H3C S7500 Series Ethernet Switches Operation Manual
Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches Chapter 1
802.1x Configuration
[Figure: the supplicant system (supplicant PAE) connects over the LAN/WLAN to the authenticator system (authenticator PAE, services provided by the authenticator, a controlled port shown as not authorized, and an uncontrolled port), which in turn connects to the authentication server system (authentication server).]
Figure 1-1 Architecture of 802.1x authentication
• The supplicant system is an entity residing at one end of the LAN segment and is
authenticated by the authenticator system connected to the other end of the LAN
segment. The supplicant system is usually a user terminal device. An 802.1x
authentication is initiated when a user launches the 802.1x client program on the
supplicant system. Note that the 802.1x client program must support EAPoL
(extensible authentication protocol over LANs).
• The authenticator system authenticates the supplicant system. The authenticator
system is usually an 802.1x-supported network device (such as an H3C series
switch). It provides a port (physical or logical) for the supplicant system to access
the LAN.
• The authentication server system is an entity that provides authentication service
to the authenticator system. Normally in the form of a RADIUS server, the
authentication server system performs AAA (authentication, authorization,
and accounting). It also stores user information, such as user name, password,
the VLAN a user belongs to, priority, and the ACLs applied.
The following four basic concepts relate to the above three entities: PAE,
controlled port and uncontrolled port, control direction, and control mode.
I. PAE
A PAE (port access entity) is responsible for the implementation of algorithms and
protocol operations in the authentication mechanism.
The authenticator system PAE authenticates supplicant systems through the
authentication server when they log into the LAN and controls the authorization state of
the controlled ports according to the authentication results.
The supplicant system PAE responds to the authentication requests received from the
authenticator system and submits user authentication information to the authenticator
system. It can also send authentication and disconnection requests to the authenticator
system PAE.
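The PAE exchange described above can be followed on the wire by decoding EAPoL headers. The Python sketch below is an added example, not code from the manual or from H3C: it parses EAPoL frames and tracks a controlled port's authorization state from the results the authenticator sends. The type and code numbers come from IEEE 802.1X and the EAP specification rather than from this page; the names `parse_eapol`, `ControlledPort` and `frame`, and all sample frames, are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType assigned to EAPoL (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Return (eapol_type, eap_code), or None if the frame is not EAPoL."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    if len(frame) < 18:
        raise ValueError("truncated EAPoL header")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("truncated EAPoL body")
    code = None
    if ptype == 0:  # EAP-Packet: body starts with code, identifier, length
        if length < 4:
            raise ValueError("EAP packet shorter than its own header")
        code = EAP_CODES.get(body[0], "unknown")
    return EAPOL_TYPES.get(ptype, f"unknown({ptype})"), code

class ControlledPort:
    """Simplified model (assumption) of a controlled port driven by the authenticator PAE."""
    def __init__(self):
        self.authorized = False  # the port starts unauthorized

    def observe(self, frame: bytes, from_authenticator: bool) -> str:
        parsed = parse_eapol(frame)
        if parsed is None:  # ordinary traffic crosses only an authorized port
            return "forward" if self.authorized else "drop"
        kind, code = parsed
        if from_authenticator and code == "Success":
            self.authorized = True
        elif (not from_authenticator and kind == "EAPOL-Logoff") or (
                from_authenticator and code == "Failure"):
            self.authorized = False
        return kind

def frame(ethertype: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet frame (PAE group address, made-up source MAC)."""
    return bytes.fromhex("0180c2000003" "020000000001") + struct.pack("!H", ethertype) + payload

# Constructed sample frames: supplicant start/logoff, authenticator EAP-Success, IPv4 data
START = frame(EAPOL_ETHERTYPE, bytes([1, 1, 0, 0]))
LOGOFF = frame(EAPOL_ETHERTYPE, bytes([1, 2, 0, 0]))
SUCCESS = frame(EAPOL_ETHERTYPE, bytes([1, 0, 0, 4, 3, 1, 0, 4]))
DATA = frame(0x0800, b"\x45" + bytes(19))
```

Feeding `START`, `SUCCESS`, `DATA` and `LOGOFF` to `ControlledPort.observe` in that order shows data being forwarded only between the authenticator's EAP-Success and the supplicant's logoff.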