Figure 3, Illu – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

156

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

How 802.1X port security works

FIGURE 3

Controlled and uncontrolled ports before and after client authentication

Before a Client is authenticated, only the uncontrolled port on the Authenticator is open. The
uncontrolled port allows only EAPOL frames to be exchanged between the Client and the
Authentication Server. The controlled port is in the unauthorized state and allows no traffic to pass
through.

During authentication, EAPOL messages are exchanged between the Supplicant PAE and the
Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the
Authentication Server.Refer to

“Message exchange during authentication”

on page 157 for an

example of this process. If the Client is successfully authenticated, the controlled port becomes
authorized, and traffic from the Client can flow through the port normally.

By default, all controlled ports on the Brocade device are placed in the authorized state, allowing all
traffic. When authentication is activated on an 802.1X-enabled interface, the interface controlled
port is placed initially in the unauthorized state. When a Client connected to the port is successfully
authenticated, the controlled port is then placed in the authorized state until the Client logs off.
Refer to

“Enabling 802.1X port security”

on page 174 for more information.

Authentication

Server

Authentication

Server

802.1X-Enabled

Supplicant

802.1X-Enabled

Supplicant

PAE

PAE

PAE

PAE

Services

Services

Uncontrolled Port

Physical Port

Controlled Port

(Unauthorized)

Uncontrolled Port

Controlled Port

(Authorized)

Physical Port

Before Authentication

After Authentication

Brocade Switch
(Authenticator)

Brocade Switch
(Authenticator)