H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – 802.1x - MAC Authentication
Chapter 1 802.1x Configuration
Figure 1-1 Architecture of 802.1x
• Supplicant system: A system at one end of the LAN segment, which is
authenticated by the authenticator system at the other end. A supplicant system is
usually a user-end device and initiates 802.1x authentication through 802.1x client
software supporting the EAP over LANs (EAPOL) protocol.
• Authenticator system: A system at the other end of the LAN segment, which
authenticates the connected supplicant system. An authenticator system is
usually an 802.1x-enabled network device and provides ports (physical or logical)
for supplicants to access the LAN.
• Authentication server system: The system providing authentication, authorization,
and accounting services for the authenticator system. The authentication server,
usually a Remote Authentication Dial-in User Service (RADIUS) server, maintains
user information such as the username, password, VLAN that the user belongs to,
committed access rate (CAR) parameters, priority, and ACLs.
The above systems involve three basic concepts: PAE, controlled port, and control
direction.
I. PAE
Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and
protocol operations.
• The authenticator PAE uses the authentication server to authenticate a supplicant
trying to access the LAN and controls the status of the controlled port according to
the authentication result, putting the controlled port in the authorized or
unauthorized state. In the authorized state, the port allows user data to pass, enabling
the supplicant(s) to access the network resources; in the unauthorized state, the
port denies all data of the supplicant(s).
• The supplicant PAE responds to the authentication request of the authenticator
PAE and provides authentication information. The supplicant PAE can also send
authentication requests and logoff requests to the authenticator.
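The following is an added example, not code from the manual or from H3C. It models the interaction described above: a supplicant PAE sends requests, the authenticator PAE consults the authentication server, and the controlled port passes user data only in the authorized state. The message names, the USERS table and the dictionary message format are assumptions made for illustration and do not reproduce real EAPOL or RADIUS packets.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user records standing in for the RADIUS server's database.
USERS = {"alice": {"password": "s3cret", "vlan": 10}}

def auth_server(username, password):
    """Authentication server: return authorization attributes, or None on reject."""
    rec = USERS.get(username)
    if rec and hmac.compare_digest(rec["password"].encode(), password.encode()):
        return {"vlan": rec["vlan"]}
    return None

@dataclass
class AuthenticatorPAE:
    """Authenticator PAE for one controlled port (simplified model)."""
    authorized: bool = False
    vlan: Optional[int] = None

    def on_eapol(self, msg):
        """Handle a message from the supplicant PAE and return the reply."""
        kind = msg["type"]
        if kind == "start":                      # supplicant asks to authenticate
            return "request-identity"
        if kind == "response":                   # relay credentials to the server
            attrs = auth_server(msg["user"], msg["password"])
            self.authorized = attrs is not None
            self.vlan = attrs["vlan"] if attrs else None
            return "success" if self.authorized else "failure"
        if kind == "logoff":                     # supplicant ends the session
            self.authorized, self.vlan = False, None
            return "logged-off"
        return "ignored"

    def forward(self, frame):
        """Controlled port: pass user data only in the authorized state."""
        return frame if self.authorized else None

def demo():
    pae, log = AuthenticatorPAE(), []
    log.append(pae.forward("data-1"))  # before authentication: dropped
    pae.on_eapol({"type": "start"})
    log.append(pae.on_eapol({"type": "response", "user": "alice", "password": "bad"}))
    log.append(pae.forward("data-2"))  # failed authentication: still dropped
    log.append(pae.on_eapol({"type": "response", "user": "alice", "password": "s3cret"}))
    log.append(pae.forward("data-3"))  # authorized: passes
    pae.on_eapol({"type": "logoff"})
    log.append(pae.forward("data-4"))  # after logoff: dropped again
    return log
```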