Windows 11 ships with the supplicant software needed to authenticate to an 802.1X-enabled wired network, but none of it works out of the box. The Wired AutoConfig service is stopped by default. Even when you start it, every adapter still needs the Authentication tab enabled per-interface, and the EAP method has to match what your RADIUS server expects. This post walks through both paths to get there: the manual click-through for a lab machine, and the Group Policy version for a fleet.
For the 802.1X protocol fundamentals, see the 802.1X complete guide.
The two pieces Windows needs
Enabling IEEE 802.1X authentication on Windows 11 always comes down to the same two things:
- The Wired AutoConfig service (dot3svc) must be running. This is the supplicant. Without it, the network adapter has no 802.1X stack to draw from.
- The adapter's Authentication tab must be enabled and configured. The tab is hidden until dot3svc is running, which is one of the more confusing parts of the experience.
Get both right and the adapter will start sending EAP-Response/Identity frames the moment the link comes up.
Manual setup: one machine, one adapter
Use this for your lab box or a single user troubleshooting a broken adapter.
Step 1: Start the Wired AutoConfig service
Open an elevated PowerShell:
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc
Get-Service -Name dot3svcThe last command should report Status as Running. If it does not start, check the System event log for service-control errors. The most common cause is a Group Policy explicitly disabling it.
Step 2: Enable the Authentication tab on the adapter
Open Control Panel > Network and Sharing Center > Change adapter settings. Right-click the Ethernet adapter, choose Properties. You will now see an Authentication tab between General and Sharing. If the tab is still missing, close the dialog and reopen it; the tab is only injected after dot3svc starts.
On the Authentication tab:
- Check Enable IEEE 802.1X authentication
- Set Choose a network authentication method to match your environment. For most enterprise deployments this is Microsoft: Protected EAP (PEAP) or Microsoft: Smart Card or other certificate (EAP-TLS).
- Decide whether to check Remember my credentials for this connection and whether to Fallback to unauthorized network access. In a strict-enforcement environment, leave fallback unchecked.
Step 3: Configure the EAP method
Click the Settings... button next to the EAP method. The dialog that opens depends on which method you chose.
Step 4: Set Additional Settings for authentication mode
Back on the Authentication tab, click Additional Settings.... Set Specify authentication mode to:
- User authentication if you want only user creds (no machine pre-login auth)
- Computer authentication if you want the machine to auth before any user logs in (useful for GPO push, Windows Update over wired)
- User or computer authentication for the typical "machine first, user when they log in" pattern. This is what most enterprise deployments use.
Step 5: Verify
Disconnect and reconnect the cable. On the switch side, run show authentication sessions interface Gi1/0/X. You should see Status: Authorized and Method: dot1x. On the Windows side, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Wired-AutoConfig > Operational. Look for Event ID 15500 (authentication successful).
Fleet setup: Group Policy
For more than a handful of machines, Group Policy is the only sane path. The relevant policy lives in two places.
Service auto-start via GPO
Edit a GPO that applies to your computer OU. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Find Wired AutoConfig, double-click, define the policy, and set startup mode to Automatic.
Wired network policy via GPO
Same GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies. Right-click and create a new wired network policy.
Once the GPO refreshes (force with gpupdate /force), every machine in scope picks up the policy. New Ethernet adapters inherit it automatically. You do not need to touch individual adapter properties on each machine.
Useful PowerShell for batch checks
To confirm dot3svc is running across a list of machines:
$machines = Get-Content C:\machines.txt
$machines | ForEach-Object {
$status = Get-Service -Name dot3svc -ComputerName $_ -ErrorAction SilentlyContinue
[PSCustomObject]@{
Machine = $_
Status = $status.Status
Mode = $status.StartType
}
} | Format-TableTo dump wired profile settings on a local machine:
netsh lan show profiles
netsh lan show interfacesThe show interfaces output includes the 802.1X authentication state (Authenticated, Authenticating, Held, or Authentication Failed) which is the supplicant-side view of what the switch reports as port status.
Common gotchas
Key takeaways
Enabling IEEE 802.1X authentication on Windows 11 takes two steps you have to get right: start dot3svc, then configure the adapter's Authentication tab with the EAP method your RADIUS server expects. For more than one or two machines, push both via Group Policy. The most common failure is forgetting to start the service before opening adapter properties, which hides the Authentication tab entirely and makes the feature look broken.
For the protocol-side view of what the switch does with these credentials, see the 802.1X pillar.