1-6
z After a PAFV takes effect, if you change the port access method from portbased to macbased,
the port will leave the Auth-Fail VLAN.
z It is not allowed to delete a VLAN that is configured as an Auth-Fail VLAN directly. To delete such a
VLAN, you need to remove the Auth-Fail VLAN configuration first by using the undo dot1x
auth-fail vlan command.
z You can configure both an Auth-Fail VLAN and a guest VLAN for a port, but they cannot both take
effect at a time.
Related commands: dot1x, dot1x port-method.
Examples
# Configure VLAN 3 as the Auth-Fail VLAN on port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x auth-fail vlan 3
dot1x authentication-method
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
View
System view
Default Level
2: System level
Parameters
chap: Authenticates clients using CHAP.
eap: Authenticates clients using EAP.
pap: Authenticates clients using PAP.
Description
Use the dot1x authentication-method command to set the 802.1X authentication method.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP is used.
z The Password Authentication Protocol (PAP) transports passwords in clear text.
z The Challenge Handshake Authentication Protocol (CHAP) transports only usernames over the
network. Compared with PAP, CHAP provides better security.
z With EAP relay authentication, the device encapsulates 802.1X user information in the EAP
attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it
does not need to repackage the EAP packets into standard RADIUS packets for authentication. In
this case, you can configure the user-name-format command but it does not take effect. For
information about the user-name-format command, refer to AAA Commands.
Note that:
To Next Page
Loading...
Need help?
General