Controlled port and uncontrolled port, The valid direction of a controlled port, The way a port is controlled – H3C Technologies H3C S3100 Series Switches User Manual

1-2

stores user information, such as user name, password, the VLAN a user belongs to, priority, and

the ACLs (access control list) applied.

The four basic concepts related to the above three entities are PAE, controlled port and uncontrolled

port, the valid direction of a controlled port and the way a port is controlled.

PAE

A PAE (port access entity) is responsible for implementing algorithms and performing protocol-related

operations in the authentication mechanism.

z

The authenticator system PAE authenticates the supplicant systems when they log into the LAN

and controls the status (authorized/unauthorized) of the controlled ports according to the

authentication result.

z

The supplicant system PAE responds to the authentication requests received from the

authenticator system and submits user authentication information to the authenticator system. It

also sends authentication requests and disconnection requests to the authenticator system PAE.

Controlled port and uncontrolled port

The Authenticator system provides ports for supplicant systems to access a LAN. Logically, a port of

this kind is divided into a controlled port and an uncontrolled port.

z

The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL

packets to ensure that a supplicant system can send and receive authentication requests.

z

The controlled port can be used to pass service packets when it is in authorized state. It is blocked

when not in authorized state. In this case, no packets can pass through it.

z

Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are

visible to both the controlled port and uncontrolled port of the port.

The valid direction of a controlled port

When a controlled port is in unauthorized state, you can configure it to be a unidirectional port, which

sends packets to supplicant systems only.

By default, a controlled port is a unidirectional port.

The way a port is controlled

A port of an H3C series switch can be controlled in the following two ways.

z

Port-based authentication. When a port is controlled in this way, all the supplicant systems

connected to the port can access the network without being authenticated after one supplicant

system among them passes the authentication. And when the authenticated supplicant system

goes offline, the others are denied as well.

z

MAC address-based authentication. All supplicant systems connected to a port have to be

authenticated individually in order to access the network. And when a supplicant system goes

offline, the others are not affected.

The Mechanism of an 802.1x Authentication System

IEEE 802.1x authentication system uses the extensible authentication protocol (EAP) to exchange

information between supplicant systems and the authentication servers.