3Com 4500 Configuration Manual page 298

Figure 1-1 Architecture of 802.1x authentication
The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN
segment and is authenticated by the authenticator system at the other end of the LAN segment.
The supplicant system is usually a user terminal device. An 802.1x authentication is triggered when
a user launches an 802.1x-capable client program on the supplicant system. Note that the client
program must support the extensible authentication protocol over LAN (EAPoL).
The authenticator system, residing at the other end of the LAN segment, is the entity that
authenticates the connected supplicant system. The authenticator system is usually an
802.1x-supported network device, such as an H3C series switch. It provides the port (physical or
logical) for the supplicant system to access the LAN.
The authentication server system is the entity that provides authentication services to the
authenticator system. The authentication server system, usually a RADIUS server, serves to
perform Authentication, Authorization, and Accounting (AAA) services to users. It also stores user
information, such as user name, password, the VLAN a user should belong to, priority, and any
Access Control Lists (ACLs) to be applied.
There are four additional basic concepts related 802.1x: port access entity (PAE), controlled port and
uncontrolled port, the valid direction of a controlled port and the access control method on ports.
I. PAE
A port access entity (PAE) is responsible for implementing algorithms and performing protocol-related
operations in the authentication mechanism.
The authenticator system PAE authenticates the supplicant systems when they log into the LAN
and controls the status (authorized/unauthorized) of the controlled ports according to the
authentication result.
The supplicant system PAE responds to the authentication requests received from the
authenticator system and submits user authentication information to the authenticator system. It
also sends authentication requests and disconnection requests to the authenticator system PAE.
Controlled port and uncontrolled port
The authenticator system provides ports for supplicant systems to access a LAN. Logically, a port of this
kind is divided into a controlled port and an uncontrolled port.
The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL
packets to ensure that a supplicant system can send and receive authentication requests.
1-2