802.1X is the IEEE standard for port-based network access control. A switch port stays closed until the device on the other end authenticates, typically against a RADIUS server such as Cisco ISE. Once the device has authenticated, the port opens with the user's VLAN and policies applied. This lab configures the AUTHENTICATOR side (the switch) on SW1; the supplicant (host) and authentication server (RADIUS) sides are out of scope for CML Free.
What you will learn
- The three roles in 802.1X: supplicant, authenticator, authentication server
- How to configure a switch port as an authenticator
- The dot1x port-control modes: auto, force-authorized, force-unauthorized
- What you would see in show output (with caveats for the ioll2-xe image)
What this lab does NOT cover
- Cisco ISE or alternative RADIUS server configuration
- Supplicant configuration (Windows native, wpa_supplicant on Linux)
- MAB (MAC Authentication Bypass)
- Web authentication fallback
Topology
Download the CCNA Base Topology .yaml
3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch.
The three roles
| Role | Who plays it | What they do |
|---|---|---|
| Supplicant | End host (PC, phone) | Sends 802.1X credentials when challenged |
| Authenticator | Switch port (this lab) | Proxies credentials between supplicant and RADIUS |
| Authentication Server | RADIUS server (Cisco ISE typically) | Validates credentials; returns success + VLAN/policy or failure |
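The authenticator only challenges supplicants on ports whose port-control mode is auto, so a useful check is to audit a switch configuration for access ports left in any other mode. The script below is an added example, not part of the original lab: the sample configuration and interface names are constructed, and it assumes the classic `dot1x port-control` syntax while also accepting the newer `authentication` and `access-session` forms.

```python
import re

# Constructed sample running-config (not taken from the lab); interface names are assumptions.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface Ethernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
interface Ethernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface Ethernet0/3
 switchport mode access
!
interface Ethernet1/0
 switchport mode trunk
"""

MODE_RE = re.compile(r"^(?:dot1x|authentication|access-session) port-control (\S+)$")
MEANING = {
    None: "no port-control set: defaults to force-authorized, open without authentication",
    "force-authorized": "always authorized: open without authentication",
    "force-unauthorized": "always unauthorized: blocks every client",
}

def audit_dot1x(config):
    """Return (global 802.1X enabled?, {access port: why it is not in auto mode})."""
    enabled, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line closes any interface stanza
            current = None
            if line == "dot1x system-auth-control":
                enabled = True
            elif line.startswith("interface "):
                current = ports.setdefault(line.split(None, 1)[1], {"access": False, "mode": None})
        elif current is not None and line == "switchport mode access":
            current["access"] = True
        elif current is not None and (m := MODE_RE.match(line)):
            current["mode"] = m.group(1)
    findings = {}
    for name, p in ports.items():
        if p["access"] and p["mode"] != "auto":
            findings[name] = MEANING.get(p["mode"], "unknown mode")
    return enabled, findings
```

If the first returned value is False, `dot1x system-auth-control` is missing and no port enforces 802.1X regardless of its per-port mode.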