Authentication Mechanism - H3C S7500 Series Operation Manual


Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches
II. Controlled port and uncontrolled port
The authenticator system provides ports for supplicant systems to access a LAN. A port
of this kind is divided into two virtual ports: a controlled port and an uncontrolled port.
- The uncontrolled port can always send and receive packets. It mainly serves to
  forward EAPoL packets to ensure that a supplicant system can make
  authentication requests or be authenticated.
- The controlled port can be used to pass service packets when it is in authorized
  state. When it is not in authorized state, it is disconnected and no packets
  can pass through it.
- The controlled port and the uncontrolled port are two parts of a port. Packets
  arriving at the port are visible to both the controlled port and the uncontrolled port.
III. Control direction
In unauthorized state, the controlled port can be set to a unidirectionally controlled port,
which is allowed to send packets to supplicant systems only.
By default, a controlled port is a unidirectionally controlled port.
IV. Control mode
Two port control modes are supported:
- Port-based authentication. In this mode, all the supplicant systems connected to
  the physical port can access the network without being authenticated after one of
  them passes authentication. Similarly, when one of the authenticated supplicant
  systems goes offline, the others are denied.
- MAC address-based authentication. All supplicant systems connected to the
  physical port have to be authenticated individually in order to access the network.
  When a supplicant system goes offline, the others are not affected.
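The two control modes, combined with the controlled/uncontrolled split from section II, as an added Python sketch (not H3C code and not part of this manual). The class and function names and the sample MAC addresses are hypothetical; the EAPoL EtherType 0x888E is the IEEE 802.1X value and is not stated on this page; only untagged Ethernet II frames sent by supplicants are modelled.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType that IEEE 802.1X assigns to EAPoL
IPV4_ETHERTYPE = 0x0800   # stands in for ordinary service traffic


class AuthenticatorPort:
    """Toy model of one 802.1x port (hypothetical class, not H3C code)."""

    def __init__(self, mode):
        if mode not in ("portbased", "macbased"):
            raise ValueError("mode must be 'portbased' or 'macbased'")
        self.mode = mode
        self.authenticated = set()  # source MACs that passed authentication

    def login(self, mac):
        self.authenticated.add(mac)

    def logoff(self, mac):
        if self.mode == "portbased":
            self.authenticated.clear()  # one going offline denies the others
        else:
            self.authenticated.discard(mac)  # the others are not affected

    def classify(self, frame):
        """Say which virtual port handles a frame sent by a supplicant."""
        if len(frame) < 14:
            return "drop"  # shorter than an Ethernet II header
        src = frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == EAPOL_ETHERTYPE:
            return "uncontrolled"  # always passes, so authentication can run
        if self.mode == "portbased":
            authorized = bool(self.authenticated)  # any one login opens the port
        else:
            authorized = src in self.authenticated  # each MAC on its own
        return "controlled" if authorized else "drop"


def make_frame(src, ethertype):
    """Build a constructed, untagged Ethernet II header for the demo."""
    return b"\xff" * 6 + src + struct.pack("!H", ethertype)


# Constructed sample MACs (locally administered), not taken from the manual.
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")

if __name__ == "__main__":
    for mode in ("portbased", "macbased"):
        port = AuthenticatorPort(mode)
        port.login(MAC_A)  # only A authenticates
        print(mode, "B service frame ->", port.classify(make_frame(MAC_B, IPV4_ETHERTYPE)))
```

With only supplicant A logged in, the port-based port passes B's service frame through the controlled port while the MAC-based port drops it, which is the practical difference to weigh when several devices share one physical port.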
1.1.2 802.1x Authentication Mechanism
The IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP)
as a means of exchanging authentication information between the supplicant system and
the authentication server.
Figure 1-2 802.1x authentication mechanism
[Diagram labels: Supplicant system PAE; EAPoL; Authenticator System PAE; EAP/PAP/CHAP exchanges carried by RADIUS protocol; Authentication server]
- Between the supplicant system and the authenticator system, EAP protocol
  packets are encapsulated in EAPoL packets and transmitted over the LAN.
- Between the authenticator system PAE and the RADIUS server, EAP protocol
  packets can either be encapsulated in EAPoR (EAP over RADIUS) packets or be
Chapter 1 802.1x Configuration
