802.1X Port Authentication is a critical network access control (NAC) standard that prevents unauthorized devices from connecting to a LAN by requiring authentication at the port level. This chapter covers the full mechanism, including the roles of supplicant, authenticator, and authentication server, the EAP protocol exchange, and configuration best practices. For the N10-009 exam, 802.1X appears in roughly 5-7% of questions, often in the context of network security and wireless security (Objective 4.2). Mastering this topic is essential for understanding how modern enterprise networks enforce access policies.
A hotel uses key cards for room access. When a guest checks in, the front desk (authentication server) creates a unique key card (credentials) for their room. The guest inserts the card into the door lock (authenticator). The lock reads the card's encrypted data and forwards it to the front desk for verification. The front desk checks if the card is valid, not expired, and authorized for that room. If approved, the lock disengages (port authorized) and the guest can enter. If the card is invalid or expired, the lock remains engaged (port unauthorized). Critically, the door lock itself does not decide access—it simply relays the request to the front desk and enforces the decision. Similarly, 802.1X uses three roles: supplicant (guest), authenticator (door lock), and authentication server (front desk). The authenticator blocks all traffic until the authentication server validates the supplicant's credentials. This prevents unauthorized devices from accessing the network, just as a key card prevents unauthorized entry to a hotel room.
What is 802.1X and Why It Exists
802.1X is an IEEE standard (IEEE 802.1X-2020) for port-based network access control (PNAC). It provides a framework for authenticating devices before granting them access to a network at the data link layer (Layer 2). The primary purpose is to ensure that only authorized devices can connect to a switch port or wireless access point, thereby preventing rogue devices from gaining network access.
Before 802.1X, network access was typically granted based on physical connectivity—if you plugged into a wall jack, you were on the network. This created significant security vulnerabilities. 802.1X solves this by requiring authentication at the port level, using the Extensible Authentication Protocol (EAP) over LAN (EAPoL) for wired networks or EAP over Wireless (EAPoW) for Wi-Fi.
How 802.1X Works Internally
802.1X involves three main components:
- Supplicant: The client device seeking network access. It runs 802.1X client software (e.g., built into Windows, macOS, Linux, or third-party).
- Authenticator: The network device that enforces access control, typically a switch or wireless access point (AP). It acts as a proxy between the supplicant and the authentication server.
- Authentication Server: Usually a RADIUS server (e.g., Cisco ISE, FreeRADIUS, Microsoft NPS) that validates the supplicant's credentials and authorizes access.
The authentication process is a multi-step exchange carried in EAPoL frames (for wired) or EAPoW (for wireless). The authenticator initially places the port in an "unauthorized" state, blocking all traffic except EAPoL frames. The supplicant then initiates authentication by sending an EAPoL-Start frame. The authenticator responds with an EAP-Request Identity, to which the supplicant replies with an EAP-Response Identity containing its identity (e.g., username). The authenticator encapsulates this into a RADIUS Access-Request packet and sends it to the authentication server. The server then challenges the supplicant via the authenticator, using a specific EAP method (e.g., EAP-TLS, PEAP, EAP-FAST). The supplicant and server exchange multiple EAP messages (each encapsulated in RADIUS) until the server either accepts or rejects. If accepted, the server sends a RADIUS Access-Accept, and the authenticator transitions the port to an "authorized" state, allowing normal traffic. If rejected, the port remains unauthorized.
Key Components, Values, Defaults, and Timers
- EAPoL EtherType: 0x888E (used for all EAPoL frames).
- EAPoL frame types:
  - EAPoL-Start (code 0x01) – sent by supplicant to initiate.
  - EAPoL-Logoff (code 0x02) – sent by supplicant to terminate session.
  - EAPoL-Key (code 0x03) – used for key management (e.g., in wireless).
  - EAPoL-Encapsulated-ASF-Alert (code 0x04) – for alerts.
- RADIUS ports: authentication uses UDP 1812 (or 1645 legacy), accounting uses UDP 1813 (or 1646 legacy).
- Default timers on Cisco switches:
  - dot1x timeout tx-period – default 30 seconds (time between retransmissions of EAP-Request Identity if no response).
  - dot1x timeout supp-timeout – default 30 seconds (time to wait for supplicant response to an EAP request).
  - dot1x timeout server-timeout – default 30 seconds (time to wait for RADIUS server response).
  - dot1x max-reauth-req – default 2 (max number of reauthentication attempts).
- Reauthentication: Enabled by default on many switches, with a default period of 3600 seconds (1 hour).
- Port states:
  - Unauthorized: Port blocks all traffic except EAPoL frames.
  - Authorized: Port allows normal traffic.
  - Force-authorized: Port always allows traffic (disables 802.1X).
  - Force-unauthorized: Port always blocks traffic (ignores authentication).
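The values above (EtherType 0x888E, the EAPoL packet types, the PAE group MAC) are exactly what an authenticator checks when it decides which frames may pass an unauthorized port. The parser below is an added example, not code from the study guide or any vendor; the MAC addresses and the identity string are constructed sample values. It decodes the Ethernet, EAPoL and EAP headers, rejects anything that is not EAPoL, and refuses length fields that overrun the buffer.

```python
"""Parser for 802.1X EAPoL frames. Added example, not code from the study guide or any
vendor; the MAC addresses and identity below are constructed sample values."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01:80:C2:00:00:03

# EAPoL packet type byte (follows the EAPoL version byte)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff",
               3: "EAPoL-Key", 4: "EAPoL-Encapsulated-ASF-Alert"}
# EAP header codes and the EAP types most relevant to the identity exchange
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_eapol(frame):
    """Decode Ethernet + EAPoL (+ EAP) headers; raise ValueError for anything that is not EAPoL."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet + EAPoL header")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPoL: EtherType 0x{ethertype:04x}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field overruns the frame")
    info = {"dst": mac_str(dst), "src": mac_str(src), "to_pae_group": dst == PAE_GROUP_MAC,
            "eapol_version": version, "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:  # EAP-Packet: Code(1) Identifier(1) Length(2) [Type(1) Data]
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length field overruns the EAPoL body")
        info.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident)
        if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a Type byte
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
            if body[4] == 1:  # Identity: the data is the identity string
                info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

def is_eapol(frame):
    """Port-level gate: True only for well-formed EAPoL; this is all an unauthorized port lets through."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False

def build_eapol(dst, src, ptype, body=b"", version=2):
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, ptype, len(body)) + body

def build_eap(code, ident, eap_type=None, data=b""):
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

# Constructed sample frames (not captured traffic)
SUPPLICANT_MAC = bytes.fromhex("001122334455")
SWITCH_MAC = bytes.fromhex("aabbccddeeff")
START_FRAME = build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 1)                     # EAPoL-Start
REQ_IDENTITY = build_eapol(SUPPLICANT_MAC, SWITCH_MAC, 0, build_eap(1, 1, 1))   # EAP-Request Identity
RESP_IDENTITY = build_eapol(SWITCH_MAC, SUPPLICANT_MAC, 0,
                            build_eap(2, 1, 1, b"alice@example.com"))           # EAP-Response Identity
IPV4_FRAME = SWITCH_MAC + SUPPLICANT_MAC + b"\x08\x00" + b"\x45" + bytes(19)    # ordinary data frame

if __name__ == "__main__":
    for f in (START_FRAME, REQ_IDENTITY, RESP_IDENTITY):
        print(parse_eapol(f))
    print("IPv4 frame is EAPoL:", is_eapol(IPV4_FRAME))
```

Note that the EAPoL-Start is addressed to the PAE group MAC, while the identity request and response are unicast between switch port and supplicant; the IPv4 frame is what the unauthorized port drops.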
Configuration and Verification Commands (Cisco IOS)
To enable 802.1X on a switch port:
  interface GigabitEthernet0/1
   switchport mode access
   authentication port-control auto   ! Enables 802.1X (auto = authenticate)
   dot1x pae authenticator            ! Sets port as authenticator
   dot1x timeout tx-period 10         ! Optional: reduce retransmit timeout
Global RADIUS server configuration:
  radius server RAD-SERVER
   address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
   key MySecretKey
Enable AAA authentication for 802.1X:
  aaa new-model
  aaa authentication dot1x default group radius
  dot1x system-auth-control          ! Required globally; without it no port runs 802.1X
Verification commands:
  show dot1x all                                  ! Summary of all 802.1X interfaces
  show dot1x interface gigabitethernet0/1 detail  ! Detailed status
  show authentication sessions                    ! Active authenticated sessions
  show radius server statistics                   ! RADIUS server stats
Interaction with Related Technologies
MAB (MAC Authentication Bypass): Used as a fallback for devices that do not support 802.1X (e.g., printers, IP phones). The switch sends the device's MAC address as the username/password to the RADIUS server.
Guest VLAN: A VLAN assigned to unauthenticated devices that provides limited access (e.g., internet only).
Critical VLAN: A VLAN assigned when the RADIUS server is unreachable, ensuring devices still get network access.
Dynamic VLAN Assignment: The RADIUS server can return a VLAN ID in the Access-Accept, dynamically placing the port into a specific VLAN.
802.1X and Wireless: In WPA2-Enterprise and WPA3-Enterprise, 802.1X is used for authentication. The authenticator is the AP/controller, and the supplicant is the wireless client. EAP is encapsulated in EAPoW (over 802.11).
802.1X and VoIP: IP phones often have a built-in switch that passes through 802.1X traffic from a PC connected to the phone. The phone itself may authenticate using its own credentials.
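Dynamic VLAN assignment rides on three RFC 2868 tunnel attributes in the Access-Accept: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE 802, and Tunnel-Private-Group-ID (81) carrying the VLAN ID as a string. The block below is an added example, not code from the study guide or any RADIUS implementation: it builds such an Access-Accept on the wire, and on the authenticator side verifies the RADIUS Response Authenticator with the shared secret before extracting the VLAN, so a forged or tampered reply cannot move a port into a VLAN. The shared secret and the Request Authenticator are constructed demo values.

```python
"""Wire-level RADIUS Access-Accept carrying a dynamic VLAN. Added example, not from the
study guide or any RADIUS implementation. The shared secret and Request Authenticator
below are constructed demo values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def avp(atype, value):
    """One attribute: Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value

def tagged(tag, value):
    """RFC 2868 tagged value: a tag byte (0x01-0x1F) groups the three tunnel attributes."""
    return bytes([tag]) + value

def parse_avps(data):
    """Split an attribute list; reject lengths that overrun or underrun the buffer."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_access_accept(ident, request_auth, secret, vlan, tag=1):
    """Server side: Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>,
    sealed with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join([
        avp(TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))),
        avp(TUNNEL_MEDIUM_TYPE, tagged(tag, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))),
        avp(TUNNEL_PRIVATE_GROUP_ID, tagged(tag, str(vlan).encode())),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """Authenticator side: recompute the Response Authenticator before trusting the verdict."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def vlan_from_accept(packet, request_auth, secret):
    """VLAN ID to apply, or None if the reply is unverified, not an Accept, or carries no valid VLAN."""
    if not verify_response(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {attribute type: untagged value}
    for atype, value in parse_avps(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag, val = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = val
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")):
            vid = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return None

SECRET = b"MySecretKey"            # same key as the sample switch config (demo value)
REQUEST_AUTH = bytes(range(16))    # constructed stand-in for the random Request Authenticator
ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, vlan=10)
TAMPERED = ACCEPT[:-1] + bytes([ACCEPT[-1] ^ 0x01])   # flips "10" to "11" without resealing

if __name__ == "__main__":
    print("genuine :", vlan_from_accept(ACCEPT, REQUEST_AUTH, SECRET))
    print("tampered:", vlan_from_accept(TAMPERED, REQUEST_AUTH, SECRET))
```

The Response Authenticator is the integrity check RADIUS itself defines; it is only as strong as the shared secret, which is why the secret and the switch-to-server path deserve the same care as the credentials.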
Supplicant initiates authentication
When a device connects to an 802.1X-enabled port, the supplicant (client software) sends an EAPoL-Start frame to the authenticator (switch/AP). This frame has EtherType 0x888E and destination MAC address 01:80:C2:00:00:03 (the PAE group address). The authenticator receives this and knows a new device wants to authenticate. If the supplicant does not send EAPoL-Start (e.g., because it is not 802.1X-aware), the authenticator may proactively send an EAP-Request Identity after a timer (tx-period, default 30 seconds).
Authenticator requests identity
The authenticator sends an EAP-Request Identity packet to the supplicant. This is an EAPoL frame with a type of EAP (code 0x00) and a subtype of Request Identity (type 1). The authenticator encapsulates this in an Ethernet frame with source MAC of the switch port and destination MAC of the supplicant. The supplicant must respond within the supp-timeout (default 30 seconds) or the authenticator will retransmit the request up to max-reauth-req times.
Supplicant sends identity response
The supplicant replies with an EAP-Response Identity containing its identity (e.g., username or anonymous string). This is an EAPoL frame with code 0x01 (Response) and type 1 (Identity). The authenticator receives this and creates a RADIUS Access-Request packet. It sets the User-Name attribute (RADIUS attribute 1) to the identity from the EAP response. It also includes the NAS-IP-Address (attribute 4) and NAS-Port (attribute 5). The authenticator sends this to the RADIUS server over UDP port 1812.
Authentication server challenges supplicant
The RADIUS server receives the Access-Request and determines the EAP method to use (e.g., EAP-TLS, PEAP). It sends back a RADIUS Access-Challenge packet containing an EAP-Request (e.g., a TLS certificate request). The authenticator forwards this EAP-Request to the supplicant in an EAPoL frame. The supplicant processes the challenge and responds with an EAP-Response (e.g., its certificate). This exchange may repeat multiple times, with each round trip encapsulated in RADIUS Access-Challenge and Access-Request. The authenticator simply relays these messages; it does not inspect the EAP content.
Server accepts or rejects and port state changes
After the final EAP exchange, the RADIUS server sends either a RADIUS Access-Accept (if authentication succeeds) or Access-Reject (if it fails). An Access-Accept may include attributes like VLAN assignment (Tunnel-Private-Group-ID, attribute 81) or ACL name. The authenticator updates the port state: if Accept, the port transitions to authorized and begins forwarding normal traffic; if Reject, the port remains unauthorized and may be placed in a guest VLAN or blocked entirely. The authenticator also sends an EAP-Success or EAP-Failure to the supplicant to inform it of the result.
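The five steps above, plus the MAB fallback described under related technologies, as a simulated exchange. This is an added example, not code from the study guide or any vendor: Python dicts stand in for EAPoL frames and RADIUS packets, and a small HMAC challenge over a server nonce stands in for a real EAP method such as EAP-TLS or PEAP. The user directory, MAC addresses, VLAN numbers and NAS address are constructed. The point to watch is the Authenticator class: it never sees a secret, relays each EAP round trip unchanged, and only flips the port state when the server's Access-Accept arrives.

```python
"""Simulated 802.1X exchange: supplicant, authenticator (switch port), RADIUS server.
Added example, not from the study guide or any vendor; dicts stand in for EAPoL and RADIUS
messages, an HMAC challenge stands in for a real EAP method, all identities are constructed."""
import hmac
import os

class AuthServer:
    """RADIUS server: the only party that holds credentials and makes the decision."""
    def __init__(self, users, mab_macs, vlan_by_identity):
        self.users, self.mab_macs, self.vlans = users, mab_macs, vlan_by_identity
        self.pending = {}  # NAS-Port -> (identity, nonce) for in-flight challenges

    def access_request(self, req):
        if req.get("mab"):  # MAB: User-Name and User-Password are both the MAC address
            mac = req["User-Name"]
            if mac in self.mab_macs and req["User-Password"] == mac:
                return {"code": "Access-Accept", "Tunnel-Private-Group-ID": self.vlans.get(mac)}
            return {"code": "Access-Reject"}
        eap = req["EAP-Message"]
        if eap["type"] == "Identity":  # step 4: choose a method and challenge the supplicant
            nonce = os.urandom(16)
            self.pending[req["NAS-Port"]] = (eap["identity"], nonce)
            return {"code": "Access-Challenge",
                    "EAP-Message": {"code": "Request", "type": "Challenge", "nonce": nonce}}
        identity, nonce = self.pending.pop(req["NAS-Port"], (None, None))
        secret = self.users.get(identity)
        expected = hmac.new(secret, nonce, "sha256").digest() if secret else b""
        if secret and hmac.compare_digest(expected, eap["proof"]):  # step 5: verdict (+ VLAN)
            return {"code": "Access-Accept", "EAP-Message": {"code": "Success"},
                    "Tunnel-Private-Group-ID": self.vlans.get(identity)}
        return {"code": "Access-Reject", "EAP-Message": {"code": "Failure"}}

class Supplicant:
    """Client: answers EAP requests; dot1x=False models a printer or other non-802.1X device."""
    def __init__(self, mac, identity=None, secret=None, dot1x=True):
        self.mac, self.identity, self.secret, self.dot1x = mac, identity, secret, dot1x

    def eap_response(self, request):
        if request["type"] == "Identity":  # step 3
            return {"code": "Response", "type": "Identity", "identity": self.identity}
        proof = hmac.new(self.secret, request["nonce"], "sha256").digest()  # toy EAP method
        return {"code": "Response", "type": "Challenge", "proof": proof}

class Authenticator:
    """Switch port: relays EAP without inspecting it and enforces the server's verdict."""
    EAPOL_ETHERTYPE = 0x888E

    def __init__(self, server, nas_ip="192.168.1.1", nas_port=1, mab=False):
        self.server, self.nas_ip, self.nas_port, self.mab = server, nas_ip, nas_port, mab
        self.state, self.vlan = "unauthorized", None

    def forward(self, ethertype):
        """Data-plane check: while unauthorized only EAPoL frames pass (step 1 precondition)."""
        return ethertype == self.EAPOL_ETHERTYPE or self.state == "authorized"

    def _radius(self, **attrs):
        return self.server.access_request(
            {"NAS-IP-Address": self.nas_ip, "NAS-Port": self.nas_port, **attrs})

    def _apply(self, reply):
        accepted = reply["code"] == "Access-Accept"
        self.state = "authorized" if accepted else "unauthorized"
        self.vlan = reply.get("Tunnel-Private-Group-ID") if accepted else None
        return self.state

    def connect(self, supplicant):
        self.state, self.vlan = "unauthorized", None
        if not supplicant.dot1x:  # tx-period expires with no EAP reply: MAB if enabled, else stay blocked
            if not self.mab:
                return self.state
            return self._apply(self._radius(mab=True, **{"User-Name": supplicant.mac,
                                                         "User-Password": supplicant.mac}))
        identity = supplicant.eap_response({"code": "Request", "type": "Identity"})  # step 2
        reply = self._radius(**{"User-Name": identity["identity"], "EAP-Message": identity})
        while reply["code"] == "Access-Challenge":  # relay each EAP round trip unchanged
            eap = supplicant.eap_response(reply["EAP-Message"])
            reply = self._radius(**{"User-Name": identity["identity"], "EAP-Message": eap})
        return self._apply(reply)

# Constructed directory: one password user, one MAB-allowed device MAC, per-identity VLANs
SERVER = AuthServer(users={"alice": b"correct-horse-battery"},
                    mab_macs={"00:11:22:33:44:55"},
                    vlan_by_identity={"alice": 10, "00:11:22:33:44:55": 30})

def run_cases():
    """Drive five connections through fresh ports; returns {case: (port state, VLAN)}."""
    cases = {
        "good_cred": (False, Supplicant("aa:bb:cc:00:00:01", "alice", b"correct-horse-battery")),
        "bad_cred": (False, Supplicant("aa:bb:cc:00:00:02", "alice", b"wrong-password")),
        "no_dot1x_no_mab": (False, Supplicant("00:11:22:33:44:55", dot1x=False)),
        "mab_known_mac": (True, Supplicant("00:11:22:33:44:55", dot1x=False)),
        "mab_unknown_mac": (True, Supplicant("de:ad:be:ef:00:01", dot1x=False)),
    }
    results = {}
    for name, (mab, supp) in cases.items():
        port = Authenticator(SERVER, mab=mab)
        results[name] = (port.connect(supp), port.vlan)
    return results

if __name__ == "__main__":
    for name, (state, vlan) in run_cases().items():
        print(f"{name:16} -> state={state}, vlan={vlan}")
```

The two failure cases are the ones the exam asks about: a wrong credential or an unknown MAC leaves the port exactly where it started, unauthorized with no VLAN, and nothing the supplicant sends changes that without the server's Accept.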
Enterprise Scenario 1: Wired Network Access Control
A large enterprise with 10,000 employees uses 802.1X on all access switches to enforce that only company-issued laptops can connect to the internal network. The IT department issues certificates to all laptops via Active Directory Certificate Services. When a laptop is plugged into a cubicle port, the switch (Cisco Catalyst 9300) acts as the authenticator. The laptop's built-in Windows supplicant initiates EAP-TLS authentication. The RADIUS server (Microsoft NPS) validates the laptop's certificate against the CA. If valid, the server returns a VLAN assignment (e.g., VLAN 10 for employees). If a rogue device is plugged in, it cannot authenticate, and the port remains in an unauthorized state. A common issue is misconfigured supplicant settings—if the user selects the wrong EAP method, authentication fails. The network team uses show authentication sessions to troubleshoot failed attempts. Performance is generally not an issue; each authentication takes less than a second. However, during a power outage, many devices reconnecting simultaneously can cause RADIUS server load spikes. To mitigate, the team uses a RADIUS load balancer and sets a reauthentication interval of 12 hours.
Enterprise Scenario 2: Wireless Network with 802.1X
A university campus deploys 802.1X for its Wi-Fi network (WPA2-Enterprise). Students and staff authenticate using their university credentials via PEAP-MSCHAPv2. The wireless controllers (Cisco 9800) act as authenticators, forwarding EAP messages to a Cisco ISE server. Each user is placed into a dynamic VLAN based on their role: students get a restricted VLAN with internet-only access, while faculty get full network access. A common problem is that some older devices do not support PEAP; the IT team enables a separate SSID with WPA2-PSK for legacy devices, but this is a security compromise. To improve user experience, the team implements EAP-FAST with anonymous provisioning. The wireless infrastructure must handle thousands of simultaneous authentications during peak hours. The team monitors RADIUS server performance and uses per-AP client limits to prevent overload.
Scenario 3: Device Authentication with MAB Fallback
A hospital uses 802.1X for all wired ports, but many medical devices (e.g., infusion pumps, patient monitors) do not support 802.1X. The network team configures MAB as a fallback. When a device connects, the switch first attempts 802.1X. If no EAPoL-Start is received within the tx-period, the switch sends the device's MAC address as a RADIUS Access-Request with username and password both set to the MAC. The RADIUS server checks if the MAC is in an allowed list. If yes, it returns an Access-Accept; if no, the port is blocked. This allows non-802.1X devices to be authenticated by MAC address, but it is less secure because MAC addresses can be spoofed. The team mitigates by using port security in conjunction with MAB. A common misconfiguration is forgetting to add the MAC address to the RADIUS server, causing the device to fail authentication and be placed in a guest VLAN with no access to critical systems.
Exam Focus for N10-009 Objective 4.2
The CompTIA Network+ N10-009 exam tests 802.1X under Objective 4.2 (Given a scenario, implement network security). You need to know the three components (supplicant, authenticator, authentication server) and their roles. The exam often asks about the default port states and what happens when authentication fails.
Common Wrong Answers and Why Candidates Choose Them
Wrong: "The authenticator makes the authentication decision." Candidates often assume the switch (authenticator) decides whether to allow access. In reality, the authenticator only relays messages and enforces the decision from the authentication server (RADIUS). The authenticator does not validate credentials.
Wrong: "EAPoL is used for wireless authentication." While EAP is used in wireless, the term "EAPoL" specifically refers to EAP over LAN (wired). For wireless, it's EAPoW (EAP over Wireless). The exam may test this distinction.
Wrong: "802.1X encrypts data traffic." 802.1X only handles authentication; it does not provide encryption. In wireless, encryption is provided by WPA2/WPA3, not 802.1X itself.
Wrong: "The default port state is authorized." The default state for an 802.1X-configured port is unauthorized (blocking all non-EAPoL traffic). Candidates may confuse this with the default administrative state of a switch port (which is usually up/up).
Specific Numbers and Terms to Memorize
- EAPoL EtherType: 0x888E
- RADIUS ports: authentication UDP 1812, accounting UDP 1813 (or 1645/1646)
- Default tx-period: 30 seconds
- Default reauthentication interval: 3600 seconds (1 hour)
- PAE group MAC: 01:80:C2:00:00:03
- Three roles: supplicant, authenticator, authentication server
- Port states: unauthorized, authorized, force-authorized, force-unauthorized
Edge Cases and Exceptions
What if the RADIUS server is unreachable? The authenticator can be configured with a critical VLAN or a critical port state (e.g., allow access). The exam may test that the authenticator can apply a fallback policy.
What if the supplicant does not support 802.1X? MAB can be used as a fallback. The switch uses the MAC address as credentials.
What if multiple devices connect through a hub? 802.1X typically works on a per-port basis. If a hub is connected, only one device can authenticate (the first one). The exam may ask about this limitation.
How to Eliminate Wrong Answers
Focus on the roles: the authentication server does the actual authentication, the supplicant provides credentials, and the authenticator enforces. If an answer says the switch (authenticator) validates credentials, it's wrong. Also, remember that 802.1X is Layer 2; it does not involve IP addresses or routing. Any answer mentioning IP configuration as part of 802.1X is likely incorrect.
- 802.1X involves three roles: supplicant (client), authenticator (switch/AP), and authentication server (RADIUS).
- EAPoL EtherType is 0x888E; RADIUS uses UDP ports 1812 (auth) and 1813 (acct).
- Default port state is unauthorized (blocking all traffic except EAPoL).
- Default reauthentication interval is 3600 seconds (1 hour).
- The authenticator does not authenticate; it relays EAP messages and enforces the server's decision.
- MAB is a fallback that uses the device MAC address as credentials for non-802.1X devices.
- Dynamic VLAN assignment via RADIUS allows placing users into different VLANs based on authentication results.
- On the exam, remember that 802.1X is Layer 2 and does not provide encryption.
These come up on the exam all the time. Here's how to tell them apart.
802.1X
- Uses EAP for authentication; supports multiple methods (TLS, PEAP, etc.)
- Provides stronger security via certificates or credentials
- Requires supplicant software on client devices
- Can assign dynamic VLANs based on user/device identity
- More complex to configure and manage
MAC Authentication Bypass (MAB)
- Uses MAC address as credentials; no EAP involved
- Weak security because MAC addresses can be spoofed
- Works with any device (no special client software needed)
- Typically uses static VLAN assignment based on MAC
- Simple to implement; good fallback for legacy devices
Port-based (wired) 802.1X
- Authenticator is a switch; uses EAPoL frames
- Port state controls full Layer 2 access
- No encryption provided by 802.1X itself
- Supplicant typically built into OS (e.g., Windows)
- Can use MAB as fallback for non-802.1X devices
Wireless 802.1X (WPA2/WPA3-Enterprise)
- Authenticator is an AP/controller; uses EAPoW frames
- Authentication is part of the 4-way handshake; encryption keys are derived
- WPA2/WPA3 provides encryption after authentication
- Supplicant is the wireless client (e.g., laptop Wi-Fi adapter)
- No MAB; alternative is WPA2-PSK for legacy devices
Mistake: 802.1X provides encryption for network traffic.
Correct: 802.1X only handles authentication (verifying identity). Encryption is a separate function, provided by protocols like WPA2/WPA3 (wireless) or IPsec (VPN). 802.1X can be used to derive encryption keys (e.g., in WPA2-Enterprise), but the standard itself does not encrypt data.
Mistake: The authenticator (switch/AP) decides whether to grant access.
Correct: The authenticator only relays EAP messages and enforces the decision from the authentication server. The actual validation of credentials occurs on the RADIUS server. The authenticator does not have the intelligence to authenticate users.
Mistake: EAPoL is used for both wired and wireless networks.
Correct: EAPoL (EAP over LAN) is specifically for wired Ethernet (IEEE 802.3). For wireless, the equivalent is EAPoW (EAP over Wireless, defined in IEEE 802.11). While both use EAP frames, the encapsulation differs. The exam may test this distinction.
Mistake: 802.1X is only for user authentication, not device authentication.
Correct: 802.1X can authenticate both users and devices. For example, machine certificates can be used to authenticate a computer before a user logs in. Device authentication is common in enterprise environments using EAP-TLS with machine certificates.
Mistake: If 802.1X fails, the port remains open by default.
Correct: The default behavior is to keep the port in an unauthorized state (blocked) if authentication fails. However, administrators can configure fallback options like a guest VLAN or critical VLAN to provide limited access.
EAP (Extensible Authentication Protocol) is an authentication framework that defines the message formats. EAPoL (EAP over LAN) is the encapsulation of EAP frames in Ethernet frames for wired networks. EAP is the protocol; EAPoL is the transport over wired LAN. For wireless, you have EAPoW. The exam may ask about EAPoL EtherType (0x888E).
Technically, yes, but it's not recommended. 802.1X operates per port. If a hub is connected, multiple devices share the same port, and only one device can authenticate (the first one to respond). This can cause security issues. Switches are preferred because each port is isolated.
If the RADIUS server is unreachable, the authenticator can be configured with a fallback policy, such as a critical VLAN that provides limited access. Alternatively, the port can be set to a critical state that allows access until the server is reachable again. The exam may test that the default behavior is to deny access (port remains unauthorized).
Common EAP methods include EAP-TLS (certificate-based), PEAP (Protected EAP, often with MSCHAPv2), EAP-FAST (Cisco), and EAP-TTLS. EAP-TLS is considered most secure but requires a PKI. PEAP is widely used in Windows environments. The exam may ask which method uses certificates (EAP-TLS).
The RADIUS server can return a VLAN ID in the Access-Accept packet (Tunnel-Private-Group-ID attribute). The authenticator then places the port into that VLAN. This allows dynamic VLAN assignment based on user or device identity. The exam may ask about this feature as a way to segment traffic.
The PAE (Port Access Entity) group MAC address is 01:80:C2:00:00:03. It is a multicast address used for EAPoL frames sent to all 802.1X-capable devices on the LAN segment. The authenticator and supplicant use this address for initial discovery. The exam may test this specific MAC.
'force-authorized' disables 802.1X on the port and always allows traffic (like a normal port). 'auto' enables 802.1X and requires authentication. 'force-unauthorized' always blocks traffic. The exam may ask which state is used for a port that should not authenticate (force-authorized).