Operation Manual – 802.1x-HABP-MAC Authentication
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 802.1x Configuration
II. Controlled port and uncontrolled port
An authenticator provides ports for supplicants to access the LAN. Each of the ports
can be regarded as two logical ports: a controlled port and an uncontrolled port.
• The uncontrolled port is always open in both the inbound and outbound directions
  to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can
  always send and receive authentication frames.
• The controlled port is open to allow normal traffic to pass only when it is in the
  authorized state.
• The controlled port and uncontrolled port are two parts of the same port. Any
  frames arriving at the port are visible to both of them.
III. Control direction
In the unauthorized state, the controlled port can be set to deny traffic to and from the
supplicant or just the traffic from the supplicant.
Note:
Currently, the devices support only denying the traffic from the supplicant.
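The forwarding decision described above can be modelled as follows. This is an added example, not code from the H3C manual or the switch software. It assumes untagged Ethernet frames and identifies EAPOL by the IEEE 802.1X EtherType 0x888E; the Port class, its field names and the sample frames are hypothetical.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E  # IEEE 802.1X EAPOL EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_eapol(frame: bytes):
    """Return (type_name, body) for an untagged EAPOL frame, else None."""
    if len(frame) < 18:          # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]  # anything after the body is Ethernet padding
    if len(body) != length:      # truncated body: malformed, do not treat as EAPOL
        return None
    return EAPOL_TYPES.get(ptype, f"unknown({ptype})"), body

@dataclass
class Port:
    authorized: bool = False
    # False models the behaviour the note describes (deny only traffic from
    # the supplicant); True models denying traffic in both directions.
    deny_both_directions: bool = False

    def forwards(self, frame: bytes, from_supplicant: bool) -> bool:
        if parse_eapol(frame) is not None:
            return True          # uncontrolled port: always open for EAPOL
        if self.authorized:
            return True          # controlled port in the authorized state
        if from_supplicant:
            return False         # unauthorized: supplicant traffic is denied
        return not self.deny_both_directions

# Constructed sample frames (source address and payload are made up).
_SRC = bytes.fromhex("020000000001")
EAPOL_START = (bytes.fromhex("0180c2000003") + _SRC
               + bytes.fromhex("888e") + bytes([1, 1, 0, 0]))
IPV4_FRAME = (bytes.fromhex("ffffffffffff") + _SRC
              + bytes.fromhex("0800") + b"\x45" + bytes(19))

if __name__ == "__main__":
    port = Port()
    for name, frame in (("EAPOL-Start", EAPOL_START), ("IPv4", IPV4_FRAME)):
        print(name, "from supplicant forwarded:", port.forwards(frame, True))
```

A frame that carries the EAPOL EtherType but a truncated body is not given the uncontrolled-port exemption, so on an unauthorized port it is dropped like any other supplicant traffic.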
1.1.2 Operation of 802.1x
The 802.1x authentication system employs the Extensible Authentication Protocol
(EAP) to exchange authentication information between the supplicant PAE,
authenticator PAE, and authentication server.
Figure 1-2 Operation of 802.1x
• Between the supplicant PAE and authenticator PAE, EAP protocol packets are
  encapsulated using EAP Encapsulation over LANs (EAPOL) and transferred over
  the LAN.
• Between the authenticator PAE and authentication server, EAP protocol packets
  can be handled in two modes: EAP relay and EAP termination. In EAP relay mode,
  EAP protocol packets are encapsulated using EAP Encapsulation over RADIUS
  (Remote Authentication Dial-In User Service) and then relayed to the
  RADIUS server. In EAP termination mode, EAP protocol packets are terminated at
  the authenticator PAE, repackaged in the Password Authentication Protocol (PAP)
  or Challenge Handshake Authentication Protocol (CHAP) attributes of RADIUS
  packets, and then transferred to the RADIUS server.