716 CHAPTER 50: 802.1X CONFIGURATION
Figure 210 Architecture of 802.1x
■ Supplicant system: A system at one end of the LAN segment, which is
authenticated by the authenticator system at the other end. A supplicant
system is usually a user-end device and initiates 802.1x authentication through
802.1x client software supporting the EAP over LANs (EAPOL) protocol.
■ Authenticator system: A system at the other end of the LAN segment, which
authenticates the connected supplicant system. An authenticator system is
usually an 802.1x-enabled network device and provides ports (physical or
logical) for supplicants to access the LAN.
■ Authentication server system: The system providing authentication,
authorization, and accounting services for the authenticator system. The
authentication server, usually a Remote Authentication Dial-in User Service
(RADIUS) server, maintains user information like username, password, VLAN
that the user belongs to, committed access rate (CAR) parameters, priority, and
ACLs.
The above systems involve three basic concepts: PAE, controlled port, control
direction.
PAE
Port access entity (PAE) refers to the entity that performs the 802.1x algorithm and
protocol operations.
■ The authenticator PAE uses the authentication server to authenticate a
supplicant trying to access the LAN and controls the status of the controlled
port according to the authentication result, putting the controlled port in the
state of authorized or unauthorized. In authorized state, the supplicant can
access network resources without authentication; in unauthorized state, the
supplicant can receive and send EAPOL frames rather than accessing network
resources.
■ The supplicant PAE responds to the authentication request of the authenticator
PAE and provides authentication information. The supplicant PAE can also send
authentication requests and logoff requests to the authenticator.
Controlled port and uncontrolled port
An authenticator provides ports for supplicants to access the LAN. Each of the
ports can be regarded as two logical ports: a controlled port and an uncontrolled
port.
Supplicant PAE
Supplicant system
Services offered by
Authenticatorÿs
system
Authenticator
PAE
Authenticator system
Authentication
server system
Authentication
server
EAP protocol
exchanges
carried in
higher layer
protocol
Port
unauthorized
LAN/WLAN
To Next Page
Loading...
