Security Guide for ProCurve 9300/9400 Series Routing Switches
Figure 4.3 Controlled and Uncontrolled Ports before and after Client authentication
[Figure: two panels, "Before Authentication" and "After Authentication", each showing the Authentication Server, the HP Device (Authenticator), and the 802.1X-Enabled Supplicant.]
Before a Client is authenticated, only the uncontrolled port on the Authenticator is open. The uncontrolled port
allows only EAPOL frames to be exchanged between the Client and the Authentication Server. The controlled
port is in the unauthorized state and allows no traffic to pass through.
During authentication, EAPOL messages are exchanged between the Supplicant PAE and the Authenticator PAE,
and RADIUS messages are exchanged between the Authenticator PAE and the Authentication Server. See
"Message Exchange During Authentication" on page 4-4 for an example of this process. If the Client is
successfully authenticated, the controlled port becomes authorized, and traffic from the Client can flow through
the port normally.
By default, all controlled ports on the HP device are placed in the authorized state, allowing all traffic. When
authentication is activated on an 802.1X-enabled interface, the interface's controlled port is placed initially in the
unauthorized state. When a Client connected to the port is successfully authenticated, the controlled port is then
placed in the authorized state until the Client logs off. See "Enabling 802.1X Port Security" on page 4-10 for more
information.
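The port behavior described above, as an added example that is not taken from the manual or from HP's software: a small model of one Authenticator interface that classifies frames arriving from the Client. The class and function names are hypothetical, frames are assumed to be untagged, and the RADIUS verdict is delivered by a direct method call rather than a real RADIUS exchange.

```python
import struct

ETHERTYPE_EAPOL = 0x888E            # EtherType assigned to EAPOL (IEEE 802.1X)
EAPOL_START, EAPOL_LOGOFF = 1, 2    # EAPOL packet types

class AuthenticatorPort:
    """Hypothetical model of one Authenticator interface; not HP code."""

    def __init__(self, dot1x_enabled):
        self.dot1x_enabled = dot1x_enabled
        # Default is authorized; activating 802.1X starts the controlled
        # port in the unauthorized state.
        self.authorized = not dot1x_enabled

    def on_radius_result(self, accepted):
        """Apply the Authentication Server's verdict to the controlled port."""
        if self.dot1x_enabled:
            self.authorized = bool(accepted)

    def receive(self, frame):
        """Classify an untagged frame from the Client.

        Returns 'uncontrolled' (handed to the Authenticator PAE),
        'controlled' (forwarded normally) or 'drop'.
        """
        if len(frame) < 14:                       # truncated Ethernet header
            return "drop"
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if self.dot1x_enabled and ethertype == ETHERTYPE_EAPOL:
            if len(frame) < 18:                   # EAPOL header is 4 bytes
                return "drop"
            if frame[15] == EAPOL_LOGOFF:         # Client logs off
                self.authorized = False
            return "uncontrolled"
        return "controlled" if self.authorized else "drop"

def frame(ethertype, payload):
    """Build a constructed sample frame (both MAC addresses are made up)."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed samples: EAPOL-Start, EAPOL-Logoff, and an IPv4 data frame.
START = frame(ETHERTYPE_EAPOL, bytes([1, EAPOL_START, 0, 0]))
LOGOFF = frame(ETHERTYPE_EAPOL, bytes([1, EAPOL_LOGOFF, 0, 0]))
DATA = frame(0x0800, b"\x45" + bytes(19))
```

Feeding DATA to a port created with 802.1X enabled returns 'drop' until on_radius_result(True) is called, and again after LOGOFF is received.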
Message Exchange During Authentication
Figure 4.4 illustrates a sample exchange of messages between an 802.1X-enabled Client, an HP device acting as
Authenticator, and a RADIUS server acting as an Authentication Server.
4 - 4
June 2005