Architecture of 802.1X
802.1X operates in the typical client/server model and defines three entities: client, device, and server, as shown in Figure 1-1.
[Figure 1-1: Architecture of 802.1X]
- Client: An entity to be authenticated by the device residing on the same LAN. A client is usually a user-end device and initiates 802.1X authentication through 802.1X client software supporting the EAP over LANs (EAPOL) protocol.
- Device: The entity that authenticates connected clients residing on the same LAN. A device is usually an 802.1X-enabled network device and provides ports (physical or logical) for clients to access the LAN.
- Server: The entity providing authentication, authorization, and accounting services for the device. The server usually runs the Remote Authentication Dial-in User Service (RADIUS).
Authentication Modes of 802.1X
The 802.1X authentication system employs the Extensible Authentication Protocol (EAP) to exchange authentication information between the client, device, and authentication server.
- Between the client and the device, EAP protocol packets are encapsulated using EAPOL to be transferred on the LAN.
- Between the device and the RADIUS server, EAP protocol packets can be handled in two modes: EAP relay and EAP termination. In EAP relay mode, EAP protocol packets are encapsulated using EAP over RADIUS (EAPOR) and then relayed to the RADIUS server. In EAP termination mode, EAP protocol packets are terminated at the device, repackaged in the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) attributes of RADIUS packets, and then transferred to the RADIUS server.
Basic Concepts of 802.1X
These basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorized state/unauthorized state, and control direction.
Controlled port and uncontrolled port
A device provides ports for clients to access the LAN. Each port can be regarded as a unity of two logical ports: a controlled port and an uncontrolled port.
- The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the client can always send and receive authentication frames.
- The controlled port is open to allow data traffic to pass only when it is in the authorized state.
- The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them.
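As an added illustration (not code from this guide or any vendor implementation), the following Python script models the encapsulations from the two sections above: an EAP packet wrapped in an EAPOL header between client and device, the EAP relay case where the device copies the EAP packet unchanged into RADIUS EAP-Message attributes, and the controlled/uncontrolled split that admits EAPOL frames in any state but data traffic only once the port is authorized. The header layouts and constants follow IEEE 802.1X and RFC 3579; the `Port` class and its string results are assumptions of this example.

```python
import struct

EAPOL_ETHERTYPE = 0x888E          # EtherType of EAPOL frames on the LAN
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79      # RFC 3579 attribute carrying EAP in RADIUS (EAPOR)

def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length, then optional Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def build_eapol(eapol_type, body=b""):
    """EAPOL header (version 2, type, body length) in front of an EAP packet.
    EAPOL-Start and EAPOL-Logoff carry an empty body."""
    return struct.pack("!BBH", 2, eapol_type, len(body)) + body

def parse_eapol(frame):
    """Return (eapol_type, body); reject truncated frames instead of over-reading."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL length field exceeds frame")
    return eapol_type, frame[4:4 + length]

def parse_eap(pkt):
    """Return (code, identifier, type_and_data) after checking the EAP length."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    return code, identifier, pkt[4:length]

def eap_to_radius_attrs(eap_packet):
    """EAP relay: the EAP packet goes into EAP-Message attributes unchanged,
    split into 253-byte chunks because a RADIUS attribute value is at most 253 bytes."""
    out = b""
    for i in range(0, len(eap_packet), 253):
        chunk = eap_packet[i:i + 253]
        out += bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return out

class Port:
    """One 802.1X port: the uncontrolled part always passes EAPOL,
    the controlled part passes data traffic only in the authorized state (assumed model)."""
    def __init__(self):
        self.authorized = False

    def admit(self, ethertype):
        if ethertype == EAPOL_ETHERTYPE:
            return "uncontrolled"     # authentication frames always get through
        return "controlled" if self.authorized else "dropped"
```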