■ The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send and receive authentication frames.
■ The controlled port is open to allow normal traffic to pass only when it is in the authorized state.
■ The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.

Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the supplicant or just the traffic from the supplicant.
Currently, the devices support only denying the traffic from the supplicant.

Operation of 802.1x
The 802.1x authentication system employs the Extensible Authentication Protocol (EAP) to exchange authentication information between the supplicant PAE, authenticator PAE, and authentication server.

Figure 211 Operation of 802.1x
[Figure: supplicant system (PAE) <-- EAPOL --> authenticator system (PAE) <-- RADIUS --> authentication server system]

EAP Encapsulation over LANs
■ Between the supplicant PAE and authenticator PAE, EAP protocol packets are encapsulated using EAP Encapsulation over LANs and transferred over the LAN.
■ Between the authenticator PAE and authentication server, EAP protocol packets can be handled in two modes: EAP relay and EAP termination. In EAP relay mode, EAP protocol packets are encapsulated by using the EAP Encapsulation over RADIUS (Remote Authentication Dial-In User Service) and then relayed to the RADIUS server. In EAP termination mode, EAP protocol packets are terminated at the authenticator PAE, repackaged in the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) attributes of RADIUS packets, and then transferred to the RADIUS server.
■ After a user passes the authentication, the authentication server passes information about the user to the authenticator, which then controls the status of the controlled port according to the instruction of the authentication server.
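The following Python example is added here to make the difference between EAP relay and EAP termination concrete; it is not code from the manual or from the device vendor. It builds the RADIUS Access-Request an authenticator would send in each mode: in relay mode the EAP packet is carried unchanged in EAP-Message attributes (type 79) together with a Message-Authenticator (type 80), which RFC 3579 requires whenever EAP-Message is present; in termination mode (the PAP variant) the authenticator has already extracted the credentials and sends User-Name (1) and User-Password (2), the latter hidden with the RFC 2865 MD5 scheme. Attribute numbers and encodings are from RFC 2865 and RFC 3579; the shared secret, request authenticator and credentials are constructed sample values.

```python
"""
Added example (not the manual's code): RADIUS Access-Request construction for
the two authenticator-to-server modes, EAP relay and EAP termination (PAP).
Attribute numbers/encodings per RFC 2865 and RFC 3579; sample values constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def radius_packet(code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """RADIUS header (code, identifier, length, 16-byte authenticator) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(packet: bytes) -> dict:
    """Attributes as {type: [values]}; EAP-Message may appear several times."""
    result, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        result.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return result


def _md5_stream_xor(data: bytes, secret: bytes, request_auth: bytes, mode: str) -> bytes:
    """RFC 2865 section 5.2: block i is XORed with MD5(secret + previous ciphertext block);
    the first block is keyed by the request authenticator. Same chain for hide and reveal."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if mode == "hide" else data[i:i + 16]   # ciphertext either way
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_stream_xor(padded, secret, request_auth, "hide")


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _md5_stream_xor(hidden, secret, request_auth, "reveal").rstrip(b"\x00")


def eap_relay_request(eap_packet: bytes, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """EAP relay: the EAP packet is split into <=253-byte EAP-Message attributes, and
    Message-Authenticator = HMAC-MD5(secret, packet with that attribute's value zeroed)."""
    attrs = b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253])
                     for i in range(0, len(eap_packet), 253))
    zeroed = radius_packet(ACCESS_REQUEST, ident, request_auth,
                           attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return radius_packet(ACCESS_REQUEST, ident, request_auth,
                         attrs + attr(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: locate the attribute, zero its value, recompute the HMAC."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += alen
    return False   # absent: RFC 3579 says reject when EAP-Message is present


def eap_termination_pap_request(username: bytes, password: bytes, secret: bytes,
                                ident: int, request_auth: bytes) -> bytes:
    """EAP termination (PAP): no EAP-Message at all; the authenticator has already
    ended the EAP exchange and forwards the credentials as User-Name / User-Password."""
    attrs = attr(USER_NAME, username) + \
        attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return radius_packet(ACCESS_REQUEST, ident, request_auth, attrs)


# Constructed sample: EAP-Response/Identity "alice" (code 2, id 1, length 10, type 1).
SAMPLE_EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
SAMPLE_SECRET = b"demo-shared-secret"       # constructed, not a deployment value
SAMPLE_REQUEST_AUTH = bytes(range(16))      # constructed; real code uses os.urandom(16)

if __name__ == "__main__":
    relay = eap_relay_request(SAMPLE_EAP_IDENTITY, SAMPLE_SECRET, 7, SAMPLE_REQUEST_AUTH)
    print("relay attrs:", sorted(parse_attrs(relay)),
          "Message-Authenticator ok:", verify_message_authenticator(relay, SAMPLE_SECRET))
    term = eap_termination_pap_request(b"alice", b"s3cret", SAMPLE_SECRET, 8, SAMPLE_REQUEST_AUTH)
    print("termination attrs:", sorted(parse_attrs(term)))
```

The two requests make the trust difference visible: in relay mode the authenticator never interprets the EAP method and the server can check Message-Authenticator end to end, while in termination mode the authenticator itself holds the user's credentials and can only forward what PAP or CHAP attributes can express, so the choice of mode also decides which EAP methods are usable and which device must be trusted with credentials.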
EAPOL frame format
EAPOL, defined by 802.1x, is intended to carry EAP protocol packets between supplicants and authenticators over LANs. Figure 212 shows the EAPOL frame format.

802.1x Overview 717
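As an added example (not code from the manual or the device vendor), the Python below models the controlled and uncontrolled port pair and the control-direction setting described earlier on this page, and parses the EAPOL frames that the uncontrolled port lets through. The uncontrolled port passes EAPOL frames (Ethertype 0x888E) in both directions regardless of state; the controlled port passes everything else only once the server's decision has set it to authorized; and in the "deny only traffic from the supplicant" mode the text says the devices support, frames towards the supplicant still pass while unauthorized. The EAPOL and EAP header layout follows IEEE 802.1X and RFC 3748 (the figure itself is not reproduced on this page); the MAC addresses and sample frames are constructed for the demo, and the EAPOL-Logoff handling reflects standard 802.1X behaviour rather than anything this page states.

```python
"""
Added example (not the manual's code): controlled/uncontrolled port model and an
EAPOL/EAP header parser. Field layout per IEEE 802.1X / RFC 3748; sample frames
and MAC addresses are constructed.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("020000000001")     # constructed
AUTHENTICATOR_MAC = bytes.fromhex("020000000002")  # constructed


def build_eap(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    """EAP packet: code, identifier, length (whole packet), type, type-data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def build_eapol(src: bytes, dst: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying an EAPOL PDU: version 1, packet type, body length."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for EAP-Packet, the EAP header it carries.
    Every length field is checked against what is actually present on the wire."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype, version, ptype, blen = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"src": frame[6:12], "dst": frame[:6], "version": version,
            "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        if blen < 4:
            raise ValueError("EAP header truncated")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > blen:
            raise ValueError("EAP length field inconsistent with EAPOL body")
        info.update(eap_code=EAP_CODES.get(code, code), eap_id=ident)
        if code in (1, 2) and elen >= 5:     # Request/Response carry a type byte
            info["eap_type"] = body[4]
            info["eap_data"] = body[5:elen]
    return info


class PortPair:
    """The two halves of one physical port on the authenticator."""

    def __init__(self, control_both_directions: bool = False):
        self.authorized = False
        self.control_both_directions = control_both_directions

    def apply_server_decision(self, accepted: bool) -> None:
        """The authenticator sets the controlled port state as the server instructs."""
        self.authorized = accepted

    def forward(self, frame: bytes, direction: str) -> str:
        """direction: 'in' = from the supplicant, 'out' = towards the supplicant.
        Returns the port that passes the frame, or 'drop'."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_EAPOL:
            if direction == "in" and parse_eapol(frame)["type"] == "EAPOL-Logoff":
                self.authorized = False    # supplicant logged off: back to unauthorized
            return "uncontrolled"          # always open, both directions
        if self.authorized:
            return "controlled"
        if direction == "in" or self.control_both_directions:
            return "drop"
        return "controlled"                # inbound-only control: traffic to supplicant passes


def ip_frame(src: bytes, dst: bytes) -> bytes:
    """Constructed non-EAPOL frame (Ethertype IPv4, dummy payload)."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    port = PortPair()
    start = build_eapol(SUPPLICANT_MAC, PAE_GROUP_MAC, 1)
    print(parse_eapol(start)["type"], "->", port.forward(start, "in"))
    data_in = ip_frame(SUPPLICANT_MAC, AUTHENTICATOR_MAC)
    print("IPv4 from supplicant while unauthorized ->", port.forward(data_in, "in"))
    port.apply_server_decision(True)
    print("IPv4 from supplicant once authorized ->", port.forward(data_in, "in"))
```

Two points in the model are worth noticing when reasoning about a real deployment: because both ports see every frame, the EAPOL parser is reachable by any host on the segment before authentication, so its length checks matter; and with inbound-only control the unauthorized state still lets frames reach the supplicant, which is exactly what the control-direction setting on the page trades off.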