QTECH QSW-2800 Инструкция по настройке User Manual

+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1

282

The Authentication Structure of 802.1x

The supplicant system is an entity on one end of the LAN segment, should be authenticated by

the access controlling unit on the other end of the link. A Supplicant system usually is a user

terminal device. Users start 802.1x authentication by starting supplicant system software. A

supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).

The authenticator system is another entity on one end of the LAN segment to authenticate the

supplicant systems connected. An authenticator system usually is a network device supporting

802,1x protocol, providing ports to access the LAN for supplicant systems. The ports provided

can either be physical or logical.

The authentication server system is an entity to provide authentication service for authenticator

systems. The authentication server system is used to authenticate and authorize users, as well

as does fee-counting, and usually is a RADIUS (Remote Authentication Dial-In User Service)

server, which can store the relative user information, including username, password and other

parameters such as the VLAN and ports which the user belongs to.

The three entities above concerns the following basic concepts: PAE of the port, the controlled

ports and the controlled direction.

1. PAE

PAE (Port Access Entity) is the entity to implement the operation of algorithms and protocols.

The PAE of the supplicant system is supposed to respond the authentication request from the
authenticator systems and submit user’s authentication information to the authenticator

system. It can also send authentication request and off-line request to authenticator.

The PAE of the authenticator system authenticates the supplicant systems needing to access

the LAN via the authentication server system, and deal with the authenticated/unauthenticated

state of the controlled port according to the result of the authentication. The authenticated state

means the user is allowed to access the network resources, the unauthenticated state means

only the EAPOL messages are allowed to be received and sent while the user is forbidden to

access network resources.

2. controlled/uncontrolled ports

The authenticator system provides ports to access the LAN for the supplicant systems. These

ports can be divided into two kinds of logical ports: controlled ports and uncontrolled ports.

The uncontrolled port is always in bi-directionally connected status, and mainly used to

transmit EAPOL protocol frames, to guarantee that the supplicant systems can always send or

receive authentication messages.

The controlled port is in connected status authenticated to transmit service messages. When

unauthenticated, no message from supplicant systems is allowed to be received.

The controlled and uncontrolled ports are two parts of one port, which means each frame

reaching this port is visible on both the controlled and uncontrolled ports.