device in the LAN. The Client must have client software installed that supports 802.1x
authentication.
● The Switch is the network device that controls client access in the LAN; it is located between the
Client and the Authentication server. The Switch provides the LAN access port for clients (a physical
port or a logical port) and authenticates the connected Client by interacting with the server.
● The Authentication server implements authentication, authorization and accounting (billing), and is
generally a RADIUS (Remote Authentication Dial-In User Service) server. The Authentication server
verifies the legitimacy of the Client according to the Client authentication information forwarded by the
Switch, and informs the device of the verification result. Whether client access is allowed is decided by
the Device. In some small-scale networks the role of the Authentication server can be taken over by the
Device, which then performs local authentication, authorization and accounting (billing) for the client.
5.6.2 802.1x Authentication Controlled/Uncontrolled Port
The LAN access port that the device provides for a client is divided into two logical ports: the
controlled port and the uncontrolled port. Any frame that arrives at the port is visible on both the
controlled port and the uncontrolled port.
● The uncontrolled port is always in the bidirectionally connected state. It is mainly used to transmit
authentication messages and ensures that the Client can always send and receive authentication
messages.
● The controlled port is bidirectionally connected only in the authorized state. It is mainly used to
transmit business (data) messages, and in the unauthorized state it is forbidden to receive any messages
from the Client.
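As an added example (not from the manual or the switch firmware), the following Python model shows how the controlled/uncontrolled port split works in practice: EAPOL frames (EtherType 0x888E, the authentication messages) are always accepted through the uncontrolled port, while other client traffic passes the controlled port only while it is authorized. It also classifies how a client-sent EAPOL frame is addressed (multicast PAE group address 01-80-C2-00-00-03, broadcast, or unicast), which is the distinction the trigger modes in 5.6.3 rely on. The client MAC address, the frame bytes and the `Frame`/`AuthenticatorPort` class names are constructed assumptions for illustration.

```python
"""Toy model of one 802.1X authenticator (switch) port, added as an example.

The uncontrolled port always passes EAPOL frames (EtherType 0x888E) so that
authentication can proceed; the controlled port forwards other traffic only
while the port is in the authorized state.  All frame bytes are constructed
here, not captured from a real network.
"""
from dataclasses import dataclass
from enum import Enum

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03, 802.1X PAE group address
BROADCAST_MAC = b"\xff" * 6

# EAPOL packet types as defined in IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes

    @classmethod
    def parse(cls, raw: bytes) -> "Frame":
        """Split an untagged Ethernet II frame into header fields and payload."""
        if len(raw) < 14:
            raise ValueError("frame shorter than a 14-byte Ethernet header")
        return cls(raw[0:6], raw[6:12], int.from_bytes(raw[12:14], "big"), raw[14:])

    def is_eapol(self) -> bool:
        return self.ethertype == EAPOL_ETHERTYPE

    def eapol_type(self) -> str:
        """Name of the EAPOL packet type; the header is version(1) type(1) length(2)."""
        if not self.is_eapol() or len(self.payload) < 4:
            raise ValueError("not a well-formed EAPOL frame")
        return EAPOL_TYPES.get(self.payload[1], f"unknown({self.payload[1]})")

    def trigger_kind(self) -> str:
        """How a client-initiated EAPOL frame is addressed (see the trigger modes)."""
        if self.dst == PAE_GROUP_MAC:
            return "multicast"
        if self.dst == BROADCAST_MAC:
            return "broadcast"
        return "unicast"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + ethertype.to_bytes(2, "big") + payload


def build_eapol_start(dst: bytes, src: bytes) -> bytes:
    """EAPOL-Start: protocol version 1 (802.1X-2001), type 1, zero-length body."""
    return build_frame(dst, src, EAPOL_ETHERTYPE, bytes([0x01, 0x01, 0x00, 0x00]))


class AuthenticatorPort:
    """Controlled/uncontrolled port pair of a single switch access port (hypothetical model)."""

    def __init__(self) -> None:
        self.state = PortState.UNAUTHORIZED

    def set_authorized(self, verdict: bool) -> None:
        """Apply the authentication server's verdict to the controlled port."""
        self.state = PortState.AUTHORIZED if verdict else PortState.UNAUTHORIZED

    def receive_from_client(self, raw: bytes) -> str:
        frame = Frame.parse(raw)
        if frame.is_eapol():
            # Uncontrolled port: authentication traffic is always accepted.
            return f"uncontrolled:accepted:{frame.eapol_type()}"
        if self.state is PortState.AUTHORIZED:
            return "controlled:forwarded"
        # An unauthorized controlled port drops all non-EAPOL traffic from the client.
        return "controlled:dropped"


def demo() -> dict:
    client = bytes.fromhex("0a1b2c3d4e5f")  # constructed client MAC address
    port = AuthenticatorPort()
    ipv4 = build_frame(BROADCAST_MAC, client, IPV4_ETHERTYPE, b"\x45" + b"\x00" * 19)
    results = {
        "data_before_auth": port.receive_from_client(ipv4),
        "eapol_start": port.receive_from_client(build_eapol_start(PAE_GROUP_MAC, client)),
        "start_multicast": Frame.parse(build_eapol_start(PAE_GROUP_MAC, client)).trigger_kind(),
        "start_broadcast": Frame.parse(build_eapol_start(BROADCAST_MAC, client)).trigger_kind(),
    }
    port.set_authorized(True)  # the server's accept verdict relayed by the switch
    results["data_after_auth"] = port.receive_from_client(ipv4)
    port.set_authorized(False)  # e.g. after EAPOL-Logoff or a reject verdict
    results["data_after_logoff"] = port.receive_from_client(ipv4)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the same data frame being dropped before authorization, forwarded after it, and dropped again once the port returns to the unauthorized state, while the EAPOL-Start is accepted throughout; that is the property a defender relies on when 802.1X is used to keep unauthenticated hosts off the LAN.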
5.6.3 Trigger Mode of 802.1x Authentication
The 802.1X authentication process can be initiated by either the Client or the Switch.
● Client Active Trigger Mode
  ◇ Multicast trigger: the Client actively sends an authentication request message to the Switch to
  trigger authentication; the destination address of the message is the multicast MAC address
  01-80-C2-00-00-03.
  ◇ Broadcast trigger: the Client actively sends an authentication request message to the Switch to
  trigger authentication; the destination address of the message is the broadcast MAC address. This
  mode solves the problem of the Switch failing to receive the authentication request from the Client
  because some devices in the network do not support the multicast message above.
● Switch Active Trigger Mode
  This mode supports Clients that cannot actively send an authentication request message. There are
  two types of trigger authentication:
  ◇ Multicast trigger: the Switch actively sends an Identity-type request message to the Client at a
  regular interval (30 s by default) to trigger authentication.
  ◇ Unicast trigger: when the Switch receives a message from an unknown source MAC address, it
  actively sends an Identity-type request message in unicast to that MAC address to trigger