PLANET XGS3-24042 User Manual


system should support EAPOL (Extensible Authentication Protocol over LAN).

The authenticator system is another entity at one end of the LAN segment, which authenticates the connected supplicant systems. An authenticator system is usually a network device supporting the 802.1x protocol, providing ports through which supplicant systems access the LAN. The ports provided can be either physical or logical.

The authentication server system is an entity that provides authentication service for authenticator systems. It is used to authenticate and authorize users, as well as for fee-counting, and is usually a RADIUS (Remote Authentication Dial-In User Service) server, which can store the relevant user information, including username, password and other parameters such as the VLAN and ports to which the user belongs.

The three entities above involve the following basic concepts: the PAE of the port, the controlled ports and the controlled direction.

1. PAE

PAE (Port Access Entity) is the entity that implements the operation of algorithms and protocols.

The PAE of the supplicant system is supposed to respond to the authentication request from the authenticator system and submit the user's authentication information to the authenticator system. It can also send authentication requests and off-line requests to the authenticator.

The PAE of the authenticator system authenticates the supplicant systems needing to access the LAN via the authentication server system, and deals with the authenticated/unauthenticated state of the controlled port according to the result of the authentication. The authenticated state means the user is allowed to access the network resources; the unauthenticated state means only EAPOL messages are allowed to be received and sent, while the user is forbidden to access network resources.

2. Controlled/uncontrolled ports

The authenticator system provides ports to access the LAN for the supplicant systems. These ports can be divided into two kinds of logical ports: controlled ports and uncontrolled ports.

The uncontrolled port is always in bi-directionally connected status, and is mainly used to transmit EAPOL protocol frames, to guarantee that the supplicant systems can always send or receive authentication messages.

The controlled port is in connected status when authenticated, to transmit service messages. When unauthenticated, no message from supplicant systems is allowed to be received.

The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.

3. Controlled direction

In unauthenticated status, controlled ports can be set as unidirectionally controlled or bi-directionally controlled.

When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden.

When the port is unidirectionally controlled, no frames can be received from the supplicant systems, while sending frames to the supplicant systems is allowed.

Notes: At present, this kind of switch only supports unidirectional control.
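The controlled/uncontrolled port decision and the controlled direction described above, modelled as an added example that is not taken from this manual or from the switch firmware. The function and enum names are hypothetical, the EtherType 0x888E for EAPOL is supplied here, and the sample frames are constructed.

```python
import struct
from enum import Enum

ETHERTYPE_EAPOL = 0x888E  # EtherType assigned to EAPOL (IEEE 802.1X)

class Direction(Enum):
    FROM_SUPPLICANT = 1
    TO_SUPPLICANT = 2

class ControlMode(Enum):
    UNIDIRECTIONAL = 1   # only frames from the supplicant are blocked
    BIDIRECTIONAL = 2    # frames in both directions are blocked

def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack_from("!H", frame, 12)[0]

def admit(frame: bytes, direction: Direction, authenticated: bool,
          mode: ControlMode = ControlMode.UNIDIRECTIONAL) -> str:
    """Return the logical port that carries the frame, or 'drop'."""
    if ethertype(frame) == ETHERTYPE_EAPOL:
        return "uncontrolled"          # always connected in both directions
    if authenticated:
        return "controlled"            # service traffic flows normally
    if mode is ControlMode.UNIDIRECTIONAL and direction is Direction.TO_SUPPLICANT:
        return "controlled"            # sending to the supplicant is still allowed
    return "drop"

def build(dst: str, src: str, etype: int, payload: bytes) -> bytes:
    """Assemble a constructed sample frame from colon-separated MACs."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload

# Constructed sample frames (not captured traffic).
EAPOL_START = build("01:80:c2:00:00:03", "02:00:00:00:00:01",
                    ETHERTYPE_EAPOL, bytes([1, 1, 0, 0]))  # version 1, Start, length 0
IPV4_DATA = build("02:00:00:00:00:fe", "02:00:00:00:00:01", 0x0800, b"\x45" + bytes(19))

if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", EAPOL_START), ("IPv4", IPV4_DATA)):
        for direction in Direction:
            for auth in (False, True):
                print(name, direction.name, "auth" if auth else "unauth",
                      "->", admit(frame, direction, auth))
```

The default `mode` is unidirectional, matching the note that this kind of switch only supports unidirectional control.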
