1-3Controlled port and uncontrolled portThe authenticator system provides ports for supplicant systems to access a LAN. Logically,a port of this kind is divided into a controlled port and an uncontrolled port.z The uncontrolled port can always send and receive packets. It mainly serves to forwardEAPoL packets to ensure that a supplicant system can send and receive authenticationrequests.z The controlled port can be used to pass service packets when it is in authorized state.It is blocked when not in authorized state. In this case, no packets can pass through it.z Controlled port and uncontrolled port are two properties of a port. Packets reaching aport are visible to both the controlled port and uncontrolled port of the port.The valid direction of a controlled portWhen a controlled port is in unauthorized state, you can configure it to be a unidirectionalport, which sends packets to supplicant systems only.By default, a controlled port is a unidirectional port.The way a port is controlledA port of a H3C series switch can be controlled in the following two ways.z Port-based authentication. When a port is controlled in this way, all the supplicantsystems connected to the port can access the network without being authenticatedafter one supplicant system among them passes the authentication. And when theauthenticated supplicant system goes offline, the others are denied as well.z MAC-based authentication. All supplicant systems connected to a port have to beauthenticated individually in order to access the network. And when a supplicantsystem goes offline, the others are not affected.The Mechanism of an 802.1x Authentication SystemIEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP) toexchange information between the supplicant system and the authentication server.Figure 1-2 The mechanism of an 802.1x authentication systemz EAP protocol packets transmitted between the supplicant system PAE and theauthenticator system PAE are encapsulated as EAPoL packets.z EAP protocol packets transmitted between the authenticator system PAE and theRADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets orbe terminated at system PAEs. The system PAEs then communicate with RADIUSservers through Password Authentication Protocol (PAP) or Challenge-HandshakeAuthentication Protocol (CHAP) packets.z When a supplicant system passes the authentication, the authentication server passesthe information about the supplicant system to the authenticator system. Theauthenticator system in turn determines the state (authorized or unauthorized) of the