EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPoR packets to
send authentication information to the RADIUS server, as shown in Figure 39.
Figure 39 EAP relay
In EAP relay mode, the client must use the same authentication method as the RADIUS server.
On the network access device, you only need to use the dot1x authentication-method eap
command to enable EAP relay.
• EAP termination mode:
In EAP termination mode, the network access device terminates the EAP packets received
from the client, encapsulates the client authentication information in standard RADIUS packets,
and uses Password Authentication Protocol (PAP) or Challenge Handshake Authentication
Protocol (CHAP) to authenticate to the RADIUS server, as shown in Figure 40.
Figure 40 EAP termination
Comparing EAP relay and EAP termination
| Packet exchange method | Benefits | Limitations |
|---|---|---|
| EAP relay | • Supports various EAP authentication methods. • The configuration and processing is simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
| EAP termination | Works with any RADIUS server that supports PAP or CHAP authentication. | • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HPE iNode 802.1X client. • The processing is complex on the network access device. |
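The following added example (not from the original guide or from HPE) shows what the EAP relay requirement on EAP-Message and Message-Authenticator means on the wire: the device wraps the client's EAP packet in EAP-Message attributes and protects the Access-Request with an HMAC-MD5 Message-Authenticator, which the server checks before handling the EAP payload. The attribute numbers and the HMAC rule follow RFC 3579; the function names, shared secret, and sample EAP identity are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # carries the EAP packet, at most 253 octets per attribute
MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the whole RADIUS packet


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_relay_request(eap_packet, secret, identifier, authenticator):
    """Wrap an EAP packet in an Access-Request (code 1) as a relay-mode device does."""
    body = b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253])
                    for i in range(0, len(eap_packet), 253))
    # The HMAC is computed with the Message-Authenticator value set to 16 zero octets.
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def check_relay_request(packet, secret):
    """Server side: return the reassembled EAP packet, or None if the check fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    pos, eap, valid = 20, b"", False
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None  # malformed attribute
        value = packet[pos + 2:pos + attr_len]
        if attr_type == EAP_MESSAGE:
            eap += value
        elif attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            valid = hmac.compare_digest(value, expected)
        pos += attr_len
    # A request carrying EAP-Message without a valid Message-Authenticator is dropped.
    return eap if valid and eap else None


# Constructed sample: EAP-Response/Identity (code 2, type 1) for user "alice".
SECRET = b"constructed-shared-secret"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(b"alice"), 1) + b"alice"
REQUEST = build_relay_request(EAP_IDENTITY, SECRET, 7, bytes(range(16)))
```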
EAP relay
Figure 41 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that
EAP-MD5 is used.