
1x authentication procedures, Comparing eap relay and eap termination – H3C Technologies H3C S6300 Series Switches User Manual


802.1X authentication procedures

802.1X authentication has two methods: EAP relay and EAP termination. Choose a mode based on
which EAP packets and EAP authentication methods the RADIUS server supports.

EAP relay mode:
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send
authentication information to the RADIUS server, as shown in Figure 26.

Figure 26 EAP relay

In EAP relay mode, the client must use the same authentication method as the RADIUS server. On
the network access device, you only need to use the dot1x authentication-method eap command
to enable EAP relay.

EAP termination mode:
In EAP termination mode, the network access device terminates the EAP packets received from the
client, encapsulates the client authentication information in standard RADIUS packets, and uses
PAP or CHAP to authenticate to the RADIUS server, as shown in Figure 27.

Figure 27 EAP termination

Comparing EAP relay and EAP termination

| Packet exchange method | Benefits | Limitations |
|---|---|---|
| EAP relay | Supports various EAP authentication methods. The configuration and processing are simple on the network access device. | The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client. |
| EAP termination | Works with any RADIUS server that supports PAP or CHAP authentication. | Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an H3C iNode 802.1X client. The processing is complex on the network access device. |