Labs

Lab sec-08 - 802.1X Port-Based Authentication (Switch Side)

Lab sec-08 - 802.1X Port-Based Authentication (Switch Side)
Table of Contents

802.1X is the IEEE standard for port-based network access control. A switch port stays closed until the device on the other end authenticates - typically via RADIUS through Cisco ISE or similar. Once authenticated, the port opens with the user's VLAN and policies. This lab configures the AUTHENTICATOR side (the switch) on SW1; the supplicant (host) and authentication server (RADIUS) sides are out of scope for CML Free.

What you will learn

  • The three roles in 802.1X: supplicant, authenticator, authentication server
  • How to configure a switch port as an authenticator
  • The dot1x port-control modes: auto, force-authorized, force-unauthorized
  • What you would see in show output (with caveats for the ioll2-xe image)

What this lab does NOT cover

  • Cisco ISE or alternative RADIUS server configuration
  • Supplicant configuration (Windows native, wpa_supplicant on Linux)
  • MAB (MAC Authentication Bypass)
  • Web authentication fallback

Topology

Download the CCNA Base Topology .yaml

3 iol-xe routers + 1 alpine + 1 ioll2-xe managed switch.

Download CCNA Base Topology

The three roles

Supplicant
Who plays itEnd host (PC, phone)
What they do
Sends 802.1X credentials when challenged
Authenticator
Who plays itSwitch port (this lab)
What they do
Proxies credentials between supplicant and RADIUS
Authentication Server
Who plays it
RADIUS server (Cisco ISE typically)
What they do
Validates credentials; returns success + VLAN/policy or failure
Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.