The Mechanism Of An 802.1X Authentication System - H3C S5100-SI Operation Manual


The uncontrolled port can always send and receive packets. It mainly serves to forward
EAPoL packets to ensure that a supplicant system can send and receive authentication
requests.

The controlled port can be used to pass service packets when it is in authorized state.
It is blocked when not in authorized state. In this case, no packets can pass through it.

Controlled port and uncontrolled port are two properties of a port. Packets reaching a
port are visible to both the controlled port and uncontrolled port of the port.

The valid direction of a controlled port

When a controlled port is in unauthorized state, you can configure it to be a unidirectional
port, which sends packets to supplicant systems only.
By default, a controlled port is a unidirectional port.

The way a port is controlled

A port of an H3C series switch can be controlled in the following two ways.

- Port-based authentication. When a port is controlled in this way, all the supplicant
  systems connected to the port can access the network without being authenticated
  after one supplicant system among them passes the authentication. When the
  authenticated supplicant system goes offline, the others are denied as well.
- MAC-based authentication. All supplicant systems connected to a port have to be
  authenticated individually in order to access the network. When a supplicant
  system goes offline, the others are not affected.

The Mechanism of an 802.1x Authentication System

The IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP) to
exchange information between the supplicant system and the authentication server.

Figure 1-2 The mechanism of an 802.1x authentication system

- EAP protocol packets transmitted between the supplicant system PAE and the
  authenticator system PAE are encapsulated as EAPoL packets.
- EAP protocol packets transmitted between the authenticator system PAE and the
  RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets or
  be terminated at system PAEs. The system PAEs then communicate with RADIUS
  servers through Password Authentication Protocol (PAP) or Challenge-Handshake
  Authentication Protocol (CHAP) packets.

When a supplicant system passes the authentication, the authentication server passes
the information about the supplicant system to the authenticator system. The
authenticator system in turn determines the state (authorized or unauthorized) of the
controlled port according to the instructions (accept or reject) received from the
RADIUS server.
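
The following Python sketch is an added example, not part of the H3C manual or H3C software. It models the forwarding decision described above for frames arriving from supplicant systems: EAPoL always passes through the uncontrolled port, and service frames pass through the controlled port only after an accept from the RADIUS server, under both port-based and MAC-based control. The Port class, its method names and the MAC addresses are hypothetical, and the direction setting of the controlled port is not modeled.

```python
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E  # EtherType that identifies EAPoL frames
ETHERTYPE_IPV4 = 0x0800   # stands in for any service packet


@dataclass
class Port:
    """Toy model of one 802.1x-enabled switch port (hypothetical names)."""
    mode: str                                      # "port-based" or "mac-based"
    authorized: set = field(default_factory=set)   # MACs the server accepted

    def radius_result(self, mac: str, accept: bool) -> None:
        """Apply the accept/reject instruction received for one supplicant."""
        if accept:
            self.authorized.add(mac)
        else:
            self.authorized.discard(mac)

    def logoff(self, mac: str) -> None:
        """The supplicant system goes offline."""
        self.authorized.discard(mac)

    def forwards(self, src_mac: str, ethertype: int) -> bool:
        """Would a frame arriving from src_mac be let through this port?"""
        if ethertype == ETHERTYPE_EAPOL:
            return True                    # uncontrolled port: always open
        if self.mode == "port-based":
            return bool(self.authorized)   # one accepted supplicant opens the port for all
        return src_mac in self.authorized  # mac-based: judged per supplicant


def demo(mode: str) -> list:
    """Constructed scenario: hosts A and B share one port, only A authenticates."""
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # constructed MAC addresses
    port = Port(mode)
    trace = [port.forwards(b, ETHERTYPE_EAPOL), port.forwards(a, ETHERTYPE_IPV4)]
    port.radius_result(a, accept=True)
    trace += [port.forwards(a, ETHERTYPE_IPV4), port.forwards(b, ETHERTYPE_IPV4)]
    port.logoff(a)
    trace += [port.forwards(a, ETHERTYPE_IPV4), port.forwards(b, ETHERTYPE_IPV4)]
    return trace


if __name__ == "__main__":
    for m in ("port-based", "mac-based"):
        print(m, demo(m))
```

The fourth value of each trace is the one to compare: host B, which never authenticated, is forwarded in port-based mode and blocked in MAC-based mode.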

This manual is also suitable for:

H3C S5100-EI