802.1X is the IEEE standard for port-based network access control. A switch port stays closed until the device on the other end authenticates - typically via RADIUS through Cisco ISE or similar. Once authenticated, the port opens with the user's VLAN and policies. This lab configures the AUTHENTICATOR side (the switch) on SW1; the supplicant (host) and authentication server (RADIUS) sides are out of scope for CML Free.
What you will learn
- The three roles in 802.1X: supplicant, authenticator, authentication server
- How to configure a switch port as an authenticator
- The dot1x port-control modes: auto, force-authorized, force-unauthorized
- What you would see in show output (with caveats for the ioll2-xe image)
What this lab does NOT cover
- Cisco ISE or alternative RADIUS server configuration
- Supplicant configuration (Windows native, wpa_supplicant on Linux)
- MAB (MAC Authentication Bypass)
- Web authentication fallback
Topology
Download the CCNA Base Topology .yaml
3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch.
The three roles
| Role | Who plays it | What they do |
| --- | --- | --- |
| Supplicant | End host (PC, phone) | Sends 802.1X credentials when challenged |
| Authenticator | Switch port (this lab) | Proxies credentials between supplicant and RADIUS |
| Authentication Server | RADIUS server (Cisco ISE typically) | Validates credentials; returns success + VLAN/policy or failure |
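To make the authenticator's "proxy" role concrete, the following added example (not part of the lab or of any Cisco code) parses the EAPOL frame a supplicant sends and builds the RADIUS attributes a switch would relay to the authentication server. The function names and the sample frame with identity "alice" are constructed for illustration.

```python
import struct

EAPOL_EAP_PACKET = 0                       # EAPOL type 0 carries an EAP message
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1     # EAP code / type values (RFC 3748)
RADIUS_USER_NAME, RADIUS_EAP_MESSAGE = 1, 79   # attribute types (RFC 2865, RFC 3579)

def parse_eapol(frame: bytes) -> bytes:
    """Return the EAP packet inside an EAPOL PDU (bytes after the Ethernet header)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL type {ptype} carries no EAP packet")
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body shorter than its declared length")
    return frame[4:4 + length]

def parse_identity(eap: bytes) -> bytes:
    """Return the identity from an EAP-Response/Identity, validating lengths."""
    if len(eap) < 5:
        raise ValueError("truncated EAP header")
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if not 5 <= length <= len(eap):
        raise ValueError("EAP length field disagrees with the packet")
    return eap[5:length]

def radius_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value

def relay_attributes(frame: bytes) -> bytes:
    """Build the User-Name and EAP-Message attributes the authenticator relays."""
    eap = parse_eapol(frame)
    attrs = radius_attr(RADIUS_USER_NAME, parse_identity(eap))
    for i in range(0, len(eap), 253):      # long EAP packets span several attributes
        attrs += radius_attr(RADIUS_EAP_MESSAGE, eap[i:i + 253])
    return attrs                           # a real Access-Request also needs Message-Authenticator

# Constructed sample: EAPOL v1 EAP-Packet carrying EAP-Response/Identity "alice"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
SAMPLE_FRAME = struct.pack("!BBH", 1, 0, len(SAMPLE_EAP)) + SAMPLE_EAP

if __name__ == "__main__":
    print(relay_attributes(SAMPLE_FRAME).hex())
```

The switch never validates the credentials itself: it only re-wraps the supplicant's EAP packet, and the RADIUS server's answer decides whether the port opens.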