Download 3Com Switch 4210 Configuration Guide

212
CHAPTER 17: 802.1X CONFIGURATION
supplicant system. Note that the client program must support extensible
authentication protocol over LAN (EAPoL).
■
The authenticator system is another entity residing at one end of a LAN
segment. It authenticates the connected supplicant systems. The authenticator
system is usually an 802.1x-supported network device (such as a 3Com series
switch). It provides the port (physical or logical) for the supplicant system to
access the LAN.
■
The authentication server system is an entity that provides authentication
service to the authenticator system. Normally in the form of a RADIUS server,
the authentication server system serves to perform AAA (authentication,
authorization, and accounting) services to users. It also stores user information,
such as user name, password, the VLAN a user belongs to, priority, and the
ACLs (access control list) applied.
The four basic concepts related to the above three entities are PAE, controlled port
and uncontrolled port, the valid direction of a controlled port and the way a port is
controlled.
PAE
A PAE (port access entity) is responsible for implementing algorithms and
performing protocol-related operations in the authentication mechanism.
■
The authenticator system PAE authenticates the supplicant systems when they
log into the LAN and controls the status (authorized/unauthorized) of the
controlled ports according to the authentication result.
■
The supplicant system PAE responds to the authentication requests received
from the authenticator system and submits user authentication information to
the authenticator system. It also sends authentication requests and
disconnection requests to the authenticator system PAE.
Controlled port and uncontrolled port
The Authenticator system provides ports for supplicant systems to access a LAN.
Logically, a port of this kind is divided into a controlled port and an uncontrolled
port.
■
The uncontrolled port can always send and receive packets. It mainly serves to
forward EAPoL packets to ensure that a supplicant system can send and receive
authentication requests.
■
The controlled port can be used to pass service packets when it is in authorized
state. It is blocked when not in authorized state. In this case, no packets can
pass through it.
■
Controlled port and uncontrolled port are two properties of a port. Packets
reaching a port are visible to both the controlled port and uncontrolled port of
the port.
The valid direction of a controlled port
When a controlled port is in unauthorized state, you can configure it to be a
unidirectional port, which sends packets to supplicant systems only.
By default, a controlled port is a unidirectional port.