3Com Switch 7750 Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 8116fl Redundant Switch Fabric Module

381

382

383

384

385

386

387

388

389

390

390 CHAPTER 39: 802.1X CONFIGURATION

the authentication server system serves to perform AAA (authentication,

authorization, and accounting). It also stores user information, such as user

name, password, the VLAN a user belongs to, priority, and the ACLs (access

control list) applied.

Following are the four basic concept related with the above three entities, namely

the PAE, controlled port and uncontrolled port, the valid direction of a controlled

port and the way a port is controlled.

PAE

A PAE (port access entity) is responsible for the implementation of algorithm and

protocol-related operations in the authentication mechanism.

The authenticator system PAE authenticates the supplicant systems when they log

into the LAN and controls the authorizing state (on/off) of the controlled ports

according to the authentication result.

The supplicant system PAE responds to the authentication requests received from

the authenticator system and submits user authentication information to the

authenticator system. It can also send authentication and disconnection requests

to the authenticator system PAE.

Controlled port and uncontrolled port

The Authenticator system provides ports for supplicant systems to access a LAN. A

port of this kind is divided into a controlled port and an uncontrolled port.

■ The uncontrolled port can always send and receive packets. It mainly serves to

forward EAPoL packets to ensure that a supplicant system can send and receive

authentication requests.

■ The controlled port can be used to pass service packets when it is in authorized

state. It is blocked when not in authorized state. In this case, no packets can

pass through it.

■ Controlled port and uncontrolled port are two properties of a access port.

Packets reaching an access port are visible to both the controlled port and

uncontrolled port of the access port.

The valid direction of a controlled port

When a controlled port is in unauthorized state, you can configure it to be a

unidirectional port, which sends packets to supplicant systems only.

By default, a controlled port is a unidirectional port.

The way a port is controlled

A port of a 3Com series switch can be controlled in the following two ways.

■ Port-based authentication. When a port is controlled in this way, all the

supplicant systems connected to the port can access the network without

being authenticated after one supplicant system among them passes the

authentication. And when the authenticated supplicant system goes offline,

the others are denied as well.

■ MAC address-based authentication. All supplicant systems connected to a port

have to be authenticated individually in order to access the network. And when

a supplicant system goes offline, the others are not affected.