Authentication modes of 802.1x, Basic concepts of 802.1x, Controlled port and uncontrolled port – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Server is the entity that provides authentication services to Device. Server, normally running
RADIUS (Remote Authentication Dial-In User Service), performs authentication,
authorization, and accounting for users.
Authentication Modes of 802.1X
The 802.1X authentication system employs the Extensible Authentication Protocol (EAP) to exchange
authentication information between the client, device, and authentication server.
Between the client and the device, EAP protocol packets are encapsulated using EAPOL to be
transferred on the LAN.
Between the device and the RADIUS server, EAP protocol packets can be exchanged in two
modes: EAP relay and EAP termination. In EAP relay mode, EAP packets are encapsulated in EAP
over RADIUS (EAPOR) packets on the device, and then relayed by the device to the RADIUS server.
In EAP termination mode, EAP packets are terminated at the device, converted to RADIUS
packets carrying either the Password Authentication Protocol (PAP) or the Challenge Handshake
Authentication Protocol (CHAP) attribute, and then transferred to the RADIUS server.
Basic Concepts of 802.1X
These basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorized
state/unauthorized state, and control direction.
Controlled port and uncontrolled port
A device provides ports for clients to access the LAN. Each port can be regarded as a combination of two
logical ports: a controlled port and an uncontrolled port. Any packets arriving at the port are visible to
both of the logical ports.
The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL
protocol packets to pass, guaranteeing that the client can always send and receive authentication
packets.
The controlled port is open to allow data traffic to pass only when it is in the authorized state.
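The following is an added example, not code from the H3C manual or from H3C's implementation. It models the two logical ports described above and runs a constructed frame trace through them. The Port class, the helper names, the sample frames, and the rule that an EAP-Success or EAP-Failure sent by the device sets the port state are assumptions made for illustration.

```python
import struct

ETH_P_PAE = 0x888E                       # EtherType carried by EAPOL frames
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_SUCCESS, EAP_FAILURE = 3, 4

def eth(ethertype, payload):
    """Constructed Ethernet II frame (PAE group address as dst, made-up src)."""
    macs = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
    return macs + struct.pack("!H", ethertype) + payload

def eapol(ptype, body=b""):
    """EAPOL frame: version, packet type, body length, body."""
    return eth(ETH_P_PAE, struct.pack("!BBH", 2, ptype, len(body)) + body)

class Port:
    """Hypothetical model of one port seen as two logical ports."""
    def __init__(self):
        self.authorized = False          # controlled port starts unauthorized

    def handle(self, frame, from_device=False):
        """Return the logical port that carried the frame, or 'dropped'."""
        if len(frame) < 14:
            return "dropped"
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETH_P_PAE:       # data traffic: controlled port only
            return "controlled" if self.authorized else "dropped"
        if len(frame) < 18:              # truncated EAPOL header
            return "dropped"
        _ver, ptype, blen = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + blen]
        if ptype == EAPOL_LOGOFF and not from_device:
            self.authorized = False
        elif ptype == EAPOL_EAP_PACKET and from_device and body:
            # Assumption: the device relays the server's verdict as EAP-Success/Failure.
            if body[0] in (EAP_SUCCESS, EAP_FAILURE):
                self.authorized = body[0] == EAP_SUCCESS
        return "uncontrolled"            # EAPOL always passes, both directions

def replay(trace):
    """Run (frame, sent_by_device) pairs through a fresh port."""
    port = Port()
    return [port.handle(frame, dev) for frame, dev in trace]

DATA = eth(0x0800, b"constructed-payload")
SUCCESS = eapol(EAPOL_EAP_PACKET, struct.pack("!BBH", EAP_SUCCESS, 1, 4))
# Constructed trace: data, EAPOL-Start, EAP-Success, data, EAPOL-Logoff, data
SAMPLE = [(DATA, False), (eapol(EAPOL_START), False), (SUCCESS, True),
          (DATA, False), (eapol(EAPOL_LOGOFF), False), (DATA, False)]
```

In this model an EAP-Success frame that arrives from the client side leaves the state unchanged, because only a verdict sent by the device is allowed to open the controlled port.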
Authorized state and unauthorized state
A controlled port can be in either authorized state or unauthorized state, which depends on the
authentication result, as shown in
.