68
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode
depending on support of the RADIUS server for EAP packets and EAP authentication methods.
• EAP relay mode.
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to
send authentication information to the RADIUS server, as shown in Figure 27.
Figure 27 EAP relay
In EAP relay mode, the client must use the same authentication method as the RADIUS server.
On the access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.
• EAP termination mode.
As shown in Figure 28, the access device performs the following operations in EAP termination
mode:
a. Terminates the EAP packets received from the client.
b. Encapsulates the client authentication information in standard RADIUS packets.
c. Uses PAP or CHAP to authenticate to the RADIUS server.
Figure 28 EAP termination
Comparing EAP relay and EAP termination
Benefits Limitations
EAP relay
•
authentication methods.
•
processing are simple on the
access device.
The RADIUS server must support the
EAP-
Message-
Authenticator attributes, and
the EAP authentication method used by
the client.
EAP termination
Works with any RADIUS server
that supports PAP or CHAP
authentication.
• Supports only
authentication methods:
ï‚¡ MD5-
authentication.
ï‚¡ The username and password
EAP authentication initiated by
an HPE iNode 802.1X client.
RADIUS server
Client
Device
EAP packets over LAN EAP packets over RADIUS
EAP authentication
RADIUS serverClient
Device
EAP packets over LAN RADIUS
EAP authentication PAP/CHAP authentication
To Next Page
Loading...
Need help?
General