3Com Switch 8800 Configuration Guide
Chapter 39 802.1x Configuration
39-2
is to be encapsulated in the packets of other AAA upper layer protocols (e.g. RADIUS)
so as to go through the complicated network to reach the Authentication Server. Such
procedure is called EAP Relay.
There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the
other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection
state. The user can access and share the network resources any time through the ports.
The Controlled Port will be in connecting state only after the user passes the
authentication. Then the user is allowed to access the network resources.
Supplicant
Authenticator
PAE
Authenticator
Server
Supplicant
System
Authenticator System
Authenticator
Server
System
EAP protocol
exchanges
carried in
higher layer
protocol
EAPoL
Controlled
Port
Port
unauthorized
LAN
Uncontrolled
Port
Services
offered
by
Authenticators
System
Figure 39-1
802.1x system architecture
39.1.3 802.1x Authentication Process
802.1x configures EAP frame to carry the authentication information. The Standard
defines the following types of EAP frames:
z
EAP-Packet: Authentication information frame, used to carry the authentication
information.
z
EAPoL-Start: Authentication originating frame, actively originated by the
Supplicant.
z
EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.
z
EAPoL-Key: Key information frame, supporting to encrypt the EAP packets.
z
EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert Standard
Forum (ASF).
The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicant
and the Authenticator. The EAP-Packet information is re-encapsulated by the
Authenticator System and then transmitted to the Authentication Server System. The
EAPoL-Encapsulated-ASF-Alert is related to the network management information and
terminated by the Authenticator.