ZTE ZXR10 2910E-PS Configuration Manual page 113

ZXR10 2900E Series Easy-Maintenance Secure Switch

- The authentication system is generally network equipment that supports the
IEEE 802.1x protocol, for example, a switch. For the ports of different
subscribers (a port can be a physical port, or the MAC address, VLAN, or IP address
of the user equipment), the authentication system has two logical ports: a controlled
port and an uncontrolled port.
1. The uncontrolled port always allows bidirectional connections. It is used to
transfer EAPOL frames and ensures that the client can always send and receive
authentication frames.
2. The controlled port is enabled only after authentication is passed. It is used to
transfer network resources and services. The controlled port can be configured
as bidirectional controlled or input controlled to meet the requirements of different
applications. If a subscriber fails authentication, that subscriber cannot
access the services provided by the authentication system.
3. The controlled port and uncontrolled port in the IEEE 802.1x protocol are logical
ports. There are no such physical ports on the equipment. The IEEE 802.1x
protocol sets up a local authentication for each subscriber that other subscribers
cannot use. Thus, once the port is enabled, it cannot be used by other
subscribers.
- The authentication server is generally a RADIUS server. This server can store a
lot of subscriber information, such as the VLAN that the subscriber belongs to, CAR
parameters, priority, the subscriber access control list, and so on. After a subscriber
passes authentication, the authentication server passes the information of
this subscriber to the authentication system, which creates a dynamic access
control list. The subsequent traffic of the subscriber is monitored according to the above
parameters.
The authentication system communicates with the RADIUS server through the RADIUS protocol.
RADIUS is a protocol standard used for authentication, authorization, and the exchange
of configuration data between the RADIUS server and the RADIUS client.
RADIUS adopts the Client/Server mode. The Client runs on the NAS. It is responsible
for sending the subscriber information to the specified RADIUS server and carrying out
operations according to the result returned by the server.
The RADIUS Authentication Server is responsible for receiving the subscriber connection
request, verifying the subscriber identity, and returning the configuration information
required by the customer. A RADIUS Authentication Server can serve as a RADIUS
customer proxy to connect to another RADIUS Authentication Server.
The RADIUS Accounting Server is responsible for receiving the subscriber billing start
request and subscriber billing stop request, and completing the billing function.
The NAS communicates with the RADIUS Server through RADIUS packets. Attributes in the
RADIUS packets are used to transfer the detailed authentication, authorization, and billing
information. The attributes used by this switch are primarily standard attributes defined in
RFC 2865, RFC 2866, and RFC 2869.
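The reply handling described above, as an added example that is not from the manual or from ZTE's code: Python code showing how a RADIUS client (the NAS) validates a server reply and decodes its attributes using the RFC 2865 packet layout. The shared secret, user name, Filter-Id value, identifier and the small code/attribute tables are constructed sample values chosen for illustration.

```python
import hashlib
import hmac
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 11: "Filter-Id", 27: "Session-Timeout"}  # RFC 2865 types

def response_authenticator(head, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """Construct a sample server reply (stands in for a real RADIUS server)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + response_authenticator(head, request_auth, body, secret) + body

def parse_reply(packet, ident, request_auth, secret):
    """Validate and decode a reply as the NAS (RADIUS client) would."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]  # octets beyond Length are padding and ignored
    if reply_id != ident:
        raise ValueError("Identifier does not match the pending request")
    expected = response_authenticator(packet[:4], request_auth, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = [], 20
    while pos < length:  # attributes are Type, Length, Value triples
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((ATTRS.get(a_type, str(a_type)), packet[pos + 2:pos + a_len]))
        pos += a_len
    return CODES.get(code, str(code)), attrs

# Constructed sample values, not taken from the manual.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_reply(2, 7, REQUEST_AUTH, [(1, b"alice"), (11, b"acl-staff"),
                     (27, struct.pack("!I", 3600))], SECRET)

if __name__ == "__main__":
    print(parse_reply(SAMPLE, 7, REQUEST_AUTH, SECRET))
```

A reply is acted on only after the Identifier and Response Authenticator checks pass, so a reply forged or altered without the shared secret is rejected before any attribute is applied to the subscriber's port.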
The EAP protocol is used between the switch and the subscriber. Three types of identity
authentication methods are provided between the RADIUS servers: PAP, CHAP, and
SJ-20120409144109-002|2012-07-02(R1.0)
Chapter 4 Service Configuration
ZTE Proprietary and Confidential
