Operation Manual – Security
H3C S9500 Series Routing Switches

Chapter 1 802.1x Configuration

1.1 802.1x Overview

1.1.1 802.1x Standard Overview

IEEE 802.1x (hereinafter referred to as 802.1x) is a port-based network access control protocol that is used as the standard for LAN user access authentication.

In LANs complying with the IEEE 802 standards, a user can access the devices and share the resources in the LAN by connecting to a LAN access control device such as a LAN Switch. However, in telecom access, commercial LANs (a typical example is the LAN in an office building), mobile office and similar environments, LAN providers generally want to control user access. The requirement for the above-mentioned “Port Based Network Access Control” originates from these cases.

As the name implies, “Port Based Network Access Control” means authenticating and controlling all the devices accessing through a port of the LAN access control device. If the user’s device connected to the port passes authentication, the user can access the resources in the LAN. Otherwise, the user cannot access the resources in the LAN, which is equivalent to the user being physically disconnected.

802.1x defines a port-based network access control protocol and only defines the point-to-point connection between the access device and the access port. The port can be either physical or logical. Typical application environments are as follows: each physical port of the LAN Switch connects to only one user workstation (based on the physical port), and the wireless LAN access environment defined by the IEEE 802.11 standard (based on the logical port).

1.1.2 802.1x System Architecture

A system using 802.1x has a typical C/S (Client/Server) architecture. It contains three entities, which are illustrated in the following figure: Supplicant System, Authenticator System and Authentication Server System.

The LAN access control device needs to provide the Authenticator System of 802.1x. Devices at the user side, such as computers, need to have 802.1x client (Supplicant) software installed, for example, the 802.1x client provided by S9500 (or by Microsoft Windows XP). The 802.1x Authentication Server System normally resides in the carrier’s AAA center.

The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which