Port authentication control, The authenticator pae – Allied Telesis AT-S60 User Manual

Chapter 25: 802.1x Port-Based Access Control
Section III: Security Features
Port Authentication Control
A physical port under 802.1x control has an associated logical
system known as a Port Access Entity (PAE). The PAE controls the
authentication process. Separate PAEs control the authentication
processes on the authenticator and on the supplicant.
The PAE controlling a port acting as a supplicant is termed a Supplicant
PAE. The PAE controlling a port acting as an authenticator is termed an
Authenticator PAE.
Note
Ports under 802.1x control do not support trunking, STP, or
static/dynamic learning. A port under 802.1x control must also not be
a member of more than one VLAN.
The Authenticator PAE
The role of the Authenticator PAE is to maintain the state of the
controlled port based on the result of authentication message
exchanges with a single Supplicant PAE.
A single physical port acting as an authenticator is considered to consist
of two separate logical ports: an uncontrolled port and a controlled port,
as shown in Figure 142 on page 25-409. An uncontrolled port allows
authentication protocol data units (PDUs) to pass at any time. A
controlled port allows PDUs to pass only if the Authenticator PAE is
authorized.
The uncontrolled port is necessary to allow communication to take place
between the supplicant and the authenticator during the authentication
process. During the authentication process, the Extensible
Authentication Protocol (EAP) is used for message exchange. Packets are
physically transported between an Authenticator PAE and a Supplicant
PAE using the EAP over LAN (EAPoL) encapsulation.
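
The following sketch models the uncontrolled/controlled port split described above. It is an added example, not code from the AT-S60 firmware or this manual. The EtherType 0x888E, the 4-byte EAPoL header layout and the PAE group address come from IEEE 802.1X; the class, function and frame names are hypothetical, and frames are assumed to be untagged.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType assigned to EAPoL by IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def parse_eapol(frame: bytes):
    """Return (version, type_name, body) for an untagged EAPoL frame, else None."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPoL header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != EAPOL_ETHERTYPE:
        return None
    version, ptype, length = struct.unpack_from("!BBH", frame, 14)
    body = frame[18:18 + length]  # anything after the body is Ethernet padding
    if len(body) != length:       # declared body length exceeds the bytes received
        return None
    return version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"), body


class AuthenticatorPort:
    """Hypothetical model of one physical port and its two logical ports."""

    def __init__(self):
        self.authorized = False  # the controlled port starts closed

    def set_auth_result(self, success: bool):
        # Stands in for the Authenticator PAE acting on the exchange result.
        self.authorized = success

    def admit(self, frame: bytes) -> str:
        if len(frame) >= 14 and frame[12:14] == b"\x88\x8e":
            # Authentication PDUs reach the PAE at any time; malformed ones
            # are discarded rather than treated as data traffic.
            return "uncontrolled" if parse_eapol(frame) else "dropped"
        return "controlled" if self.authorized else "dropped"


# Constructed sample frames; addresses and payloads are made up for illustration.
PAE_GROUP = bytes.fromhex("0180c2000003")   # PAE group address from IEEE 802.1X
SUPPLICANT = bytes.fromhex("020000000001")
EAPOL_START = PAE_GROUP + SUPPLICANT + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 1, 0)
IPV4_FRAME = (bytes.fromhex("ffffffffffff") + SUPPLICANT
              + struct.pack("!H", 0x0800) + b"\x45" + bytes(19))
TRUNCATED = (PAE_GROUP + SUPPLICANT
             + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, 32) + b"\x01\x02")
```

Before authentication succeeds, only well-formed EAPoL frames are accepted; after `set_auth_result(True)`, ordinary data frames pass through the controlled port as well.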