentication mode is eap, which indicates Extensible Authentication Protocol (EAP) relay authentication.

Format

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

Parameters

Parameter

Description

Value

chap

Specifies EAP termination authentication using the Challenge Handshake Authentication Protocol (CHAP).

-

pap

Specifies EAP termination authentication using the Password Authentication Protocol (PAP).

-

eap

Specifies Extensible Authentication Protocol (EAP) relay authentication.

-

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, users exchange authentication information with the device using EAP packets. The device uses two modes to exchange authentication information with the RADIUS server.

  • EAP termination: The device directly parses EAP packets, encapsulates user authentication information into a RADIUS packet, and sends the packet to the RADIUS server for authentication. EAP termination is classified into PAP or CHAP authentication.

    • PAP: The device arranges the MAC address, shared key, and random value in sequence, performs hash processing on them using the MD5 algorithm, and encapsulates the hash result into the User-Password attribute.
    • CHAP: The device arranges the CHAP ID, MAC address, and random value in sequence, performs hash processing on them using the MD5 algorithm, and encapsulates the hash result into the CHAP-Password and CHAP-Challenge attributes.

  • EAP relay (specified by eap): The device encapsulates EAP packets into RADIUS packets and sends the RADIUS packets to the RADIUS server. The device does not parse the received EAP packets but encapsulates them into RADIUS packets. This mechanism is called EAP over Radius (EAPoR).

The processing capability of the RADIUS server determines whether EAP termination or EAP relay is used. If the RADIUS server has a higher processing capability and can parse a large number of EAP packets before authentication, the EAP relay mode is recommended. If the RADIUS server has a processing capability not good enough to parse a large number of EAP packets and complete authentication, the EAP termination mode is recommended and the device parses EAP packets for the RADIUS server. When the authentication packet processing method is configured, ensure that the client and server both support this method; otherwise, the users cannot pass authentication.

  • The EAP relay can be configured for 802.1X users only when RADIUS authentication is used.

  • If AAA local authentication is used, the authentication mode for 802.1X users can only be set to EAP termination.

  • Because mobile phones do not support EAP termination mode (PAP and CHAP), the 802.1X authentication + local authentication mode cannot be configured for mobile phones. Terminals such as laptop computers support EAP termination mode only after having third-party clients installed.

  • If the 802.1X client uses the MD5 encryption mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device can be set to EAP.

  • In a wireless access scenario, if WPA or WPA2 authentication mode is configured in the security policy profile, 802.1X authentication does not support pre-authentication domain-based authorization.
  • If an interface has online 802.1X users and the authentication mode is changed between EAP termination and EAP relay in the 802.1X access profile bound to the interface, the online 802.1X users will be logged out. If the authentication mode is changed between CHAP and PAP in EAP termination mode, the online 802.1X users will not be logged out.

Example

# In the 802.1X access profile d1, configure the device to use PAP authentication for 802.1X users.

<AC6605> system-view
[AC6605] dot1x-access-profile name d1
[AC6605-dot1x-access-profile-d1] dot1x authentication-method pap
Translation
简体中文
Download
Updated: 2021-02-27

Document ID: EDOC1100064351

Views: 3200004

Downloads: 595

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :