Authenticators are traffic cops. In fact, they operate in the same manner as a dynamic firewall. If you are unauthenticated, they won't let any of your traffic through except 802.1x messages. After you authenticate, your traffic is permitted. All of this is accomplished using two virtual ports: a controlled port and an uncontrolled port (Figure 6.2). The uncontrolled port is used solely by the authenticator to communicate with the authentication server. The controlled port begins in an unauthorized state, which blocks all traffic. After the client is authenticated, the controlled port is changed to an authorized state and network traffic is allowed through.