H3C S7500 Series Operation Manual page 499

Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches
Supplicant system Supplicant system Supplicant system Supplicant system Supplicant system Supplicant system Supplicant system Supplicant system
Supplicant Supplicant
SupplicantPAE SupplicantPAE SupplicantPAE SupplicantPAE SupplicantPAE SupplicantPAE
PAE PAE
Figure 1-1 Architecture of 802.1x authentication
The supplicant system is an entity residing at one end of the LAN segment and is
authenticated by the authenticator system connected to the other end of the LAN
segment. The supplicant system is usually a user terminal device. An 802.1x
authentication is initiated when a user launches the 802.1x client program on the
supplicant system. Note that the 802.1x client program must support the EAPoL
(extensible authentication protocol over LANs).
The authenticator system authenticates the supplicant system. The authenticator
system is usually an 802.1x-supported network device (such as an H3C series
switch). It provides a port (physical or logical) for the supplicant system to access
the LAN.
The authentication server system is an entity that provides authentication service
to the authenticator system. Normally in the form of a RADIUS server, the
authentication server system serves to perform AAA (authentication, authorization,
and accounting) . It also stores user information, such as user name, password,
the VLAN a user belongs to, priority, and the ACLs applied.
Following are the four basic concepts related with the above three entities, namely the
PAE, controlled port and uncontrolled port, control direction and control mode.
I. PAE
A PAE (port access entity) is responsible for the implementation of algorithms and
protocol operations in the authentication mechanism.
The authenticator system PAE authenticates supplicant systems through the
authentication server when they log into the LAN and controls the authorizing state of
the controlled ports according to the authentication results.
The supplicant system PAE responds to the authentication requests received from the
authenticator system and submits user authentication information to the authenticator
system. It can also send authentication and disconnection requests to the authenticator
system PAE.
Authenticator system Authenticator system Authenticator system Authenticator system Authenticator system Authenticator system Authenticator system Authenticator system
Services provided by Services provided by Authenticator Authenticator
Servic es pr ovided by Servic es pr ovided by Servic es pr ovided by Servic es pr ovided by Servic es pr ovided by Servic es pr ovided by
authenticator authenticator authenticator authenticator authenticator authenticator authenticator authenticator
Port not authorized Port not authorized Port not authorized Port not authorized Port not authorized Port not authorized Port not authorized Port not authorized
Controlled port Controlled port Controlled port Controlled port
Port under Port under Port under Port under
control control control control
LAN/WLAN LAN/WLAN LAN/WLAN LAN/WLAN LAN/WLAN LAN/WLAN LAN/WLAN LAN/WLAN
1-2
Chapter 1 802.1x Configuration
Authentication Authentication Authentication Authentication Authentication Authentication Authentication Authentication
server system server system server system server system server system server system server system server system
Authentication Authentication
Authenticator PAE Authenticator PAE Authenticator PAE Authenticator PAE Authenticator PAE Authenticator PAE
PAE PAE
Port not Port not Port not Port not
Uncontrolled Uncontrolled Uncontrolled Uncontrolled
Under Under Under Under
port port port port
control control control control
Authentication Authentication Authentication Authentication Authentication Authentication
server server
server server server server server server