H3C S3610-28P Operation Manual page 873

Operation Manual – 802.1x-HABP-MAC Authentication
H3C S3610&S5510 Series Ethernet Switches
Figure 1-1 Architecture of 802.1x
Supplicant system: A system at one end of the LAN segment, which is
authenticated by the authenticator system at the other end. A supplicant system is
usually a user-end device and initiates 802.1x authentication through 802.1x client
software supporting the EAP over LANs (EAPOL) protocol.
Authenticator system: A system at the other end of the LAN segment, which
authenticates the connected supplicant system. An authenticator system is
usually an 802.1x-enabled network device and provides ports (physical or logical)
for supplicants to access the LAN.
Authentication server system: The system providing authentication, authorization,
and accounting services for the authenticator system. The authentication server,
usually a Remote Authentication Dial-in User Service (RADIUS) server, maintains
user information like username, password, VLAN that the user belongs to,
committed access rate (CAR) parameters, priority, and ACLs.
The above systems involve three basic concepts: PAE, controlled port, control
direction.
I. PAE
Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and
protocol operations.
The authenticator PAE uses the authentication server to authenticate a supplicant
trying to access the LAN and controls the status of the controlled port according to
the authentication result, putting the controlled port in the state of authorized or
unauthorized. In authorized state, the supplicant can access network resources
without authentication; in unauthorized state, the supplicant can receive and send
EAPOL frames rather than accessing network resources.
The supplicant PAE responds to the authentication request of the authenticator
PAE and provides authentication information. The supplicant PAE can also send
authentication requests and logoff requests to the authenticator.
1-2
Chapter 1 802.1x Configuration