1-2z Between the device and the RADIUS server, EAP protocol packets can be exchanged in twomodes: EAP relay and EAP termination. In EAP relay mode, EAP packets are encapsulated in EAPover RADIUS (EAPOR) packets on the device, and then relayed by device to the RADIUS server.In EAP termination mode, EAP packets are terminated at the device, converted to RADIUSpackets either with the Password Authentication Protocol (PAP) or Challenge HandshakeAuthentication Protocol (CHAP) attribute, and then transferred to the RADIUS server.Basic Concepts of 802.1XThese basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorizedstate/unauthorized state, and control direction.Controlled port and uncontrolled portA device provides ports for clients to access the LAN. Each port can be regarded as a unity of twological ports: a controlled port and an uncontrolled port. Any packets arriving at the port are visible toboth of the logical ports.z The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOLprotocol packets to pass, guaranteeing that the client can always send and receive authenticationpackets.z The controlled port is open to allow data traffic to pass only when it is in the authorized state.Authorized state and unauthorized stateA controlled port can be in either authorized state or unauthorized state, which depends on theauthentication result, as shown in Figure 1-2.Figure 1-2 Authorized/unauthorized state of a controlled portYou can control the port authorization status of a port by setting port authorization mode to one of thefollowing three:z Force-Authorized: Places the port in authorized state, allowing users of the port to access thenetwork without authentication.z Force-Unauthorized: Places the port in unauthorized state, denying any access requests fromusers of the port.z Auto: Places the port in the unauthorized state initially to allow only EAPOL packets to pass, andturns the port into the authorized state to allow access to the network after the users passauthentication. This is the most common choice.