HP ProCurve 9304M Security Manual page 89

Configuring 802.1X Port Security
EAPOL messages are passed between the Port Access Entity (PAE) on the Supplicant and the Authenticator.
Figure 4.2 shows the relationship between the Authenticator PAE and the Supplicant PAE.
Figure 4.2 Authenticator PAE and Supplicant PAE
Authentication
Server
HP Device
(Authenticator)
802.1X-Enabled
Supplicant
Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE, receiving identifying
information from the Supplicant. Acting as a RADIUS client, the Authenticator PAE passes the Supplicant's
information to the Authentication Server, which decides whether the Supplicant can gain access to the port. If the
Supplicant passes authentication, the Authenticator PAE grants it access to the port.
Supplicant PAE – The Supplicant PAE supplies information about the Client to the Authenticator PAE and
responds to requests from the Authenticator PAE. The Supplicant PAE can also initiate the authentication
procedure with the Authenticator PAE, as well as send logoff messages.
Controlled and Uncontrolled Ports
A physical port on the device used with 802.1X port security has two virtual access points: a controlled port and
an uncontrolled port. The controlled port provides full access to the network. The uncontrolled port provides
access only for EAPOL traffic between the Client and the Authentication Server. When a Client is successfully
authenticated, the controlled port is opened to the Client. Figure 4.3 illustrates this concept.
June 2005 4 - 3