Controlled port and uncontrolled port, Shown in, Figure 1-1 – H3C Technologies H3C S3600 Series Switches User Manual

1-2

Figure 1-1 Architecture of 802.1x authentication

z

The supplicant system is an entity residing at one end of a LAN segment and is authenticated by

the authenticator system at the other end of the LAN segment. The supplicant system is usually a

user terminal device. An 802.1x authentication is triggered when a user launches client program on

the supplicant system. Note that the client program must support the extensible authentication

protocol over LAN (EAPoL).

z

The authenticator system is another entity residing at one end of a LAN segment. It authenticates

the connected supplicant systems. The authenticator system is usually an 802.1x-supported

network device (such as a H3C series switch). It provides the port (physical or logical) for the

supplicant system to access the LAN.

z

The authentication server system is an entity that provides authentication service to the

authenticator system. Normally in the form of a RADIUS server, the authentication server system

serves to perform Authentication, Authorization, and Accounting (AAA) services to users. It also

stores user information, such as user name, password, the VLAN a user belongs to, priority, and

the Access Control Lists (ACLs) applied.

The four basic concepts related to the above three entities are PAE, controlled port and uncontrolled

port, the valid direction of a controlled port and the way a port is controlled.

PAE

A port access entity (PAE) is responsible for implementing algorithms and performing protocol-related

operations in the authentication mechanism.

z

The authenticator system PAE authenticates the supplicant systems when they log into the LAN

and controls the status (authorized/unauthorized) of the controlled ports according to the

authentication result.

z

The supplicant system PAE responds to the authentication requests received from the

authenticator system and submits user authentication information to the authenticator system. It

also sends authentication requests and disconnection requests to the authenticator system PAE.

Controlled port and uncontrolled port

The authenticator system provides ports for supplicant systems to access a LAN. Logically, a port of this

kind is divided into a controlled port and an uncontrolled port.

z

The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL

packets to ensure that a supplicant system can send and receive authentication requests.