
The valid direction of a controlled port, The way a port is controlled, The mechanism of an 802.1x authentication system – H3C Technologies H3C S3600 Series Switches User Manual

Page 476: Encapsulation of eapol messages, The format of an eapol packet


• The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it.

• Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of the port.

The valid direction of a controlled port

When a controlled port is in unauthorized state, you can configure it to be a unidirectional port, which sends packets to supplicant systems only.

By default, a controlled port is a unidirectional port.

The way a port is controlled

A port of an H3C series switch can be controlled in either of the following two ways.

• Port-based authentication. When a port is controlled in this way, once one supplicant system connected to the port passes the authentication, all the other supplicant systems connected to the port can access the network without being authenticated. When the authenticated supplicant system goes offline, the others are denied as well.

• MAC-based authentication. All supplicant systems connected to a port have to be authenticated individually in order to access the network. When a supplicant system goes offline, the others are not affected.
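The difference between the two control modes is easiest to see by replaying the scenario the manual describes. The model below is an added illustration, not H3C code: a hypothetical ControlledPort class tracks which supplicants are attached and which hold a RADIUS accept, and walk_through() records at each step whether a second supplicant B (which never authenticates until the last step) may pass service packets. The MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ControlledPort:
    """Toy model of one 802.1x-controlled switch port (hypothetical, not H3C code).

    mode is "port" for port-based authentication or "mac" for MAC-based
    authentication, following the two control modes the manual describes.
    """
    mode: str
    attached: set = field(default_factory=set)       # MACs of supplicants on the port
    authenticated: set = field(default_factory=set)  # MACs that currently hold a RADIUS accept

    def attach(self, mac: str) -> None:
        self.attached.add(mac)

    def radius_result(self, mac: str, accept: bool) -> None:
        """Authenticator applies the accept/reject instruction for one supplicant."""
        if accept:
            self.authenticated.add(mac)
        else:
            self.authenticated.discard(mac)

    def go_offline(self, mac: str) -> None:
        self.attached.discard(mac)
        self.authenticated.discard(mac)

    def port_authorized(self) -> bool:
        """Port-based mode: the controlled port is authorized while any supplicant is authenticated."""
        return bool(self.authenticated)

    def may_forward(self, mac: str) -> bool:
        """Whether service packets from this supplicant pass the controlled port."""
        if mac not in self.attached:
            return False
        if self.mode == "port":
            return self.port_authorized()      # everyone rides on the one authenticated session
        if self.mode == "mac":
            return mac in self.authenticated   # each supplicant is judged on its own
        raise ValueError(f"unknown control mode {self.mode!r}")


def walk_through(mode: str) -> dict:
    """Replay the manual's scenario for one mode; record what supplicant B may do at each step."""
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MAC addresses
    port = ControlledPort(mode)
    port.attach(a)
    port.attach(b)
    steps = {}
    steps["nobody_authenticated"] = port.may_forward(b)
    port.radius_result(a, accept=True)
    steps["after_a_accepted"] = port.may_forward(b)    # port mode: B rides on A's session
    port.go_offline(a)
    steps["after_a_offline"] = port.may_forward(b)     # port mode: B loses access together with A
    port.radius_result(b, accept=True)
    steps["after_b_accepted"] = port.may_forward(b)
    return steps


if __name__ == "__main__":
    for mode in ("port", "mac"):
        print(mode, walk_through(mode))
```

The step to look at is after_a_accepted: in port-based mode B forwards traffic although it never authenticated, which is why MAC-based control is the safer choice on ports that several hosts share (for example behind a hub or an unmanaged switch), while port-based control is acceptable only where exactly one host can be attached.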

The Mechanism of an 802.1x Authentication System

An IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP) to exchange information between the supplicant system and the authentication server.

Figure 1-2 The mechanism of an 802.1x authentication system

• EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets.

• EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets or be terminated at system PAEs. The system PAEs then communicate with RADIUS servers through Password Authentication Protocol (PAP) or Challenge-Handshake Authentication Protocol (CHAP) packets.

• When a supplicant system passes the authentication, the authentication server passes the information about the supplicant system to the authenticator system. The authenticator system in turn determines the state (authorized or unauthorized) of the controlled port according to the instructions (accept or reject) received from the RADIUS server.

Encapsulation of EAPoL Messages

The format of an EAPoL packet

EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs, EAP protocol packets are encapsulated in EAPoL format. The following figure illustrates the structure of an EAPoL packet.
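As an added example (not the manual's figure and not H3C code), the following builds and decodes EAPoL frames using the header layout IEEE 802.1X specifies: the EAPoL EtherType 0x888E, then a one-byte protocol version, a one-byte packet type, a two-byte body length, and, for packet type 0, an EAP packet with its own code, identifier, length and type fields. The parser checks that every length field agrees with the bytes actually present before trusting it, which is the check a switch or monitoring tool must make on frames from an unauthenticated supplicant. The two sample frames (an EAPOL-Start from the supplicant and an EAP-Request/Identity from the authenticator) and their MAC addresses are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                          # EtherType reserved for EAPoL
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")     # PAE group address supplicants send to
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_eapol(dst: bytes, src: bytes, packet_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPoL header (version 1, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, packet_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPoL frame, rejecting anything whose length fields do not add up."""
    if len(frame) < 18:                                   # 14 Ethernet + 4 EAPoL header bytes
        raise ValueError("frame too short for an EAPoL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: EtherType 0x{ethertype:04x}")
    version, packet_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:                             # length field claims more than we have
        raise ValueError("EAPoL body length exceeds frame")
    # Bytes after body_len are Ethernet padding and are deliberately ignored.
    result = {
        "dst": dst.hex(":"), "src": src.hex(":"), "version": version,
        "type": EAPOL_TYPES.get(packet_type, f"unknown({packet_type})"), "body_len": body_len,
    }
    if packet_type == 0:                                  # an EAP packet rides in the body
        if body_len < 4:
            raise ValueError("EAP header truncated")
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP length inconsistent with EAPoL body")
        eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier, "len": eap_len}
        if code in (1, 2) and eap_len >= 5:               # Request/Response carry a Type byte
            eap["type"] = body[4]
        result["eap"] = eap
    return result


def is_well_formed(frame: bytes) -> bool:
    """True when parse_eapol accepts the frame, False when it rejects it."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


# Constructed sample frames: the supplicant's EAPOL-Start and the authenticator's
# EAP-Request/Identity (EAP code 1, identifier 1, length 5, type 1).
SUPPLICANT_MAC = bytes.fromhex("020000000001")
AUTHENTICATOR_MAC = bytes.fromhex("020000000002")
EAPOL_START = build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 1)
EAP_REQUEST_IDENTITY = build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0,
                                   struct.pack("!BBHB", 1, 1, 5, 1))
TRUNCATED = EAP_REQUEST_IDENTITY[:-1]   # the length field now promises a byte that is not there

if __name__ == "__main__":
    print(parse_eapol(EAPOL_START))
    print(parse_eapol(EAP_REQUEST_IDENTITY))
    print("truncated frame accepted:", is_well_formed(TRUNCATED))
```

Because the uncontrolled port lets these frames through before any authentication has happened, the parser must never index past the bytes it has: both the EAPoL body length and the inner EAP length are bounded against the real frame size, and leftover bytes are treated as padding rather than parsed.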
