Zte ZXR10 2900E series Configuration Manual page 120

Easy-maintenance secure switch

ZXR10 2900E Series Configuration Guide
physical ports or MAC address, VLAN, or IP address of the user equipment), the
authentication system has two logical ports: controlled port and uncontrolled port.
1. The uncontrolled port always allows bidirectional connections. It is used to
transfer EAPOL frames and ensures that the client can always send and receive
authentication messages.
2. The controlled port is enabled only after authentication is passed. It is used to
transfer network resources and services. The controlled port can be configured
as bidirectionally controlled or input-controlled to meet the requirements of different
applications. If a subscriber does not pass authentication, that subscriber cannot
access the services provided by the authentication system.
3. The controlled port and uncontrolled port in the IEEE 802.1x protocol are logical
ports. There are no such physical ports on the equipment. The IEEE 802.1x
protocol sets up a local authentication channel for each subscriber, and other
subscribers cannot use it. This prevents the port from being used by other
subscribers after the port is enabled.
• The authentication server is a RADIUS server. This server can store a lot of
subscriber information, such as the VLAN that the subscriber belongs to, CAR
parameters, priority, and the subscriber access control list. After a subscriber
passes authentication, the authentication server passes the information of
this subscriber to the authentication system, which creates a dynamic access
control list. The subsequent traffic of the subscriber is monitored according to the
above parameters. The authentication system communicates with the RADIUS server
through the RADIUS protocol.
RADIUS is a protocol standard used for authentication, authorization, and the exchange
of configuration data between the RADIUS server and the RADIUS client.
RADIUS uses the Client/Server mode. The Client runs on the NAS. It is responsible
for sending the subscriber information to the specified RADIUS server and carrying out
operations according to the result returned by the server.
The RADIUS Authentication Server is responsible for receiving the subscriber connection
request, verifying the subscriber identity, and returning the configuration information
required by the client. A RADIUS Authentication Server can also act as a proxy
client to another RADIUS Authentication Server.
The RADIUS Accounting Server is responsible for receiving the subscriber billing start
request and subscriber billing stop request, and completing the billing function.
The NAS communicates with the RADIUS Server through RADIUS packets. Attributes in
the RADIUS packets are used to transfer the detailed authentication, authorization, and
billing information.
The EAP protocol is used between the switch and the subscriber. Three types of identity
authentication methods are provided between the RADIUS servers: PAP, CHAP, and
EAP-MD5. Any of the methods can be used according to different service operation
requirements.
• Password Authentication Protocol (PAP)
5-72
SJ-20130731155059-002|2013-11-27 (R1.0)
ZTE Proprietary and Confidential
