Lab sec-08 - 802.1X Port-Based Authentication (Switch Side)

802.1X is the IEEE standard for port-based network access control. A switch port stays closed until the device on the other end authenticates - typically via RADIUS through Cisco ISE or similar. Once authenticated, the port opens with the user's VLAN and policies. This lab configures the AUTHENTICATOR side (the switch) on SW1; the supplicant (host) and authentication server (RADIUS) sides are out of scope for CML Free.

What you will learn

  • The three roles in 802.1X: supplicant, authenticator, authentication server
  • How to configure a switch port as an authenticator
  • The dot1x port-control modes: auto, force-authorized, force-unauthorized
  • What you would see in show output (with caveats for the ioll2-xe image)

What this lab does NOT cover

  • Cisco ISE or alternative RADIUS server configuration
  • Supplicant configuration (Windows native, wpa_supplicant on Linux)
  • MAB (MAC Authentication Bypass)
  • Web authentication fallback

Topology

Download the CCNA Base Topology .yaml

3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch.

The three roles

| Role | Who plays it | What they do |
|---|---|---|
| Supplicant | End host (PC, phone) | Sends 802.1X credentials when challenged |
| Authenticator | Switch port (this lab) | Proxies credentials between supplicant and RADIUS |
| Authentication Server | RADIUS server (Cisco ISE typically) | Validates credentials; returns success + VLAN/policy or failure |
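
To make the authenticator role concrete, here is a minimal switch-side configuration sketch. It is an added example, not taken from the lab itself. The RADIUS server name, address, shared secret and interface name are placeholders, and it has not been checked against the ioll2-xe image.

```cisco
! Added example: LAB-RADIUS, 192.0.2.10, <shared-secret> and Ethernet0/1
! are constructed placeholders, not values from the lab.
!
! Enable the AAA framework; 802.1X on the switch depends on it.
aaa new-model
!
! Define the authentication server the switch relays credentials to.
radius server LAB-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Send 802.1X authentication to RADIUS, and accept RADIUS-returned
! authorization (for example a VLAN assignment) for network access.
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Turn 802.1X on globally. Without this, per-port settings do nothing.
dot1x system-auth-control
!
interface Ethernet0/1
 description Access port facing the supplicant
 switchport mode access
 ! auto: port stays unauthorized until the supplicant authenticates.
 authentication port-control auto
 ! Give the port the authenticator role.
 dot1x pae authenticator
!
! The other two port-control modes, for comparison:
!   authentication port-control force-authorized
!     port always open, no 802.1X exchange (the default state)
!   authentication port-control force-unauthorized
!     port always closed, every authentication attempt ignored
```

Older IOS releases spell the interface command `dot1x port-control` instead of `authentication port-control`; the three mode keywords are the same.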