Operation Manual – SecurityH3C S9500 Series Routing Switches Chapter 1 802.1x Configuration1-2is to be encapsulated in the packets of other AAA upper layer protocols (e.g. RADIUS)so as to go through the complicated network to reach the Authentication Server. Suchprocedure is called EAP Relay.There are two types of ports for the Authenticator. One is the Uncontrolled Port, and theother is the Controlled Port. The Uncontrolled Port is always in bi-directional connectionstate. The user can access and share the network resources any time through the ports.The Controlled Port will be in connecting state only after the user passes theauthentication. Then the user is allowed to access the network resources.Supplicant AuthenticatorPAEAuthenticatorServerSupplicantSystemAuthenticator System AuthenticatorServerSystemEAP protocolexchangescarried inhigher layerprotocolEAPoLControlledPortPortunauthorizedLANUncontrolledPortServicesofferedbyAuthenticatorsSystemFigure 1-1 802.1x system architecture1.1.3 802.1x Authentication Process802.1x configures EAP frame to carry the authentication information. The Standarddefines the following types of EAP frames:z EAP-Packet: Authentication information frame, used to carry the authenticationinformation.z EAPoL-Start: Authentication originating frame, actively originated by theSupplicant.z EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.z EAPoL-Key: Key information frame, supporting to encrypt the EAP packets.z EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of Alert StandardForum (ASF).The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the Supplicantand the Authenticator. The EAP-Packet information is re-encapsulated by theAuthenticator System and then transmitted to the Authentication Server System. TheEAPoL-Encapsulated-ASF-Alert is related to the network management information andterminated by the Authenticator.
