3Com Switch 8800 Advanced Software V5 Configuration Guide

CHAPTER 71: 802.1X CONFIGURATION
Figure 265 Architecture of 802.1x

Supplicant system: A system at one end of the LAN segment, which is
authenticated by the system at the other end. A supplicant system is usually a
user-end device and initiates 802.1x authentication through 802.1x client
software supporting the EAP over LANs (EAPOL) protocol.

Authenticator system: A system at one end of the LAN segment, which
authenticates the system at the other end. An authenticator system is usually
an 802.1x-enabled network device and provides ports (physical or logical) for
supplicants to access the LAN.

Authentication server system: The system providing authentication,
authorization, and accounting services for the authenticator system.

The above systems involve three basic concepts: PAE, controlled port, and
control direction.
PAE

Port access entity (PAE) refers to the entity on a given port of a device that
performs the 802.1x algorithm and protocol operations. The authenticator PAE
uses the authentication server to authenticate a supplicant trying to access the
LAN and controls the status of the controlled port according to the authentication
result, placing the controlled port in the authorized or unauthorized state. The
supplicant PAE responds to the authentication request of the authenticator PAE
and provides authentication information. The supplicant PAE can also send
authentication requests and logoff requests to the authenticator.
Controlled port

An authenticator provides ports for supplicants to access the LAN. Each of the
ports can be regarded as two logical ports: a controlled port and an uncontrolled
port.

The uncontrolled port is always open in both the inbound and outbound
directions to allow EAPOL protocol frames to pass, guaranteeing that the
supplicant can always send and receive authentication frames.

The controlled port is open to allow normal traffic to pass only when it is in the
authorized state.

The controlled port and uncontrolled port are two parts of the same port. Any
frames arriving at the port are visible to both of them.
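
The following Python model is an added example, not code from the 3Com guide or the switch software. It shows how the two logical ports described above treat frames arriving from a supplicant before authentication, after it, and after a logoff request. The class and function names, MAC addresses and sample frames are constructed for illustration; 0x888E is the EtherType that identifies EAPOL frames.

```python
import struct

ETH_P_EAPOL = 0x888E  # EtherType of EAPOL frames
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

class AuthenticatorPort:
    """Hypothetical model of one 802.1x-enabled port (not 3Com code)."""
    def __init__(self):
        self.authorized = False  # controlled port starts unauthorized

    def auth_result(self, success):
        # Authenticator PAE applies the authentication server's verdict.
        self.authorized = bool(success)

    def receive(self, frame):
        """Return (logical port or 'drop', detail) for a frame from the supplicant."""
        if len(frame) < 14:
            return ("drop", "runt frame")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_EAPOL:
            # Uncontrolled port: EAPOL passes whatever the authorization state.
            if len(frame) < 18:
                return ("drop", "truncated EAPOL header")
            _ver, ptype, body_len = struct.unpack("!BBH", frame[14:18])
            if len(frame) < 18 + body_len:
                return ("drop", "EAPOL body shorter than declared")
            if ptype == 2:  # logoff request: controlled port becomes unauthorized
                self.authorized = False
            return ("uncontrolled", EAPOL_TYPES.get(ptype, "unknown"))
        # Controlled port: normal traffic passes only in the authorized state.
        if self.authorized:
            return ("controlled", "forwarded")
        return ("drop", "controlled port unauthorized")

def build_frame(ethertype, payload=b""):
    # Constructed sample frame with made-up locally administered MAC addresses.
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    return macs + struct.pack("!H", ethertype) + payload

def eapol(ptype, body=b""):
    return build_frame(ETH_P_EAPOL, struct.pack("!BBH", 1, ptype, len(body)) + body)

def demo():
    port = AuthenticatorPort()
    ipv4 = build_frame(0x0800, b"\x45" + b"\x00" * 19)  # constructed data frame
    out = [port.receive(ipv4), port.receive(eapol(1))]  # before authentication
    port.auth_result(True)
    out += [port.receive(ipv4), port.receive(eapol(2)), port.receive(ipv4)]
    return out
```
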

[Figure 265 diagram labels: supplicant system (supplicant PAE); authenticator system (authenticator PAE, services offered by authenticator's system, port unauthorized); authentication server system (authentication server); EAP protocol exchanges carried in higher layer protocol; LAN/WLAN]