3Com 2928 User Guide

• Between the device and the RADIUS server, EAP protocol packets can be exchanged in two
  modes: EAP relay and EAP termination. In EAP relay mode, EAP packets are encapsulated in EAP
  over RADIUS (EAPOR) packets on the device, and then relayed by the device to the RADIUS server.
  In EAP termination mode, EAP packets are terminated at the device, converted to RADIUS
  packets with either the Password Authentication Protocol (PAP) or the Challenge Handshake
  Authentication Protocol (CHAP) attribute, and then transferred to the RADIUS server.
Basic Concepts of 802.1X 
These basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorized 
state/unauthorized state, and control direction. 
Controlled port and uncontrolled port 
A device provides ports for clients to access the LAN. Each port can be regarded as a combination of two
logical ports: a controlled port and an uncontrolled port. Any packets arriving at the port are visible to
both of the logical ports.
• The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL
  protocol packets to pass, guaranteeing that the client can always send and receive authentication
  packets.
• The controlled port is open to allow data traffic to pass only when it is in the authorized state.
Authorized state and unauthorized state 
A controlled port can be in either authorized state or unauthorized state, which depends on the
authentication result, as shown in Figure 1-2.

Figure 1-2 Authorized/unauthorized state of a controlled port
 
 
You can control the authorization status of a port by setting its port authorization mode to one of the
following three:
• Force-Authorized: Places the port in authorized state, allowing users of the port to access the
  network without authentication.
• Force-Unauthorized: Places the port in unauthorized state, denying any access requests from
  users of the port.
• Auto: Places the port in the unauthorized state initially to allow only EAPOL packets to pass, and
  turns the port into the authorized state to allow access to the network after the users pass
  authentication. This is the most common choice.
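
The forwarding decision described above, modelled as an added example (not code from the 3Com guide or the switch firmware). The Port class, its method names and the sample frames are hypothetical; the model assumes untagged Ethernet II frames and identifies EAPOL by its EtherType, 0x888E.

```python
import struct
from enum import Enum

ETHERTYPE_EAPOL = 0x888E  # EtherType of EAP over LAN (IEEE 802.1X)
BROADCAST = bytes.fromhex("ffffffffffff")
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address

class Mode(Enum):
    FORCE_AUTHORIZED = "Force-Authorized"
    FORCE_UNAUTHORIZED = "Force-Unauthorized"
    AUTO = "Auto"

def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]

class Port:
    """Hypothetical model: one physical port seen as two logical ports."""
    def __init__(self, mode: Mode):
        self.mode = mode
        self.auth_passed = False  # last authentication result (used in Auto)

    def on_auth_result(self, success: bool) -> None:
        self.auth_passed = success

    def authorized(self) -> bool:
        """State of the controlled port."""
        if self.mode is Mode.FORCE_AUTHORIZED:
            return True
        if self.mode is Mode.FORCE_UNAUTHORIZED:
            return False
        return self.auth_passed  # Auto: follows the authentication result

    def admit(self, frame: bytes) -> bool:
        """EAPOL always passes (uncontrolled port); other traffic passes
        only while the controlled port is authorized."""
        return ethertype(frame) == ETHERTYPE_EAPOL or self.authorized()

def make_frame(dst: bytes, etype: int, payload: bytes) -> bytes:
    """Constructed sample frame; the source MAC is made up."""
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", etype) + payload

# Constructed inputs: an EAPOL-Start (version 1, type 1, length 0) and an IPv4 frame.
EAPOL_START = make_frame(PAE_GROUP, ETHERTYPE_EAPOL, bytes([1, 1, 0, 0]))
IPV4_DATA = make_frame(BROADCAST, 0x0800, b"\x00" * 46)
```

In this model a Force-Unauthorized port keeps dropping data frames even after a successful authentication result, while EAPOL frames are still accepted on the uncontrolled port in every mode.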