Chapter 1 802.1X Configuration; Overview; Standard Overview; System Architecture - Huawei Quidway S6500 Series Operation Manual

Operation Manual - Security
Quidway S6500 Series Ethernet Switches

Chapter 1 802.1x Configuration

1.1 802.1x Overview
1.1.1 802.1x Standard Overview
IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control
protocol that is used as the standard for LAN user access authentication.
"Port Based Network Access Control" means to authenticate and control all the
accessed devices on the port of LAN access control device. If the user's device
connected to the port can pass the authentication, the user can access the resources in
the LAN. Otherwise, the user cannot access the resources in the LAN. It equals that the
user is physically disconnected.
802.1x defines port based network access control protocol and only defines the
point-to-point connection between the access device and the access port. The port can
be either physical or logical. The typical application environment is as follows: Each
physical port of the LAN Switch only connects to one user workstation (based on the
physical port) and the wireless LAN access environment defined by the IEEE 802.11
standard (based on the logical port), etc.
1.1.2 802.1x System Architecture
The system using the 802.1x is the typical C/S (Client/Server) system architecture. It
contains three entities, which are illustrated in the following figure: Supplicant System,
Authenticator System and Authentication Server System.
The LAN access control device needs to provide the Authenticator System of 802.1x.
The devices at the user side such as the computers need to be installed with the 802.1x
client Supplicant software, for example, the 802.1x client provided by Huawei
Technologies Co., Ltd. (or by Microsoft Windows XP). The 802.1x Authentication
Server system normally stays in the carrier's AAA center.
Authenticator and Authentication Server exchange information through EAP
(Extensible Authentication Protocol) frames. The Supplicant and the Authenticator
exchange information through the EAPoL (Extensible Authentication Protocol over
LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP
frame, which is to be encapsulated in the packets of other AAA upper layer protocols
(e.g. RADIUS) so as to go through the complicated network to reach the Authentication
Server. Such procedure is called EAP Relay.
There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the
other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection
state. The user can access and share the network resources any time through the ports.
Huawei Technologies Proprietary
1-1
Chapter 1 802.1x Configuration