Understanding RADIUS in 802.1X Authentication
RADIUS is the glue between a Catalyst switch and Cisco ISE in 802.1X. Here is how the Access-Request carries EAP, why UDP 1812/1813 matters, and where failures surface.
EAPOL carries EAP between the supplicant and switch at Layer 2. It never leaves the segment, which is why captures and debug have to happen on or at the port.
EAP is a framework, not a protocol. Compare EAP-TLS, PEAP-MSCHAPv2, EAP-FAST, and EAP-TTLS by credential type, tunnel, and where each belongs in enterprise 802.1X.
802.1X splits work across three roles: supplicant, authenticator, and authentication server. Understanding the boundaries explains both the config and the failure points.
802.1X is port-based network access control. It forces a device to authenticate before the switch forwards traffic, closing the wall-jack gap in modern enterprise networks.
MAB authenticates printers, cameras, and legacy gear that cannot run a supplicant by using their MAC as the RADIUS username. Here is the Cisco IOS XE and ISE config.
EAP-TLS replaces 802.1X passwords with mutual certificate auth. Here is the PKI prep, ISE policy, and IOS XE config you need for a production certificate-based rollout.
PEAP-MSCHAPv2 protects the credential exchange inside a TLS tunnel against an ISE server certificate. Here is the full Cisco ISE and IOS XE config for AD users.
The ISE side of 802.1X: network devices, identity sources, authentication and authorization policies, and the Policy Set that ties it all together for a Catalyst 9300.
A complete 802.1X switchport config on IOS XE 17.9: AAA, RADIUS servers, dot1x system-auth-control, interface policy-map, and the voice VLAN gotchas to avoid.
The 802.1X authentication flow, step by step, from EAPOL-Start through RADIUS Access-Accept and port authorization. Three conversations, one timeline, no magic.
Cisco ISE is more than a RADIUS server. It is the policy decision point for 802.1X, layering device type, posture, and context on top of pass/fail authentication.