H3C S5120-EI Series Operation Manual page 634

The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL
protocol frames to pass, guaranteeing that the client can always send and receive authentication
frames.
The controlled port is open to allow data traffic to pass only when it is in the authorized state.
The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the
port are visible to both of them.
Authorized state and unauthorized state
The device uses the authentication server to authenticate a client trying to access the LAN and controls
the status of the controlled port depending on the authentication result, putting the controlled port in the
authorized state or unauthorized state, as shown in
Figure 1-2 Authorized/unauthorized status of a controlled port
You can set the access control mode of a specified port to control the authorization status. The access
control modes include:
authorized-force: Places the port in the authorized state, allowing users of the ports to access the
network without authentication.
unauthorized-force: Places the port in the unauthorized state, denying any access requests from
users of the ports.
auto: Places the port in the unauthorized state initially to allow only EAPOL frames to pass, and
turns the ports into the authorized state to allow access to the network after the users pass
authentication. This is the most common choice.
Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the client or just the
traffic from the client.
Currently, your device can only be set to deny traffic from the client.
Figure 1-2.
1-4