Specifications
8-32 AAA Commands
protocol
Protocol used for authentication. Specify one of the following:
• eap-md5—Extensible Authentication Protocol (EAP) with message-digest algorithm 5. For wired authentication clients:
– Uses challenge-response to compare hashes
– Provides no encryption or integrity checking for the connection
Note: The eap-md5 option does not work with Microsoft wired authentication clients.
• eap-tls—EAP with Transport Layer Security (TLS):
– Provides mutual authentication, integrity-protected negotiation, and key exchange
– Requires X.509 public key certificates on both sides of the connection
– Provides encryption and integrity checking for the connection
– Cannot be used with RADIUS server authentication (requires user information to be in the switch’s local database)
• peap-mschapv2—Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2). For wireless clients:
– Uses TLS for encryption and data integrity checking and server-side authentication
– Provides MS-CHAP-V2 mutual authentication
– Only the server side of the connection needs a certificate.
The wireless client authenticates using TLS to set up an encrypted session. Then MS-CHAP-V2 performs mutual authentication using the specified AAA method.
• pass-through—MSS sends all the EAP protocol processing to a RADIUS server.
method1
method2
method3
method4
At least one and up to four methods that MSS uses to handle authentication. Specify one or more of the following methods in priority order. MSS applies multiple methods in the order you enter them.
A method can be one of the following:
• local—Uses the local database of usernames and user groups on the RAS for authentication.
• server-group-name—Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.
RADIUS servers cannot be used with the EAP-TLS protocol.
For more information, see “Usage.”
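The eap-md5 "challenge-response to compare hashes" step, checked against a local user database as the local method would, shown here as an added example that is not taken from this manual or from MSS. The response formula MD5(Identifier || secret || Challenge) comes from RFC 1994 and RFC 3748; LOCAL_DB, the username, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the switch's local user database (method "local").
LOCAL_DB = {"alice": b"correct horse battery"}


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(identifier: int) -> dict:
    """Authenticator side: MD5-Challenge request with a fresh random value."""
    return {"id": identifier & 0xFF, "challenge": os.urandom(16)}


def supplicant_reply(request: dict, username: str, password: bytes) -> dict:
    """Client side: only the hash is sent, never the password itself."""
    value = md5_response(request["id"], password, request["challenge"])
    return {"id": request["id"], "user": username, "value": value}


def verify(request: dict, reply: dict) -> bool:
    """Authenticator side: recompute from the stored password and compare."""
    secret = LOCAL_DB.get(reply["user"])
    if secret is None or reply["id"] != request["id"]:
        return False
    expected = md5_response(request["id"], secret, request["challenge"])
    return hmac.compare_digest(expected, reply["value"])


def demo() -> dict:
    req1 = new_challenge(1)
    good = supplicant_reply(req1, "alice", b"correct horse battery")
    bad = supplicant_reply(req1, "alice", b"wrong password")
    # A response captured for req1 does not match a later, different challenge.
    req2 = new_challenge(2)
    replayed = {**good, "id": req2["id"]}
    return {"good": verify(req1, good), "bad": verify(req1, bad),
            "replay": verify(req2, replayed)}


if __name__ == "__main__":
    print(demo())
```

The exchange proves knowledge of the password once and derives no session key, which is why the manual lists eap-md5 as providing no encryption or integrity checking for the connection.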