Operation Manual – 802.1x and System Guard
H3C S5600 Series Ethernet Switches
Chapter 1 802.1x Configuration

• The authenticator system PAE authenticates the supplicant systems when they log into the LAN and controls the status (authorized/unauthorized) of the controlled ports according to the authentication result.
• The supplicant system PAE responds to the authentication requests received from the authenticator system and submits user authentication information to the authenticator system. It also sends authentication requests and disconnection requests to the authenticator system PAE.

II. Controlled port and uncontrolled port

The authenticator system provides ports for supplicant systems to access a LAN. Logically, a port of this kind is divided into a controlled port and an uncontrolled port.

• The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL packets to ensure that a supplicant system can send and receive authentication requests.
• The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it.
• Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of the port.

III. The valid direction of a controlled port

When a controlled port is in unauthorized state, you can configure it to be a unidirectional port, which sends packets to supplicant systems only.

By default, a controlled port is a unidirectional port.

IV. The way a port is controlled

A port of an H3C series switch can be controlled in the following two ways.

• Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication. When the authenticated supplicant system goes offline, the others are denied as well.
• MAC-based authentication. All supplicant systems connected to a port have to be authenticated individually in order to access the network. When a supplicant system goes offline, the others are not affected.

1.1.2 The Mechanism of an 802.1x Authentication System

The IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP) to exchange information between the supplicant system and the authentication server.
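
The two control methods from "IV. The way a port is controlled", together with the uncontrolled port's handling of EAPoL, can be modelled in a few lines. This is an added example, not code from the manual or from H3C software; the class, method names and MAC addresses are hypothetical and constructed for illustration.

```python
# Added illustration: a minimal model of the port control behaviour described
# in the manual. All names here are hypothetical, not H3C software.
EAPOL_ETHERTYPE = 0x888E   # EtherType of EAP over LAN (IEEE 802.1X)
IPV4_ETHERTYPE = 0x0800    # stands in for ordinary service traffic


class AuthenticatorPort:
    def __init__(self, method):
        if method not in ("portbased", "macbased"):
            raise ValueError("method must be 'portbased' or 'macbased'")
        self.method = method
        self.authenticated = set()   # MACs that have passed authentication

    def auth_success(self, mac):
        self.authenticated.add(mac)

    def logoff(self, mac):
        self.authenticated.discard(mac)

    def _authorized(self, mac):
        if self.method == "portbased":
            # One authenticated supplicant opens the controlled port for all.
            return bool(self.authenticated)
        # MAC-based: every supplicant is judged individually.
        return mac in self.authenticated

    def ingress(self, src_mac, ethertype):
        """Decide what happens to a frame sent by a supplicant system."""
        if ethertype == EAPOL_ETHERTYPE:
            return "forward"         # uncontrolled port always passes EAPoL
        return "forward" if self._authorized(src_mac) else "drop"


def scenario(method):
    """Constructed case: host A authenticates, host B never does.

    Returns what happens to B's service traffic before A authenticates,
    while A is online, and after A goes offline.
    """
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # constructed
    port = AuthenticatorPort(method)
    before = port.ingress(host_b, IPV4_ETHERTYPE)
    port.auth_success(host_a)
    while_a_online = port.ingress(host_b, IPV4_ETHERTYPE)
    port.logoff(host_a)
    after_a_offline = port.ingress(host_b, IPV4_ETHERTYPE)
    return before, while_a_online, after_a_offline
```

Comparing `scenario("portbased")` with `scenario("macbased")` shows why the choice matters on ports that sit behind a hub or unmanaged switch: only the MAC-based method keeps the unauthenticated host blocked while another host on the same port is online.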