1-2Architecture of 802.1x AuthenticationAs shown in Figure 1-1, 802.1x adopts a client/server architecture with three entities: asupplicant system, an authenticator system, and an authentication server system.Figure 1-1 Architecture of 802.1x authenticationz The supplicant system is an entity residing at one end of a LAN segment and isauthenticated by the authenticator system at the other end of the LAN segment. Thesupplicant system is usually a user terminal device. An 802.1x authentication istriggered when a user launches client program on the supplicant system. Note that theclient program must support the extensible authentication protocol over LAN (EAPoL).z The authenticator system is another entity residing at one end of a LAN segment. Itauthenticates the connected supplicant systems. The authenticator system is usuallyan 802.1x-supported network device (such as a H3C series switch). It provides the port(physical or logical) for the supplicant system to access the LAN.z The authentication server system is an entity that provides authentication service tothe authenticator system. Normally in the form of a RADIUS server, the authenticationserver system serves to perform Authentication, Authorization, and Accounting (AAA)services to users. It also stores user information, such as user name, password, theVLAN a user belongs to, priority, and the Access Control Lists (ACLs) applied.The four basic concepts related to the above three entities are PAE, controlled port anduncontrolled port, the valid direction of a controlled port and the way a port is controlled.I. PAEA port access entity (PAE) is responsible for implementing algorithms and performingprotocol-related operations in the authentication mechanism.z The authenticator system PAE authenticates the supplicant systems when they log intothe LAN and controls the status (authorized/unauthorized) of the controlled portsaccording to the authentication result.z The supplicant system PAE responds to the authentication requests received from theauthenticator system and submits user authentication information to the authenticatorsystem. It also sends authentication requests and disconnection requests to theauthenticator system PAE.