Planet Networking & Communication WGSW-50040 Configuration Manual page 196

50-port 10/100/1000Mbps with 4 shared SFP managed Gigabit switch

The authenticator system is another entity at one end of the LAN segment; it authenticates the
connected supplicant systems. An authenticator system is usually a network device that supports the
802.1X protocol and provides ports through which supplicant systems access the LAN. The ports
provided can be either physical or logical.
The authentication server system is an entity that provides authentication service for authenticator
systems. It is used to authenticate and authorize users, as well as to perform fee-counting
(accounting), and is usually a RADIUS (Remote Authentication Dial-In User Service) server,
which can store the relevant user information, including username, password and other parameters
such as the VLAN and ports to which the user belongs.
The three entities above involve the following basic concepts: the PAE of the port, the controlled
ports and the controlled direction.
1. PAE
PAE (Port Access Entity) is the entity that carries out the algorithms and protocol operations.
The PAE of the supplicant system responds to authentication requests from the
authenticator system and submits the user's authentication information to the authenticator system. It
can also send authentication requests and off-line requests to the authenticator.
The PAE of the authenticator system authenticates, via the authentication server system, the
supplicant systems that need to access the LAN, and sets the authenticated/unauthenticated state of
the controlled port according to the result of the authentication. The authenticated state means the
user is allowed to access network resources; the unauthenticated state means only EAPOL
messages may be received and sent, and the user is forbidden to access network
resources.
2. Controlled/uncontrolled ports
The authenticator system provides ports to access the LAN for the supplicant systems. These ports can be
divided into two kinds of logical ports: controlled ports and uncontrolled ports.
The uncontrolled port is always in bi-directionally connected status and is mainly used to transmit
EAPOL protocol frames, which guarantees that the supplicant systems can always send and receive
authentication messages.
The controlled port is in connected status only when authenticated, and then transmits service
messages. When unauthenticated, no message from supplicant systems is allowed to be received.
The controlled and uncontrolled ports are two parts of one port, which means each frame reaching
this port is visible on both the controlled and uncontrolled ports.
3. Controlled direction
In unauthenticated status, controlled ports can be set as unidirectionally controlled or bi-directionally controlled.
When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden.
When the port is unidirectionally controlled, no frames can be received from the supplicant systems,
while sending frames to the supplicant systems is allowed.
At present, this kind of switch only supports unidirectional control.
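The port logic of sections 2 and 3, as an added Python example (not taken from the manual or from the switch firmware): it parses the EAPOL header of a frame and decides which logical port passes it. The function names, the sample frames and the assumption of untagged Ethernet frames are constructed for illustration.

```python
import struct
from enum import Enum

ETHERTYPE_EAPOL = 0x888E  # EtherType of EAP over LAN (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

class Control(Enum):
    UNIDIRECTIONAL = "in"   # unauthenticated: only frames from the supplicant are blocked
    BIDIRECTIONAL = "both"  # unauthenticated: frames in both directions are blocked

def parse_eapol(frame: bytes):
    """Return (type_name, body_length) for an untagged EAPOL frame, else None."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack_from("!BBH", frame, 14)
    if len(frame) < 18 + length:  # truncated body: not accepted as EAPOL
        return None
    return EAPOL_TYPES.get(ptype, f"unknown({ptype})"), length

def port_decision(frame: bytes, ingress: bool, authenticated: bool, control: Control) -> str:
    """Decide which logical port, if any, passes the frame."""
    if parse_eapol(frame) is not None:
        return "uncontrolled: pass"  # EAPOL always passes, in both directions
    if authenticated:
        return "controlled: pass"
    if not ingress and control is Control.UNIDIRECTIONAL:
        # Frames toward an unauthenticated supplicant are still delivered.
        return "controlled: pass (egress only)"
    return "controlled: drop"

# Constructed sample frames (not captured traffic).
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
HOST = bytes.fromhex("020000000001")       # made-up locally administered MAC
EAPOL_START = PAE_GROUP + HOST + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 1, 0)
IPV4_FRAME = HOST + HOST + struct.pack("!H", 0x0800) + b"\x00" * 46

if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", EAPOL_START), ("IPv4", IPV4_FRAME)):
        for ingress in (True, False):
            for mode in Control:
                print(name, "ingress" if ingress else "egress", mode.name,
                      "->", port_decision(frame, ingress, False, mode))
```

With unidirectional control, the only mode this switch supports, the unauthenticated rows show service frames still leaving toward the supplicant while nothing but EAPOL is accepted from it.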