+7(495) 797-3311 www.qtech.ru
Moscow, Novozavodskaya St., 18, bldg. 1
282
The Authentication Structure of 802.1x
The supplicant system is an entity at one end of the LAN segment that must be authenticated by
the access controlling unit at the other end of the link. A supplicant system is usually a user
terminal device. Users start 802.1x authentication by starting the supplicant system software. A
supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
The authenticator system is the entity at the other end of the LAN segment; it authenticates the
supplicant systems connected to it. An authenticator system is usually a network device that
supports the 802.1x protocol and provides ports through which supplicant systems access the LAN.
The ports provided can be either physical or logical.
The authentication server system is an entity that provides the authentication service for
authenticator systems. It is used to authenticate and authorize users, as well as for accounting
(fee counting), and is usually a RADIUS (Remote Authentication Dial-In User Service)
server, which can store the relevant user information, including username, password and other
parameters such as the VLAN and ports to which the user belongs.
The three entities above involve the following basic concepts: the PAE of the port, the controlled
ports and the controlled direction.
1. PAE
PAE (Port Access Entity) is the entity that carries out the algorithms and protocol operations.
The PAE of the supplicant system responds to authentication requests from the
authenticator system and submits the user's authentication information to the authenticator
system. It can also send authentication requests and off-line requests to the authenticator.
The PAE of the authenticator system authenticates, via the authentication server system, the
supplicant systems that need to access the LAN, and sets the authenticated/unauthenticated
state of the controlled port according to the result of the authentication. The authenticated state
means the user is allowed to access network resources; the unauthenticated state means
only EAPOL messages may be received and sent, while the user is forbidden to
access network resources.
2. Controlled/uncontrolled ports
The authenticator system provides ports to access the LAN for the supplicant systems. These
ports can be divided into two kinds of logical ports: controlled ports and uncontrolled ports.
The uncontrolled port is always connected in both directions and is mainly used to
transmit EAPOL protocol frames, which guarantees that the supplicant systems can always send or
receive authentication messages.
The controlled port is in connected status only when authenticated, and is then used to transmit
service messages. When unauthenticated, no message from supplicant systems is allowed to be received.
The controlled and uncontrolled ports are two parts of one port, which means each frame
reaching this port is visible on both the controlled and uncontrolled ports.
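The following Python model is an added example, not code from the manual or from the switch firmware. It shows how one physical port behaves as an uncontrolled port for EAPOL and a controlled port for service traffic. The class name, helper names and sample frames are assumptions constructed for illustration; EtherType 0x888E and the EAPOL packet type numbers come from IEEE 802.1X.

```python
import struct

ETH_P_EAPOL = 0x888E  # EtherType assigned to EAPOL (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


class AuthenticatorPort:
    """Hypothetical model: one physical port seen as two logical ports."""

    def __init__(self):
        self.authenticated = False  # state of the controlled port

    def auth_result(self, accepted):
        """Apply the result reported by the authentication server (e.g. RADIUS)."""
        self.authenticated = bool(accepted)

    def receive(self, frame):
        """Classify one frame from the supplicant side.

        Returns (logical_port, action, detail)."""
        if len(frame) < 14:
            return ("none", "drop", "runt frame")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_EAPOL:
            # Uncontrolled port: EAPOL reaches the PAE in either state.
            if len(frame) < 18:
                return ("uncontrolled", "drop", "truncated EAPOL header")
            _version, ptype, length = struct.unpack("!BBH", frame[14:18])
            if len(frame) - 18 < length:
                return ("uncontrolled", "drop", "EAPOL body shorter than length field")
            if ptype not in EAPOL_TYPES:
                return ("uncontrolled", "drop", "unknown EAPOL type")
            if ptype == 2:  # off-line request: close the controlled port
                self.authenticated = False
            return ("uncontrolled", "to-pae", EAPOL_TYPES[ptype])
        # Controlled port: service traffic passes only when authenticated.
        if self.authenticated:
            return ("controlled", "forward", hex(ethertype))
        return ("controlled", "drop", "port unauthenticated")


def eth(ethertype, payload, dst="0180c2000003", src="020000000001"):
    """Build a constructed sample frame (the addresses are made up)."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload


# Constructed sample frames: EAPOL-Start, EAPOL-Logoff, and an IPv4 service frame.
EAPOL_START = eth(ETH_P_EAPOL, struct.pack("!BBH", 1, 1, 0))
EAPOL_LOGOFF = eth(ETH_P_EAPOL, struct.pack("!BBH", 1, 2, 0))
IPV4_DATA = eth(0x0800, b"\x45" + b"\x00" * 19, dst="ffffffffffff")
```
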
Contents of QSW-2800 series