3Com 2928 User Guide - Page 357
Basic Concepts of 802.1X, Controlled port and uncontrolled port
- Between the device and the RADIUS server, EAP protocol packets can be exchanged in two modes: EAP relay and EAP termination. In EAP relay mode, EAP packets are encapsulated in EAP over RADIUS (EAPOR) packets on the device and then relayed by the device to the RADIUS server. In EAP termination mode, EAP packets are terminated at the device, converted to RADIUS packets with either the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) attribute, and then transferred to the RADIUS server.

Basic Concepts of 802.1X

These basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorized state/unauthorized state, and control direction.

Controlled port and uncontrolled port

A device provides ports for clients to access the LAN. Each port can be regarded as a combination of two logical ports: a controlled port and an uncontrolled port. Any packets arriving at the port are visible to both of the logical ports.

- The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol packets to pass, guaranteeing that the client can always send and receive authentication packets.
- The controlled port is open to allow data traffic to pass only when it is in the authorized state.

Authorized state and unauthorized state

A controlled port can be in either the authorized state or the unauthorized state, depending on the authentication result, as shown in Figure 1-2.

Figure 1-2 Authorized/unauthorized state of a controlled port

You can control the authorization status of a port by setting the port authorization mode to one of the following three modes:

- Force-Authorized: Places the port in the authorized state, allowing users of the port to access the network without authentication.
- Force-Unauthorized: Places the port in the unauthorized state, denying any access requests from users of the port.
- Auto: Places the port in the unauthorized state initially to allow only EAPOL packets to pass, and turns the port into the authorized state to allow access to the network after the users pass authentication. This is the most common choice.
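The following Python model is an added example, not code from the 3Com guide or the switch firmware. It shows how the three authorization modes and the authentication result together decide whether a frame is accepted by the uncontrolled port, accepted by the controlled port, or dropped. The `Port` class, the sample frames and the MAC addresses are hypothetical and constructed for the example; it assumes untagged Ethernet II frames and identifies EAPOL by its EtherType, 0x888E.

```python
import struct
from enum import Enum

EAPOL_ETHERTYPE = 0x888E  # EtherType assigned to EAPOL (IEEE 802.1X)

class Mode(Enum):
    FORCE_AUTHORIZED = "Force-Authorized"
    FORCE_UNAUTHORIZED = "Force-Unauthorized"
    AUTO = "Auto"

def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (assumption: no 802.1Q tag)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

class Port:
    """Hypothetical model: one physical port = uncontrolled + controlled logical port."""
    def __init__(self, mode: Mode):
        self.mode = mode
        self.auth_passed = False   # outcome of the last authentication exchange

    def authorized(self) -> bool:
        if self.mode is Mode.FORCE_AUTHORIZED:
            return True            # no authentication needed
        if self.mode is Mode.FORCE_UNAUTHORIZED:
            return False           # authentication result is ignored
        return self.auth_passed    # Auto: state follows the result

    def admit(self, frame: bytes) -> str:
        """Name the logical port that accepts the frame, or 'drop'."""
        if ethertype(frame) == EAPOL_ETHERTYPE:
            return "uncontrolled"  # always open for EAPOL, in every state
        return "controlled" if self.authorized() else "drop"

# Constructed sample frames (addresses and payloads are made up for the example).
PAE_GROUP = bytes.fromhex("0180c2000003")
CLIENT = bytes.fromhex("020000000001")
EAPOL_START = PAE_GROUP + CLIENT + struct.pack("!H", EAPOL_ETHERTYPE) + bytes([1, 1, 0, 0])
IPV4_DATA = bytes.fromhex("ffffffffffff") + CLIENT + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)

def walk_through() -> list:
    port = Port(Mode.AUTO)
    before = (port.admit(EAPOL_START), port.admit(IPV4_DATA))
    port.auth_passed = True        # the client passed authentication
    after = (port.admit(EAPOL_START), port.admit(IPV4_DATA))
    return [before, after]

if __name__ == "__main__":
    print(walk_through())
```

In Force-Unauthorized mode the model still hands EAPOL frames to the uncontrolled port, but the controlled port never opens, so data traffic is dropped whatever the authentication result.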