IEEE 802.1X
What It Is
IEEE 802.1X provides port-based network access control. A supplicant proves identity to an authenticator, and the authenticator relays EAP to an authentication server, usually RADIUS. In real networks, 802.1X is part of NAC: identity, certificates, posture, dynamic VLANs, downloadable ACLs, MAB fallback, guest access, and operational exception handling.
Roles
| Role | What It Is | Common Device |
|---|---|---|
| Supplicant | Endpoint requesting access | Laptop, phone, printer, IoT device |
| Authenticator | Network device controlling access | Switch port, AP, wireless controller |
| Authentication server | Backend identity decision point | RADIUS/NAC server |
| EAP | Authentication framework | EAP-TLS, PEAP, TEAP, other methods |
| EAPOL | EAP over LAN transport | Client to switch/AP before normal access |
| RADIUS | Backend AAA transport | Authenticator to authentication server |
Modern note: 802.1X does not replace segmentation. It decides access state and can assign policy. VLANs, ACLs, SGTs, firewall rules, and endpoint controls still enforce reachability.
Common Methods
| Method | Credential | Modern Guidance |
|---|---|---|
| EAP-TLS | Client and server certificates | Strong default for managed devices |
| PEAP-MSCHAPv2 | Server cert plus user/password inside tunnel | Still common, but password and cert validation risks matter |
| TEAP | Tunneled EAP with modern chaining options | Useful where supported |
| EAP-TTLS | Server cert plus tunneled inner auth | Common outside some Windows-native environments |
| MAB | MAC address as identity | Fallback only, weak by itself |
| WebAuth / CWA | Web portal | Guest or exception workflows |
Watch out: If clients do not validate the RADIUS server certificate, credential theft becomes much easier. Certificate trust is not an optional detail.
EAPOL And EAP
| Item | Values | Notes |
|---|---|---|
| EAPOL Ethernet type | 0x888e | Used between supplicant and authenticator |
| EAP codes | Request, Response, Success, Failure | Core EAP exchange |
| EAPOL packet types | EAP packet, Start, Logoff, Key | LAN encapsulation |
| 802.1X controlled port | Authorized or unauthorized | Data traffic blocked until access allowed |
| Uncontrolled port | EAPOL allowed | Lets authentication happen before full access |
Typical wired flow:
- Link comes up.
- Switch starts 802.1X or client sends EAPOL-Start.
- Switch requests identity.
- Client responds with identity.
- Switch relays EAP inside RADIUS.
- RADIUS server accepts, rejects, or challenges.
- Switch authorizes the session and applies policy.
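Added example, not code from this reference or any vendor: a Python decoder for the frame fields in the table above. It checks the EAPOL EtherType, the EAPOL packet type and the EAP code and length before reading an Identity, and rejects truncated or inconsistent frames instead of misreading them. The source MAC and the identity string are constructed sample values.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination address

def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL + (optional) EAP headers into a summary dict. Raises
    ValueError for non-EAPOL or truncated frames so a capture loop can count bad input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    info = {"src": frame[6:12].hex(":"), "dst": frame[0:6].hex(":"),
            "eapol_version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:                        # Start, Logoff and Key carry no EAP packet
        return info
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length inconsistent with EAPOL body")
    info.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
    if code in (1, 2) and eap_len >= 5:   # only Request/Response carry a Type octet
        info["eap_type"] = body[4]
        if body[4] == EAP_TYPE_IDENTITY:
            # The identity is clear text on the wire before any TLS tunnel exists,
            # which is why anonymous outer identities matter for tunneled methods.
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

def build_eapol(ptype: int, eap: bytes = b"", src: bytes = bytes.fromhex("001122334455")) -> bytes:
    """Compose a frame for the constructed samples below (not a real capture)."""
    return PAE_GROUP_MAC + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(eap)) + eap

# Constructed samples: a client EAPOL-Start, then an EAP Identity Response (id 7)
EAPOL_START = build_eapol(1)
IDENTITY_RESPONSE = build_eapol(0, struct.pack("!BBHB", 2, 7, 22, EAP_TYPE_IDENTITY) + b"alice@example.com")
```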
Policy Outcomes
| Outcome | What Happens | Use Case |
|---|---|---|
| Permit default VLAN | Port opens in configured access VLAN | Simple deployments |
| Dynamic VLAN | RADIUS assigns VLAN | Role or device segmentation |
| Downloadable ACL | RADIUS assigns ACL | More precise access control |
| Security group tag | Identity tag assigned | TrustSec or policy fabric |
| Guest VLAN | Non-802.1X clients land in guest | Limited fallback |
| Critical auth | Temporary access during RADIUS outage | Availability tradeoff |
| Auth fail VLAN | Failed clients land in restricted VLAN | Remediation or deny path |
| Deny | Session remains unauthorized | Strict control |
Design note: Define failure behavior before rollout. RADIUS outage, certificate expiration, and unknown devices must have intentional outcomes.
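Added example, not part of this reference: how a RADIUS Access-Accept carries the "Dynamic VLAN" outcome from the table above, using the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that switches read as a VLAN assignment. The decoder applies the RFC 2868 tag rule and returns None when the set is incomplete or not an IEEE 802 VLAN, which is the attribute-level check behind the "auth succeeds but wrong VLAN" troubleshooting row later on this page. The packet is constructed locally with a zeroed authenticator.

```python
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes; together they tell a switch which VLAN to assign
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def iter_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute area after the 20-byte RADIUS header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def assigned_vlan(packet: bytes):
    """Return the VLAN an Access-Accept assigns, or None if the three tunnel attributes
    do not form one consistent VLAN/IEEE-802 set (a switch ignores an incomplete set)."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    by_tag: dict = {}
    for atype, raw in iter_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            # RFC 2868: a leading octet of 0x00..0x1F is a tag; anything larger is data
            tag, value = (raw[0], raw[1:]) if raw and raw[0] <= 0x1F else (0, raw)
            by_tag.setdefault(tag, {})[atype] = value
    for attrs in by_tag.values():
        if (len(attrs) == 3
                and int.from_bytes(attrs[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") == MEDIUM_IEEE_802):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None

def build_access_accept(attrs, ident: int = 1) -> bytes:
    """Constructed Access-Accept for the samples; the Response Authenticator is zeroed,
    so this is parser input only, not a packet any switch would accept as genuine."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: dynamic assignment of VLAN 20, the access VLAN in the IOS example
VLAN_ACCEPT = build_access_accept([
    (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"20"),
])
```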
Host Modes
| Mode | Behavior | Common Use |
|---|---|---|
| Single-host | One endpoint behind the port | Strict wired access |
| Multi-host | First authorized endpoint opens for others | Rare, risky |
| Multi-domain | One data endpoint plus voice device | Phone plus workstation |
| Multi-auth | Authenticate multiple endpoints individually | Shared access or hub-like cases |
Watch out: Multi-host can open the door for unmanaged devices behind an authenticated client. Use it only with a clear reason.
Cisco IOS/IOS-XE Examples
Global AAA and RADIUS:
```
aaa new-model
radius server NAC-01
 address ipv4 10.10.50.10 auth-port 1812 acct-port 1813
 key ExampleRadiusSecret
!
aaa group server radius NAC
 server name NAC-01
!
aaa authentication dot1x default group NAC
aaa authorization network default group NAC
aaa accounting dot1x default start-stop group NAC
dot1x system-auth-control
```
Access port with 802.1X first, MAB fallback:
```
interface GigabitEthernet1/0/10
 description User access
 switchport mode access
 switchport access vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
```
Notes:
- Newer IOS-XE uses `authentication` and `access-session` style commands; older examples use more `dot1x` interface commands.
- MAB should be an exception path, not equivalent trust.
- Phones, printers, cameras, and IoT need explicit policy design before enforcement.
- Stage rollouts in monitor or low-impact mode where supported.
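Added example, not part of this page: a Python lint for interface stanzas like the one above, checking the points made in the notes (port-control auto, dot1x ordered before MAB, multi-host, the global dot1x and AAA commands). The parser accepts flush-left sub-commands, since pasted configs often lose indentation; the sample config is constructed, not taken from a real switch.

```python
def parse_interfaces(config: str) -> dict:
    """Map interface name to its sub-commands; a block ends at '!', a blank line or the next 'interface' line (pasted configs often lose indentation)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def lint_port(cmds: list) -> list:
    """Findings for one access port, following the deployment notes in this reference."""
    has = lambda prefix: any(c.startswith(prefix) for c in cmds)
    if not has("switchport mode access"):
        return []                                    # trunks and uplinks are out of scope
    checks = [
        (not has("authentication port-control auto"), "port-control not auto: 802.1X is never enforced"),
        (not has("dot1x pae authenticator"), "no dot1x pae authenticator: no EAP sent, MAB is the only identity"),
        (has("authentication order mab"), "MAB ordered before dot1x; MAB should be the fallback"),
        (has("authentication host-mode multi-host"), "multi-host: first authenticated endpoint opens the port for all"),
    ]
    return [msg for failed, msg in checks if failed]

def lint_config(config: str) -> dict:
    """{interface or 'global': [findings]}; without the global commands no port sends EAP."""
    report = {name: lint_port(cmds) for name, cmds in parse_interfaces(config).items()}
    present = {line.strip() for line in config.splitlines()}
    report["global"] = [f"missing '{g}'" for g in ("aaa new-model", "dot1x system-auth-control") if g not in present]
    return report

# Constructed sample: the page's port next to a neighbour that only looks protected
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
interface GigabitEthernet1/0/10
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/11
 switchport mode access
 authentication host-mode multi-host
 authentication order mab dot1x
 mab
"""
```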
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Client never starts auth | Supplicant enabled, EAPOL frames, link state | Client config or driver |
| Switch sends no EAP | Global dot1x, interface control, host mode | Authenticator not enabled |
| RADIUS timeout | Reachability, source interface, shared secret, ports | AAA path broken |
| Cert failure | Client trust store, server cert chain, expiry | PKI issue |
| User auth succeeds but wrong VLAN | RADIUS attributes, policy set order | NAC policy mismatch |
| MAB devices fail | MAC format, endpoint database, profiling | Identity mismatch |
| Random reauth drops | Reauth timer, server health, client behavior | Aggressive timer or AAA instability |
| Phone works, PC fails | Multi-domain, voice VLAN, LLDP/CDP | Host mode or voice policy |
Commands
```
show authentication sessions
show authentication sessions interface GigabitEthernet1/0/10 details
show dot1x interface GigabitEthernet1/0/10 details
show radius statistics
test aaa group radius user@example.com password legacy
```
Expected clues:
- Session method is dot1x, mab, or webauth as intended.
- Authorization result matches the expected VLAN, ACL, or tag.
- RADIUS server is reachable and accepting requests.
- Failure reason distinguishes reject from timeout.
- Endpoint MAC and identity match the NAC policy.
Watch Out
- Do not enforce 802.1X everywhere before inventorying exception devices.
- Do not treat MAB as strong authentication.
- Do not ignore certificate lifecycle. Expired RADIUS or client certs create outages.
- Do not skip logging and accounting. You need session evidence during incidents.
- Do not leave critical auth or guest fallback broader than needed.
- Do not forget that wireless 802.1X and wired 802.1X share concepts but differ operationally.