The Mechanism Of An 802.1X Authentication System - H3C S5600 Series Operation Manual

Operation Manual – 802.1x and System Guard
H3C S5600 Series Ethernet Switches
The authenticator system PAE authenticates the supplicant systems when they
log into the LAN and controls the status (authorized/unauthorized) of the
controlled ports according to the authentication result.
The supplicant system PAE responds to the authentication requests received from
the authenticator system and submits user authentication information to the
authenticator system. It also sends authentication requests and disconnection
requests to the authenticator system PAE.
II. Controlled port and uncontrolled port
The authenticator system provides ports for supplicant systems to access a LAN.
Logically, a port of this kind is divided into a controlled port and an uncontrolled port.
The uncontrolled port can always send and receive packets. It mainly serves to
forward EAPoL packets to ensure that a supplicant system can send and receive
authentication requests.
The controlled port can be used to pass service packets when it is in authorized
state. It is blocked when not in authorized state. In this case, no packets can pass
through it.
Controlled port and uncontrolled port are two properties of a port. Packets
reaching a port are visible to both the controlled port and uncontrolled port of the
port.
III. The valid direction of a controlled port
When a controlled port is in unauthorized state, you can configure it to be a
unidirectional port, which sends packets to supplicant systems only.
By default, a controlled port is a unidirectional port.
IV. The way a port is controlled
A port of a H3C series switch can be controlled in the following two ways.
Port-based authentication. When a port is controlled in this way, all the supplicant
systems connected to the port can access the network without being
authenticated after one supplicant system among them passes the authentication.
And when the authenticated supplicant system goes offline, the others are denied
as well.
MAC-based authentication. All supplicant systems connected to a port have to be
authenticated individually in order to access the network. And when a supplicant
system goes offline, the others are not affected.

1.1.2 The Mechanism of an 802.1x Authentication System

IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP)
to exchange information between the supplicant system and the authentication server.
1-3
Chapter 1 802.1x Configuration