I. pae, Ii. controlled port and uncontrolled port, Iii. the valid direction of a controlled port – H3C Technologies H3C S3100 Series Switches User Manual

Operation Manual – 802.1x

H3C S3100-52P Ethernet Switch

Chapter 1 802.1x Configuration

1-2

z

The authenticator system is an entity residing at one end of a LAN segment. It
authenticates the supplicant systems connecting to the other end of the LAN
segment. The authenticator system is usually an 802.1x-supported network
device (such as a H3Cseries switch). It provides the port (physical or logical) for
the supplicant system to access the LAN.

z

The authentication server system is an entity that provides authentication service
to the authenticator system. Normally in the form of a RADIUS server, the
authentication server system serves to perform AAA (authentication, authorization,
and accounting) services to users. It also stores user information, such as user
name, password, the VLAN a user belongs to, priority, and the ACLs (access
control list) applied.

The four basic concept related to the above three entities are PAE, controlled port and
uncontrolled port, the valid direction of a controlled port and the way a port is controlled.

I. PAE

A PAE (port access entity) is responsible for implementing algorithms and performing
protocol-related operations in the authentication mechanism.
The authenticator system PAE authenticates the supplicant systems when they log into
the LAN and controls the authorizing state (on/off) of the controlled ports according to
the authentication result.
The supplicant system PAE responds to the authentication requests received from the
authenticator system and submits user authentication information to the authenticator
system. It also sends authentication requests and disconnection requests to the
authenticator system PAE.

II. Controlled port and uncontrolled port

The Authenticator system provides ports for supplicant systems to access a LAN.
Logically, a port of this kind is divided into a controlled port and an uncontrolled port.

z

The uncontrolled port can always send and receive packets. It mainly serves to
forward EAPoL packets to ensure that a supplicant system can send and receive
authentication requests.

z

The controlled port can be used to pass service packets when it is in authorized
state. It is blocked when not in authorized state. In this case, no packets can pass
through it.

z

Controlled port and uncontrolled port are two properties of a port. Packets
reaching a port are visible to both the controlled port and uncontrolled port of the
port.

III. The valid direction of a controlled port

When a controlled port is in unauthorized state, you can configure it to be a
unidirectional port, which sends packets to supplicant systems only.