What Is 802.1X? Security Definition
On This Page
Quick Definition
802.1X is like a bouncer at a nightclub who checks your ID before letting you in. It makes sure only authorized devices and users can connect to a network. If your device doesn't have the right credentials, access is blocked. This keeps the network safe from unwanted visitors.
Commonly Confused With
802.1Q is the standard for VLAN tagging, which is used to mark Ethernet frames so that switches can identify which VLAN a frame belongs to. 802.1X is for authentication and access control. One controls network segmentation (802.1Q), the other controls who or what can connect to the network (802.1X). They are often used together: after 802.1X authenticates a device, 802.1Q can be used to place it into a specific VLAN.
A company uses 802.1X to verify an employee's laptop, then the switch uses 802.1Q to place that laptop into the 'Corporate' VLAN.
WPA2-PSK (Pre-Shared Key) is a wireless security mode that uses a single shared password for all devices connecting to a Wi-Fi network. 802.1X (used in WPA2-Enterprise) requires each device to authenticate individually, usually with unique credentials. WPA2-PSK is simpler but less secure because the password can be shared or cracked, granting access to anyone.
A home Wi-Fi network uses WPA2-PSK with one password for the family. A corporate office uses WPA2-Enterprise with 802.1X, so each employee has a unique certificate on their laptop.
MAC address filtering allows or denies network access based on the hardware address of a device's network interface card. 802.1X authenticates using credentials (certificates or passwords) rather than a static identifier. MAC addresses can be easily spoofed by an attacker, making MAC filtering a very weak security control. 802.1X is far more secure because credentials are cryptographically verified.
An old office Wi-Fi used MAC filtering, but an attacker spoofed a known MAC address and gained access. The company upgraded to 802.1X, which stopped the attacker because they did not have a valid certificate.
Must Know for Exams
802.1X is a highly exam-relevant topic for the CompTIA Network+, CompTIA Security+, and Cisco CCNA certifications. Each exam covers it with a different depth and focus, and understanding these nuances is critical for exam success.
For the Network+ exam (N10-009), 802.1X appears primarily under Domain 4: Network Security. The exam objectives specifically mention 802.1X as a method of network access control. You need to understand it as a concept: what it is, its three main components (supplicant, authenticator, authentication server), and how it differs from simpler methods like MAC filtering or pre-shared keys.
Network+ questions may ask you to identify the correct component in a given scenario or to differentiate 802.1X from other security technologies like VPNs or firewalls. You are not expected to know the detailed configuration commands, but you should know the role of RADIUS in 802.
1X and that EAP is the protocol used. For the Security+ exam (SY0-701), 802.1X appears in Domain 3: Security Architecture and Domain 4: Security Operations. Security+ focuses more on the security implications.
You should understand that 802.1X is a form of AAA (Authentication, Authorization, and Accounting) implementation and that it enforces the principle of least privilege at the network edge. Security+ questions might ask you to compare 802.
1X with other access control methods, such as captive portals or NAC agents. You may also see questions about EAP variants, particularly EAP-TLS (which uses certificates) and PEAP (which uses a password inside a TLS tunnel). Security+ also expects you to know that 802.
1X can prevent rogue access points and man-in-the-middle attacks on the wired network. For the CCNA (200-301), 802.1X is a more substantial topic. It is covered under the Network Access domain, which makes up 10-15% of the exam.
CCNA expects you to not only understand the theory but also to be able to configure and troubleshoot 802.1X on Cisco switches. You need to know commands like 'dot1x port-control auto', 'dot1x host-mode multi-auth', and 'aaa new-model'.
You should understand the authentication process in detail: how the switch acts as an authenticator, how EAPoL frames work, and how the RADIUS server interaction happens. CCNA questions often involve troubleshooting scenarios where a device fails to authenticate. You might be asked to identify why a port remains in the unauthorized state, or to interpret show commands like 'show dot1x all detail' or 'show authentication sessions'.
You also need to understand how 802.1X interacts with other features like port security and dynamic VLAN assignment. In all three exams, you will encounter multiple-choice questions, but CCNA also includes simulations and drag-and-drop questions where you must correctly sequence the authentication steps.
Recognizing the scenario where 802.1X is the correct solution, versus other security measures, is a common skill tested. For example, a question might ask: 'An organization wants to ensure that only company-issued laptops can connect to the wired network.
Which technology should be implemented?' The correct answer is 802.1X with certificate-based authentication.
Simple Meaning
Imagine you are trying to enter a secure office building. You can't just walk in through the front door. First, you need to show your ID badge to a security guard at the entrance. The guard checks your badge against a list of approved employees.
If your badge is valid, the guard unlocks the door and lets you in. If your badge is expired or not on the list, you are denied entry. 802.1X works the same way, but for computer networks.
When your computer or phone tries to connect to a company's network, the network switch or Wi-Fi access point acts like the security guard. It asks your device for some form of identification. This identification could be a username and password, a certificate stored on your device, or even a token generated by an app.
The switch then sends that identification information to a central authentication server, which is like a master list of all approved employees. This server checks whether your credentials are correct and whether you are allowed to access the network. If everything checks out, the server tells the switch to open a specific port for your device, and you are granted network access.
If your credentials are wrong or you are not authorized, the server tells the switch to keep the port closed, and you remain blocked. This process happens automatically and quickly, often without the user even noticing. The key idea is that 802.
1X controls access at the very edge of the network, at the point where a device first plugs in or connects wirelessly. This is much more secure than letting any device connect and then trying to police behavior later. It ensures that only known and trusted devices can even begin to communicate on the network.
This prevents unauthorized users from accessing sensitive data, launching attacks, or using network resources without permission. 802.1X is a fundamental building block for modern network security, especially in environments that need to protect sensitive information, such as hospitals, banks, and government agencies.
Full Technical Definition
802.1X is an IEEE standard for port-based Network Access Control (NAC). It operates at the data link layer (Layer 2) of the OSI model and provides an authentication framework that prevents unauthorized devices from gaining access to a local area network (LAN) or wireless LAN (WLAN) until they have successfully authenticated.
The standard was originally designed for wired Ethernet networks but has been widely adopted for wireless networks as well, particularly in the WPA2-Enterprise and WPA3-Enterprise security protocols. The 802.1X architecture consists of three main components: the supplicant, the authenticator, and the authentication server.
The supplicant is the client device that wants to connect to the network, such as a laptop, smartphone, or IoT device. It runs software that handles the authentication process, typically an 802.1X client that is built into the operating system.
The authenticator is the network device that controls physical access to the network, such as a managed Ethernet switch or a wireless access point. The authenticator acts as a gatekeeper, blocking all traffic from the supplicant's port except for Extensible Authentication Protocol over LAN (EAPoL) frames. The authenticator does not perform the actual authentication itself; instead, it relays EAP messages between the supplicant and the authentication server.
The authentication server is typically a RADIUS (Remote Authentication Dial-In User Service) server, such as Cisco ISE, Aruba ClearPass, or Microsoft NPS. The RADIUS server maintains a database of user credentials, device certificates, or other authentication data and validates the supplicant's identity. The authentication process follows the EAP (Extensible Authentication Protocol) framework, which supports multiple authentication methods, including EAP-TLS (certificate-based), EAP-PEAP (password with tunnel), and EAP-TTLS.
During authentication, the supplicant and authentication server exchange EAP messages, which are encapsulated by the authenticator. The authenticator initially places the port in an unauthorized state, allowing only EAPoL traffic. Once the authentication server confirms the supplicant's identity, it sends a RADIUS Access-Accept message to the authenticator.
The authenticator then changes the port state to authorized, and normal network traffic can flow. If authentication fails, the port remains in the unauthorized state, effectively blocking all traffic. 802.
1X can also be used for dynamic VLAN assignment, where the RADIUS server instructs the authenticator to place the supplicant into a specific VLAN based on the user's role or device type. This allows network administrators to enforce segmentation policies dynamically. Another key feature is the ability to use MAB (MAC Authentication Bypass) for devices that do not support 802.
1X, such as printers or IP phones. In MAB, the authenticator uses the device's MAC address as a credential and sends it to the RADIUS server for validation. However, MAB is less secure because MAC addresses can be spoofed.
802.1X is also closely related to the concept of AAA (Authentication, Authorization, and Accounting). The authentication server provides AAA services, ensuring that the supplicant is who it claims to be, determining what resources the supplicant is allowed to access (authorization), and tracking usage for auditing purposes (accounting).
When implemented correctly, 802.1X provides a robust defense against unauthorized network access, man-in-the-middle attacks, and rogue device infiltration. However, it does require careful planning, including certificate management, network device configuration, and user training, to avoid issues such as authentication failures or network outages.
Real-Life Example
Think about a modern apartment building with a secure entry system. Each tenant has a key fob that unlocks the main door and the elevator for their specific floor. When a tenant arrives, they tap their fob on a reader next to the door.
The reader sends the fob's unique ID to a central computer in the building's management office. That computer checks its database to see if the fob belongs to a current tenant whose rent is paid. If everything is good, the computer sends a signal back to the door to unlock it.
The tenant can then enter and use the elevator to reach their floor. If a visitor tries to enter without a fob or with an expired one, the door stays locked. Now, imagine that the office computer also tells the elevator which floors the tenant is allowed to access.
A resident might only be allowed on their own floor and the lobby, while a maintenance worker might be restricted to the basement and service areas. This is very similar to how 802.1X works on a corporate network.
The tenant's key fob is like the credentials on a user's laptop, such as a digital certificate or a username and password. The door reader is like the network switch or access point that asks for authentication. The central computer is the RADIUS server that verifies the credentials.
Just as the building's system can restrict which floors a tenant can access, 802.1X can assign a device to a specific VLAN based on the user's role. For example, an engineer might get access to a technical VLAN, while a salesperson might get access to a guest or sales VLAN.
The key fob system also logs every entry attempt, which serves as an audit trail. Similarly, 802.1X with AAA accounting logs every authentication event, helping IT teams track who accessed the network and when.
If a fob is lost or stolen, the building manager can simply deactivate it in the central database, instantly revoking access. In the same way, if a laptop is stolen, an administrator can revoke its certificate or disable the user's account, and the device will no longer be able to authenticate. This real-life analogy shows how 802.
1X is not just about blocking unauthorized access, but also about managing and controlling access in a flexible, centralized way, just like a modern building's security system.
Why This Term Matters
In today's IT environment, network security threats are everywhere. A disgruntled employee, a careless contractor, or an external attacker with physical access could simply plug a device into an open Ethernet port and gain access to the internal network. Without 802.
1X, any device that physically connects to a network port or connects to a Wi-Fi network with a known password can potentially communicate with other devices, servers, and sensitive data. This is a huge security risk. 802.
1X matters because it enforces a policy of 'trust no device by default.' Every device must prove its identity before it is allowed to send any data beyond authentication messages. This dramatically reduces the attack surface, especially for organizations that have many network ports in public or semi-public areas, such as conference rooms, lobbies, or open office spaces.
It also helps prevent rogue devices, like a malicious Raspberry Pi plugged into a wall jack, from gaining a foothold on the network. Beyond security, 802.1X also enables network segmentation.
By integrating with a RADIUS server and using dynamic VLAN assignment, an organization can automatically place users into the correct network segment based on who they are or what device they are using. For example, a guest can be placed into a guest VLAN with internet access only, while an employee can be placed into a corporate VLAN with access to internal servers. This is much more efficient and secure than manually configuring VLANs on each switch port.
802.1X also supports accounting, which allows IT teams to track network usage for compliance, billing, or forensic purposes. For example, if a security incident occurs, the logs from the RADIUS server can show exactly which user and device were connected to a specific port at a specific time.
This audit trail is invaluable for investigations. Many compliance frameworks, such as PCI DSS, HIPAA, and FedRAMP, require some form of network access control to protect sensitive data. Deploying 802.
1X is a concrete way to meet those requirements. Finally, 802.1X can simplify onboarding for employees. When a new employee receives a company laptop with the right certificate pre-installed, they can simply plug in or connect to Wi-Fi and be authenticated automatically, without needing to enter a password or wait for an administrator to configure a port.
This improves both security and user experience.
How It Appears in Exam Questions
Exam questions about 802.1X appear in several distinct patterns. The first and most common pattern is the definition and component identification question. For example: 'Which of the following is the client device in an 802.
1X implementation?' The correct answer is 'supplicant,' while the distractors might be 'authenticator,' 'RADIUS server,' or 'access point.' To answer these correctly, you must memorize the three roles and their functions.
The second pattern is the protocol question. You might be asked: 'Which protocol is used to carry authentication messages between the supplicant and the authenticator in an 802.1X deployment?'
The answer is 'EAPoL' (Extensible Authentication Protocol over LAN). A more advanced version might ask: 'Which protocol is used between the authenticator and the authentication server?' The answer is 'RADIUS.'
The third pattern is the scenario question where you must choose the best access control method. For instance: 'A company wants to ensure that devices connecting to the network are authenticated using digital certificates. Which technology should they use?'
The correct answer is 802.1X with EAP-TLS. Another scenario might describe a guest network where users need to accept a terms-of-service page before getting internet access; in that case, a captive portal would be the correct solution, not 802.
1X. The fourth pattern is the configuration question, which is very common on the CCNA exam. You might be shown a partial configuration and asked what command is missing. For example: 'An administrator has configured 'dot1x port-control auto' on an interface, but clients still fail to authenticate.
What is the most likely missing configuration?' The answer could be that the RADIUS server is not configured globally under the 'aaa' commands, or that the interface is not in the correct mode. CCNA also uses 'troubleshoot' style multiple-choice questions where you are given a show command output.
For example: 'Based on the output of 'show dot1x all summary', all ports are in the unauthorized state. What is the likely cause?' Possible answers include a misconfigured RADIUS server, a broken authentication path, or an incorrect supplicant configuration.
The fifth pattern is the comparison question. These ask you to differentiate 802.1X from other technologies. For example: 'What is the primary advantage of 802.1X over MAC address filtering?'
The correct answer is that 802.1X authenticates the user or device using credentials, while MAC filtering only checks the MAC address, which can be easily spoofed. The sixth pattern is the security question, especially in Security+.
You might be asked: 'Which type of attack does 802.1X help prevent?' Answer: 'Rogue device connection' or 'Unauthorized network access.' You may also see questions about 802.1X in the context of wireless security, such as: 'Which wireless security standard uses 802.
1X as its authentication framework?' Answer: 'WPA2-Enterprise.' For all question types, remember that 802.1X is about controlling access at the port level, not about encrypting data.
Encryption is handled by other protocols (e.g., WPA2, IPsec). Also, remember that 802.1X requires a RADIUS server; it cannot work with just a local database on the switch or access point (though some devices offer local authentication as a fallback, this is not the standard implementation).
Practise 802.1X Questions
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized company, TechVault Inc., has 200 employees working in a single office building. The network administrator, Sarah, is concerned about security because anyone who walks into the building can potentially plug a laptop into an Ethernet port in the conference room or a common area.
Currently, all network ports are open by default, meaning that any device that connects gets an IP address and can communicate on the internal network. Sarah decides to implement 802.1X to fix this.
She installs a RADIUS server that runs Microsoft NPS (Network Policy Server). She also configures all the Cisco switches in the building to act as 802.1X authenticators. Each employee's company laptop has a digital certificate installed during the provisioning process.
When an employee, John, comes to work and plugs his laptop into his desk port, the switch initially places that port into an unauthorized state. The switch sends an EAPoL identity request to John's laptop. The laptop, acting as the supplicant, responds with its certificate.
The switch encapsulates this certificate in a RADIUS Access-Request message and sends it to the NPS server. The NPS server checks whether John's certificate is valid, has not expired, and was issued by the company's internal certificate authority. It also checks whether John's user account is active in Active Directory.
Since everything is fine, the NPS server sends a RADIUS Access-Accept message back to the switch, along with a VLAN assignment for the 'Corporate' VLAN. The switch then changes the port state to authorized and dynamically assigns the port to the Corporate VLAN. John can now access the network.
A few days later, a visitor named Alice plugs her personal laptop into the same port. Her laptop does not have a company certificate, so when the switch asks for authentication, the process fails. The switch keeps the port in the unauthorized state, and Alice's laptop never gets an IP address.
Alice cannot access anything. Sarah is happy because the network is now much more secure. However, Sarah also needs to handle devices that cannot use 802.1X, such as a network printer in the supply closet.
She configures the switch port for the printer to use MAC Authentication Bypass (MAB). When the printer connects, the switch learns its MAC address, sends it to the RADIUS server, and the server looks it up in a list of authorized printer MAC addresses. If the MAC is approved, the port is authorized.
This works, but Sarah knows it is less secure because a MAC address can be spoofed. She plans to replace the printer with a newer model that supports 802.1X. This scenario shows how 802.
1X works in a real office environment, solving the problem of unauthorized access while still accommodating legacy devices.
Common Mistakes
Thinking that 802.1X encrypts network traffic.
802.1X is an authentication protocol, not an encryption protocol. It only controls whether a device is allowed to connect. Once the port is authorized, any unencrypted traffic can still be intercepted. Encryption is handled by separate protocols like TLS, WPA2, or IPsec.
Remember that 802.1X is the 'bouncer checking IDs,' not the 'armor protecting data.' Always pair 802.1X with encryption if data confidentiality is needed.
Confusing the roles of the supplicant, authenticator, and authentication server.
Many learners believe the switch or access point performs the actual credential validation. In reality, the switch (authenticator) only relays messages. The authentication server (RADIUS) is the one that checks credentials and makes the allow/deny decision.
Use the mnemonic: 'Supplicant asks, Authenticator relays, Server decides.' The authenticator is just a messenger; it never validates credentials itself.
Assuming 802.1X requires a username and password every time.
While password-based methods like EAP-PEAP exist, 802.1X can also use certificates, tokens, or even MAC addresses (via MAB). The most secure and common enterprise implementation uses machine certificates that authenticate automatically without user interaction.
Understand that 802.1X supports multiple EAP methods. The choice of method depends on security requirements. Certificate-based (EAP-TLS) is the gold standard for security but requires a PKI.
Believing that 802.1X works on unmanaged switches.
802.1X requires the network device to be manageable and support the 802.1X standard. Unmanaged switches do not have the necessary software or configuration capabilities to act as authenticators. They simply forward all traffic regardless of authentication state.
Always verify that switches are managed and support 802.1X. For older or unmanaged hardware, a different access control method (like a NAC appliance inline) might be needed.
Thinking that 802.1X eliminates the need for a firewall.
802.1X only controls access at the edge of the network. Once a device is authenticated, it can communicate on the network according to the VLAN or ACL assigned. It does not inspect traffic, block malware, or prevent internal threats. A firewall is still needed to filter traffic between network segments.
Use 802.1X as the first line of defense for access, but always layer it with other security controls like firewalls, IDS/IPS, and antivirus software.
Exam Trap — Don't Get Fooled
{"trap":"In an exam question, you are told that a wireless network uses WPA2-Enterprise and 802.1X. The question asks what protocol is used to carry the authentication messages between the client and the access point.
The trap answer is 'RADIUS,' but the correct answer is 'EAPoL' (or 'EAP over LAN').","why_learners_choose_it":"Learners often see that 802.1X is associated with RADIUS and assume that RADIUS is the protocol used at every step of the process.
They do not distinguish between the client-to-authenticator leg (EAPoL) and the authenticator-to-server leg (RADIUS).","how_to_avoid_it":"Always visualize the three components. The wireless client communicates with the access point using EAPoL.
The access point then communicates with the RADIUS server using RADIUS. There are two separate protocols. Memorize this: EAPoL is between supplicant and authenticator; RADIUS is between authenticator and authentication server."
Step-by-Step Breakdown
Device connection
A device (supplicant) physically connects to an Ethernet port or associates with a wireless access point. At this point, the switch or access point (authenticator) detects the new link. The port is placed in an 'unauthorized' state, meaning that all traffic except EAPoL frames is blocked.
Identity request
The authenticator sends an EAPoL-Start frame or EAP-Request/Identity frame to the supplicant. This message asks the supplicant to identify itself. The supplicant responds with an EAP-Response/Identity frame that includes its username or other identifying information.
RADIUS Access-Request
The authenticator receives the EAP-Response from the supplicant and encapsulates it into a RADIUS Access-Request packet. This packet is sent to the RADIUS server (authentication server). The packet contains the supplicant's identity and the authenticator's own credentials (shared secret) for server verification.
Authentication server validation
The RADIUS server checks the supplicant's credentials against its database. Depending on the EAP method, this may involve checking a certificate, validating a username and password against Active Directory, or performing a challenge-response exchange. The server may send additional EAP messages through the authenticator to continue the authentication process (e.g., requesting a certificate or a password).
Access-Accept or Access-Reject
If the credentials are valid and the supplicant is authorized, the RADIUS server sends a RADIUS Access-Accept message back to the authenticator. This message may include attributes such as a VLAN ID, a QoS policy, or an ACL to be applied. If authentication fails, the server sends a RADIUS Access-Reject message.
Port authorization
Upon receiving an Access-Accept, the authenticator changes the port state from 'unauthorized' to 'authorized'. The port now allows normal network traffic. The authenticator also applies any dynamic attributes received from the server, such as assigning the port to a specific VLAN. If an Access-Reject was received, the port remains unauthorized, and the device is effectively blocked.
Accounting (optional)
After authorization, the authenticator may send RADIUS Accounting-Start and Accounting-Stop messages to the RADIUS server to track when the session began and ended. This provides an audit trail useful for billing, security monitoring, and compliance.
Practical Mini-Lesson
For IT professionals, implementing 802.1X is rarely a simple 'plug and play' task. It requires careful planning across multiple domains: network infrastructure, identity management, certificate services, and endpoint configuration.
The first and most critical step is to choose the right EAP method. EAP-TLS (Transport Layer Security) is the most secure because it uses certificates on both the client and the server, eliminating the need for passwords that can be phished. However, it requires a Public Key Infrastructure (PKI) to issue and manage certificates, which can be complex and costly.
EAP-PEAP (Protected EAP) is a popular alternative for environments where deploying client certificates is not feasible. With PEAP, the server has a certificate, but the client authenticates using a username and password (often against Active Directory). The password is transmitted inside a TLS tunnel, so it is encrypted.
PEAP is easier to deploy but still vulnerable to credential theft if the server certificate is not properly validated by the client. EAP-TTLS is similar to PEAP but older and less common. Once you have chosen an EAP method, you need to deploy and configure the RADIUS server.
Common choices include Microsoft NPS (Network Policy Server) for Windows shops, Cisco ISE (Identity Services Engine), Aruba ClearPass, and FreeRADIUS (open source). The RADIUS server must be integrated with your identity source, such as Active Directory, LDAP, or a certificate authority. You will create network policies that define which users or devices get which level of access.
For example, you might create a policy that says: 'If a user is in the IT group and the device has a valid certificate, place them in the IT VLAN with full access.' Another policy might say: 'If a device tries to authenticate using MAB and the MAC address is on the approved list, place it in the IoT VLAN with restricted access.' On the network switches and access points, you need to enable 802.
1X globally and on each interface. On a Cisco switch, the basic configuration includes: 'aaa new-model', 'radius server <name>', 'aaa authentication dot1x default group radius', 'dot1x system-auth-control', and then on each interface: 'dot1x port-control auto', 'dot1x host-mode multi-host' (or multi-auth, depending on whether you want to authenticate multiple devices on the same port). For wireless, you will configure the SSID to use WPA2-Enterprise or WPA3-Enterprise and point the access point to the RADIUS server.
One of the biggest challenges in deployment is the supplicant configuration. Each client operating system has its own 802.1X client settings. Windows uses the 'Wired AutoConfig' and 'WLAN AutoConfig' services.
On a domain-joined Windows machine, you can push 802.1X settings via Group Policy, which makes deployment manageable. For non-domain devices, you may need to manually configure the client or use a third-party supplicant.
Common issues include the supplicant not trusting the RADIUS server's certificate (especially if it is self-signed), incorrect EAP method selection, or a mismatch in the server name. Another practical consideration is the fallback mechanism. If the RADIUS server is unreachable, the authenticator can be configured to either deny all access (the most secure option) or allow access (which creates a security gap).
Most organizations configure the authenticator to deny access if the server is down, but this can cause network outages if the server goes offline. To mitigate this, you should deploy redundant RADIUS servers and monitor their health. Legacy devices that cannot support 802.
1X (like some printers, cameras, or medical equipment) need to be handled via MAB or by placing them on a separate, dedicated port or VLAN that does not require authentication. This is often done by configuring a 'guest VLAN' or a 'fallback VLAN' on the switch port. Finally, you must test thoroughly in a pilot group before rolling out to the entire organization.
Start with a few users and devices, monitor the logs, and resolve any authentication failures. Only then should you expand the deployment. After full deployment, ongoing tasks include certificate renewal, monitoring RADIUS logs for unusual activity, and updating policies as the organization changes.
Memory Tip
Think of 802.1X as the three S.A.R.: Supplicant asks, Authenticator relays, Server decides.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →SY0-701CompTIA Security+ →220-1102CompTIA A+ Core 2 →XK0-006CompTIA Linux+ →CS0-003CompTIA CySA+ →SC-900SC-900 →SOA-C02SOA-C02 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Is 802.1X only for wireless networks?
No. 802.1X was originally designed for wired Ethernet networks. It is also widely used for wireless networks, especially in enterprise environments as part of WPA2-Enterprise and WPA3-Enterprise.
What is the difference between a captive portal and 802.1X?
A captive portal is a web page that appears when you first connect to a Wi-Fi network, requiring you to log in or accept terms before accessing the internet. It works at Layer 7 (application layer) and does not authenticate the device itself. 802.1X works at Layer 2 (data link layer) and authenticates the device before any network traffic is allowed.
Can I use 802.1X on a home network?
Technically yes, but it is rarely used in home environments because it requires a RADIUS server and managed network equipment, which is more complex and expensive than the simple WPA2-PSK typically used at home.
What is a supplicant?
A supplicant is the software on the client device that handles the 802.1X authentication process. It responds to requests from the authenticator and provides credentials. Most operating systems have a built-in supplicant, such as the Wired AutoConfig service in Windows.
What happens if the RADIUS server goes down?
If the RADIUS server is unreachable, the authenticator (switch or access point) will follow its configured fallback policy. The most secure option is to deny all new authentication attempts, effectively blocking all new devices from connecting. A less secure option is to allow access, which creates a security gap.
Is 802.1X vulnerable to man-in-the-middle attacks?
Properly configured 802.1X with EAP-TLS is resistant to man-in-the-middle attacks because both the client and server present certificates that are validated. However, if EAP-PEAP or EAP-TTLS is used and the client does not validate the server certificate, it can be vulnerable to a rogue RADIUS server or a fake access point.