The Mechanism Of An 802.1X Authentication System; Encapsulation Of Eapol Messages - H3C S3600 Series Operation Manual

Operation Manual – 802.1x
H3C S3600 Series Ethernet Switches-Release 1510
By default, a controlled port is a unidirectional port.
IV. The way a port is controlled
A port of an H3C series switch can be controlled in the following two ways.
Port-based authentication. When a port is controlled in this way, all the supplicant
systems connected to the port can access the network without being
authenticated after one supplicant system among them passes the authentication.
And when the authenticated supplicant system goes offline, the others are denied
as well.
MAC address-based authentication. All supplicant systems connected to a port
have to be authenticated individually in order to access the network. And when a
supplicant system goes offline, the others are not affected.

1.1.2 The Mechanism of an 802.1x Authentication System

An IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP)
to exchange information between supplicant systems and the authentication servers.
[Figure: supplicant system PAE <-- EAPoL --> authenticator system PAE <-- EAP/PAP/CHAP exchanges carried by RADIUS protocol --> authentication server]
Figure 1-2 The mechanism of an 802.1x authentication system
EAP protocol packets transmitted between the supplicant system PAE and the
authenticator system PAE are encapsulated as EAPoL packets.
EAP protocol packets transmitted between the authenticator system PAE and the
RADIUS server can either be encapsulated as EAPoR (EAP over RADIUS)
packets or be terminated at system PAEs. The system PAEs then communicate
with RADIUS servers through PAP (password authentication protocol) or CHAP
(challenge-handshake authentication protocol) packets.
When a supplicant system passes the authentication, the authentication server
passes the information about the supplicant system to the authenticator system.
The authenticator system in turn determines the state (authorized or unauthorized)
of the controlled port according to the instructions (accept or reject) received from
the RADIUS server.
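
The EAPoL encapsulation between the supplicant system PAE and the authenticator system PAE can be seen by decoding a frame. The parser below is an added example, not code from the H3C manual; its field layout (EtherType 0x888E, the version/type/length header, the EAP code/identifier/length header) is taken from IEEE 802.1X and RFC 3748, and the sample frames and the identity "alice" are constructed. It assumes untagged Ethernet II frames.

```python
import struct

ETH_P_PAE = 0x888E  # EtherType assigned to EAPoL (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def parse_eapol(frame: bytes) -> dict:
    """Decode an untagged Ethernet II frame carrying EAPoL; raise ValueError if malformed."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPoL headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_PAE:
        raise ValueError("not an EAPoL frame")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]  # slicing by length drops Ethernet padding
    if len(body) != length:
        raise ValueError("EAPoL length exceeds captured bytes")
    out = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
           "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:  # body is an EAP packet: code, identifier, length, [type, data]
        out["eap"] = parse_eap(body)
    return out


def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2) and length > 4:  # only Request/Response carry a method type
        eap["method"] = EAP_METHODS.get(pkt[4], f"type {pkt[4]}")
        eap["data"] = pkt[5:length]
    return eap


# Constructed sample frames (not captures): supplicant 02:00:00:00:00:01 -> PAE group address.
PAE_GROUP = bytes.fromhex("0180c2000003")
SUPPLICANT = bytes.fromhex("020000000001")
START = PAE_GROUP + SUPPLICANT + struct.pack("!HBBH", ETH_P_PAE, 1, 1, 0)
_eap = struct.pack("!BBHB", 2, 1, 5 + 5, 1) + b"alice"
IDENTITY = PAE_GROUP + SUPPLICANT + struct.pack("!HBBH", ETH_P_PAE, 1, 0, len(_eap)) + _eap

if __name__ == "__main__":
    for f in (START, IDENTITY):
        print(parse_eapol(f))
```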

1.1.3 Encapsulation of EAPoL Messages

I. The format of an EAPoL packet
EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol
packets to be transmitted between supplicant systems and authenticator systems
Chapter 1 802.1x Configuration
