
Architecture of 802.1x, Authentication modes of 802.1x, Basic concepts of 802.1x – H3C Technologies H3C S7500E Series Switches User Manual


Architecture of 802.1X

802.1X operates in the typical client/server model and defines three entities: Client, Device, and Server, as shown in Figure 5-1.

Figure 5-1 Architecture of 802.1X

- Client is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by Device at the other end of that segment. Client is usually a user-end device such as a PC. 802.1X authentication is triggered when an 802.1X-capable client program is launched on Client; the client program must support Extensible Authentication Protocol over LAN (EAPOL).
- Device, residing at the other end of the LAN segment, is the entity that authenticates connected clients. Device is usually an 802.1X-enabled network device and provides the access ports through which clients reach the LAN.
- Server is the entity that provides authentication services to Device. Server is normally a RADIUS (Remote Authentication Dial-In User Service) server and performs authentication, authorization, and accounting for users.

Authentication Modes of 802.1X

The 802.1X authentication system employs the Extensible Authentication Protocol (EAP) to exchange authentication information between the client, the device, and the authentication server.

- Between the client and the device, EAP packets are encapsulated in EAPOL for transfer on the LAN.
- Between the device and the RADIUS server, EAP packets can be exchanged in two modes: EAP relay and EAP termination. In EAP relay mode, the device encapsulates the EAP packets in EAP over RADIUS (EAPOR) packets and relays them, unchanged, to the RADIUS server, which runs the EAP method itself. In EAP termination mode, the device terminates the EAP exchange locally, converts the result into RADIUS packets carrying either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) attributes, and sends those to the RADIUS server.
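The two transport legs described above, as an added Python example that is not part of the H3C manual: the client-to-device leg (an EAP packet inside an EAPOL frame), the device-to-server leg in EAP relay mode (the EAP packet carried unchanged in RADIUS EAP-Message attributes and protected by a Message-Authenticator, as RFC 3579 requires), and the device-to-server leg in EAP termination mode in its CHAP form (the device finishes an EAP-MD5 exchange itself and forwards only CHAP-Password and CHAP-Challenge). The PAP form of termination is not shown. EAP-MD5 is used because its response is byte-for-byte a CHAP response, which is what makes CHAP termination possible at all. The client MAC address, user name, password, challenge, RADIUS shared secret and the fixed Request Authenticator are constructed sample values; frame and packet layouts follow IEEE 802.1X, RFC 3748 and RFC 2865.

```python
import hashlib
import hmac
import struct

# Constants from IEEE 802.1X, RFC 3748 (EAP), RFC 2865 (RADIUS) and RFC 3579 (EAP over RADIUS).
EAPOL_ETHERTYPE = 0x888E
EAPOL_PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPE_EAP = 0                                   # 1 = EAPOL-Start, 2 = EAPOL-Logoff
EAP_CODE_RESPONSE, EAP_TYPE_MD5_CHALLENGE = 2, 4
RADIUS_ACCESS_REQUEST = 1
A_USER_NAME, A_CHAP_PASSWORD, A_CHAP_CHALLENGE, A_EAP_MESSAGE, A_MESSAGE_AUTHENTICATOR = 1, 3, 60, 79, 80

def eap_packet(code, identifier, eap_type, type_data):
    """RFC 3748 header: code, identifier, total length, type, then type-data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data

def client_md5_response(eap_id, password, challenge):
    """Client side of EAP-MD5: Response/MD5-Challenge carrying MD5(id || password || challenge)."""
    digest = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
    return eap_packet(EAP_CODE_RESPONSE, eap_id, EAP_TYPE_MD5_CHALLENGE, bytes([len(digest)]) + digest)

def eapol_frame(src_mac, eap_pkt, version=2):
    """Client -> device leg: Ethernet header, EAPOL header (version, type, length), EAP packet."""
    eth = EAPOL_PAE_GROUP_MAC + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", version, EAPOL_TYPE_EAP, len(eap_pkt)) + eap_pkt

def device_unwrap_eapol(frame):
    """Device side: strip the Ethernet and EAPOL headers and return the EAP packet."""
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    _version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    if pkt_type != EAPOL_TYPE_EAP:
        raise ValueError("EAPOL-Start/Logoff frames carry no EAP packet")
    return frame[18:18 + length]

def attr(attr_type, value):
    """RADIUS attribute TLV: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def access_request(radius_id, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(body)) + authenticator + body

def radius_attrs(pkt):
    """Decode RADIUS attributes into {type: [value, ...]}."""
    out, i = {}, 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        out.setdefault(attr_type, []).append(pkt[i + 2:i + length])
        i += length
    return out

def device_eap_relay(eap_pkt, username, secret, radius_id, authenticator):
    """EAP relay: forward the EAP packet unchanged in EAP-Message attributes (<= 253 bytes each), signed
    with Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed) per RFC 3579 section 3.2."""
    attrs = [attr(A_USER_NAME, username)]
    attrs += [attr(A_EAP_MESSAGE, eap_pkt[i:i + 253]) for i in range(0, len(eap_pkt), 253)]
    attrs.append(attr(A_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, access_request(radius_id, authenticator, attrs), hashlib.md5).digest()
    attrs[-1] = attr(A_MESSAGE_AUTHENTICATOR, mac)
    return access_request(radius_id, authenticator, attrs)

def server_check_relay(pkt, secret):
    """Server side of EAP relay: verify Message-Authenticator, then reassemble the EAP packet.
    Returns None when the HMAC is absent or wrong; such a request must be silently discarded."""
    i = 20
    while i < len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if attr_type == A_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18]):
                return None
            return b"".join(radius_attrs(pkt).get(A_EAP_MESSAGE, []))
        i += length
    return None

def device_eap_terminate_chap(eap_pkt, challenge, username, radius_id, authenticator):
    """EAP termination, CHAP form: the device ends EAP-MD5 itself and re-encodes the result as
    CHAP-Password (ident + 16-byte digest) plus CHAP-Challenge. This only works because the
    EAP-MD5 response equals the PPP CHAP response for the same ident and challenge."""
    code, eap_id, _length, eap_type = struct.unpack("!BBHB", eap_pkt[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("CHAP termination needs an EAP-Response/MD5-Challenge")
    digest = eap_pkt[6:6 + eap_pkt[5]]  # type-data = value-size, value, optional name
    attrs = [attr(A_USER_NAME, username), attr(A_CHAP_PASSWORD, bytes([eap_id]) + digest),
             attr(A_CHAP_CHALLENGE, challenge)]
    return access_request(radius_id, authenticator, attrs)

def server_check_chap(pkt, password):
    """Server side of CHAP termination: recompute MD5(ident || password || challenge) and compare."""
    attrs = radius_attrs(pkt)
    chap, challenge = attrs[A_CHAP_PASSWORD][0], attrs[A_CHAP_CHALLENGE][0]
    return hmac.compare_digest(hashlib.md5(chap[:1] + password + challenge).digest(), chap[1:])

if __name__ == "__main__":
    password, challenge, secret = b"Sw1tchP@ss", bytes(range(16)), b"radius-shared-secret"  # constructed
    eap = device_unwrap_eapol(eapol_frame(bytes.fromhex("001122334455"), client_md5_response(7, password, challenge)))
    print(server_check_relay(device_eap_relay(eap, b"alice", secret, 1, bytes(16)), secret) == eap)
    print(server_check_chap(device_eap_terminate_chap(eap, challenge, b"alice", 2, bytes(16)), password))
```

What each mode gives the server follows directly from the code: in relay mode the server receives the EAP packet itself, so it can run any EAP method the client supports (EAP-TLS, PEAP and so on), at the price of having to check the Message-Authenticator on every request and discard requests that lack it; in CHAP termination the server sees only a CHAP exchange, so the method is fixed to MD5-Challenge and the switch, not the server, is the party that ran EAP with the client. The demo passes an all-zero Request Authenticator for brevity; a real device draws a fresh random 16-byte value per request, since both the Message-Authenticator and the PAP password hiding scheme depend on it.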

Basic Concepts of 802.1X

These basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorized state/unauthorized state, and control direction.

Controlled port and uncontrolled port

A device provides ports for clients to access the LAN. Each port can be regarded as a unity of two logical ports: a controlled port and an uncontrolled port.
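An added Python model, not taken from the manual, of the three concepts just listed: one physical port as a controlled/uncontrolled pair, the authorized/unauthorized state, and the control direction. The uncontrolled port always passes EAPOL frames so that authentication can take place; the controlled port passes everything else only in the authorized state. The values "both" and "in" for the control direction follow IEEE 802.1X's AdminControlledDirections (Both: while unauthorized, the controlled port blocks traffic in both directions; In: it blocks only traffic coming in from the client, so the LAN can still send to the client, for instance a Wake-on-LAN frame). Class and method names and the session walk-through are the example's own.

```python
EAPOL_ETHERTYPE = 0x888E
EAPOL_START, EAPOL_LOGOFF = 1, 2


class Dot1xPort:
    """One physical access port modelled as the pair of logical ports 802.1X defines.
    The uncontrolled port passes EAPOL frames in either direction at all times, so the
    authentication exchange can take place; the controlled port passes everything else
    only while the port is in the authorized state (subject to the control direction)."""

    def __init__(self, control_direction="both"):
        if control_direction not in ("both", "in"):
            raise ValueError("control direction is 'both' or 'in'")
        self.control_direction = control_direction
        self.authorized = False          # every port starts in the unauthorized state

    def eapol_event(self, pkt_type):
        """EAPOL-Start from the client asks for authentication; EAPOL-Logoff ends the session."""
        if pkt_type == EAPOL_LOGOFF:
            self.authorized = False
            return "unauthorized"
        return "authenticating" if pkt_type == EAPOL_START else "eap"

    def auth_result(self, success):
        """The outcome of the EAP exchange (EAP-Success or EAP-Failure) moves the port state."""
        self.authorized = bool(success)
        return "authorized" if self.authorized else "unauthorized"

    def forward(self, ethertype, direction):
        """Which logical port, if any, carries a frame. direction is 'in' (client -> LAN)
        or 'out' (LAN -> client). Returns 'uncontrolled', 'controlled' or 'dropped'."""
        if ethertype == EAPOL_ETHERTYPE:
            return "uncontrolled"       # EAPOL is never gated by the authorization state
        if self.authorized:
            return "controlled"
        if direction == "out" and self.control_direction == "in":
            return "controlled"         # unidirectional control: the LAN may still reach the client
        return "dropped"


def session_trace(control_direction="both"):
    """Walk one port through start -> failure -> success -> logoff and record, at each step,
    the port state and what an EAPOL frame, an inbound IPv4 frame and an outbound IPv4 frame do."""
    port = Dot1xPort(control_direction)
    steps = (lambda: port.eapol_event(EAPOL_START), lambda: port.auth_result(False),
             lambda: port.auth_result(True), lambda: port.eapol_event(EAPOL_LOGOFF))
    trace = []
    for step in steps:
        state = step()
        trace.append((state, port.forward(EAPOL_ETHERTYPE, "in"),
                      port.forward(0x0800, "in"), port.forward(0x0800, "out")))
    return trace


if __name__ == "__main__":
    for row in session_trace("both"):
        print(row)
```

The trace makes the asymmetry visible: with control direction "both", user traffic is dropped in both directions until EAP-Success arrives and again after EAPOL-Logoff; with "in", frames from the LAN toward the client still pass through the controlled port while the port is unauthorized, and only the client's own traffic is held back.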