Specifying the port authorization mode – H3C Technologies H3C S7500E Series Switches User Manual

5-14

To do…

Use the command…

Remarks

dot1x

Specifying the Authentication Method of 802.1X Users

The device supports two authentication methods: EAP relay and EAP termination.

z

In EAP relay mode, the device encapsulates the EAP packets in the EAP over RADIUS

(EAPOR) packets, and then relays the packets to the RADIUS server.

z

In EAP termination mode, the device terminates the EAP packets locally, converts the

packets to the RADIUS packets either with the PAP or CHAP attribute, and then transfers

them to the RADIUS server.

Follow these steps to specify the authentication method for 802.1x users:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Specify the authentication

method

dot1x authentication-method

{ chap | eap | pap }

Optional

CHAP by default

In EAP relay authentication mode, the device encapsulates the 802.1X user information in the

EAP attributes of RADIUS packets and sends the packets to the RADIUS server for

authentication. In this case, you can configure the user-name-format command but it does not

take effect. For information about the user-name-format command, see RADIUS Configuration

Commands in the Security Command Reference.

Specifying the Port Authorization Mode

You can set the authorization mode of a specified port to control the port authorization status.

The authorization modes include:

z

authorized-force: Places the port in the authorized state, allowing users on the port to

access the network without authentication.

z

unauthorized-force: Places the port in the unauthorized state, denying any access

requests from users on the port.

z

auto: Places the port in the unauthorized state initially to allow only EAPOL packets to

pass, and turns the port into the authorized state to allow access to the network after the

users pass authentication. This is the most common choice.