3Com 4200G 12-Port Configuration Manual page 164

150 C 21: 802.1
HAPTER
The Mechanism of an
802.1x Authentication
System
C
X ONFIGURATION
PAE
A PAE (port access entity) is responsible for the implementation of algorithm and
protocol-related operations in the authentication mechanism.
The authenticator system PAE authenticates the supplicant systems when they log
into the LAN and controls the authorizing state (on/off) of the controlled ports
according to the authentication result.
The supplicant system PAE responds to the authentication requests received from the
authenticator system and submits user authentication information to the
authenticator system. It can also send authentication and disconnection requests to
the authenticator system PAE.
Controlled port and uncontrolled port
The Authenticator system provides ports for supplicant systems to access a LAN. A
port of this kind is divided into a controlled port and an uncontrolled port.
The uncontrolled port can always send and receive packets. It mainly serves to
■
forward EAPoL packets to ensure that a supplicant system can send and receive
authentication requests.
The controlled port can be used to pass service packets when it is in authorized
■
state. It is blocked when not in authorized state. In this case, no packets can pass
through it.
Controlled port and uncontrolled port are two properties of a access port. Packets
■
reaching an access port are visible to both the controlled port and uncontrolled
port of the access port.
The valid direction of a controlled port
When a controlled port is in unauthorized state, you can configure it to be a
unidirectional port, which sends packets to supplicant systems only.
By default, a controlled port is a unidirectional port.
IV. The way a port is controlled
A port of a S4200G series switch can be controlled in the following two ways.
Port-based authentication. When a port is controlled in this way, all the supplicant
■
systems connected to the port can access the network without being
authenticated after one supplicant system among them passes the authentication.
And when the authenticated supplicant system goes offline, the others are denied
as well.
MAC address-based authentication. All supplicant systems connected to a port
■
have to be authenticated individually in order to access the network. And when a
supplicant system goes offline, the others are not affected.
IEEE 802.1x authentication system uses extensible authentication protocol (EAP) to
exchange information between the supplicant system and the authentication server.
Figure 44 The mechanism of an 802.1x authentication system
Supplicant system Supplicant system Supplicant system Supplicant system
PAE PAE PAE PAE
EAPoL EAPoL
Authenticator Authenticator Authenticator Authenticator
System PAE System PAE System PAE System PAE
EAP/PAP/CHAP exchanges EAP/PAP/CHAP exchanges EAP/PAP/CHAP exchanges EAP/PAP/CHAP exchanges
carried by RADIUS protocol carried by RADIUS protocol carried by RADIUS protocol carried by RADIUS protocol
Authentication server Authentication server Authentication server Authentication server