Operation Manual – 802.1x
H3C S7500 Series Ethernet Switches
Chapter 1 802.1x Configuration

II. Controlled port and uncontrolled port

The authenticator system provides ports for supplicant systems to access a LAN. A port of this kind is divided into two virtual ports: a controlled port and an uncontrolled port.

- The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL packets to ensure that a supplicant system can make authentication requests or be authenticated.
- The controlled port can be used to pass service packets when it is in the authorized state. However, it is disconnected when it is not in the authorized state. In this case, no packets can pass through the controlled port.
- The controlled port and the uncontrolled port are two parts of one port. Packets arriving at the port are visible to both the controlled port and the uncontrolled port.

III. Control direction

In the unauthorized state, the controlled port can be set to a unidirectionally controlled port, which is allowed to send packets to supplicant systems only.

By default, a controlled port is a unidirectionally controlled port.

IV. Control mode

Two port control modes are supported:

- Port-based authentication. In this mode, all the supplicant systems connected to the physical port can access the network without being authenticated after one of them passes authentication. Similarly, when one of the authenticated supplicant systems goes offline, the others are denied.
- MAC address-based authentication. All supplicant systems connected to the physical port have to be authenticated individually in order to access the network. When a supplicant system goes offline, the others are not affected.

1.1.2 802.1x Authentication Mechanism

The IEEE 802.1x authentication system uses the Extensible Authentication Protocol (EAP) as a means of exchanging authentication information between the supplicant system and the authentication server.

[Figure: supplicant system PAE, authenticator system PAE, authentication server; EAPoL; EAP/PAP/CHAP exchanges carried by RADIUS protocol]

Figure 1-2 802.1x authentication mechanism

- Between the supplicant system and the authenticator system, EAP protocol packets are encapsulated in EAPoL packets and transmitted over the LAN.
- Between the authenticator system PAE and the RADIUS server, EAP protocol packets can either be encapsulated in EAPoR (EAP over RADIUS) packets or be