Enable IEEE 802.1X Authentication on Windows 11 (Manual + Group Policy)

How to enable IEEE 802.1X on Windows 11 wired adapters: start the Wired AutoConfig service, configure the Authentication tab, then push the same settings via Group Policy.

Windows 11 ships with the supplicant software needed to authenticate to an 802.1X-enabled wired network, but none of it works out of the box. The Wired AutoConfig service is stopped by default. Even when you start it, every adapter still needs the Authentication tab enabled per-interface, and the EAP method has to match what your RADIUS server expects. This post walks through both paths to get there: the manual click-through for a lab machine, and the Group Policy version for a fleet.

For the 802.1X protocol fundamentals, see the 802.1X complete guide.

The two pieces Windows needs

Enabling IEEE 802.1X authentication on Windows 11 always comes down to the same two things:

  1. The Wired AutoConfig service (dot3svc) must be running. This is the supplicant. Without it, the network adapter has no 802.1X stack to draw from.
  2. The adapter's Authentication tab must be enabled and configured. The tab is hidden until dot3svc is running, which is one of the more confusing parts of the experience.

Get both right and the adapter will start sending EAP-Response/Identity frames the moment the link comes up.

Manual setup: one machine, one adapter

Use this for your lab box or a single user troubleshooting a broken adapter.

Step 1: Start the Wired AutoConfig service

Open an elevated PowerShell:

Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc
Get-Service -Name dot3svc

The last command should report Status as Running. If it does not start, check the System event log for service-control errors. The most common cause is a Group Policy explicitly disabling it.

Step 2: Enable the Authentication tab on the adapter

Open Control Panel > Network and Sharing Center > Change adapter settings. Right-click the Ethernet adapter, choose Properties. You will now see an Authentication tab between General and Sharing. If the tab is still missing, close the dialog and reopen it; the tab is only injected after dot3svc starts.

On the Authentication tab:

  • Check Enable IEEE 802.1X authentication
  • Set Choose a network authentication method to match your environment. For most enterprise deployments this is Microsoft: Protected EAP (PEAP) or Microsoft: Smart Card or other certificate (EAP-TLS).
  • Decide whether to check Remember my credentials for this connection and whether to Fallback to unauthorized network access. In a strict-enforcement environment, leave fallback unchecked.

Step 3: Configure the EAP method

Click the Settings... button next to the EAP method. The dialog that opens depends on which method you chose.

| EAP method | What you configure |
| --- | --- |
| PEAP (with MS-CHAPv2) | Trusted root CA (your internal CA that signed the RADIUS server cert), server-name validation pattern, inner method (EAP-MSCHAPv2), and whether to automatically use the Windows logon name and password. |
| EAP-TLS | Same trusted-root and server-name settings, plus which user/computer certificate to present (Smart Card vs Certificate Store). |
| EAP-MSCHAPv2 directly | Just the credential auto-use checkbox. No transport encryption inside EAP. Only acceptable if the outer transport (PEAP/TTLS) provides the encryption. |

Step 4: Set Additional Settings for authentication mode

Back on the Authentication tab, click Additional Settings.... Set Specify authentication mode to:

  • User authentication if you want only user creds (no machine pre-login auth)
  • Computer authentication if you want the machine to auth before any user logs in (useful for GPO push, Windows Update over wired)
  • User or computer authentication for the typical "machine first, user when they log in" pattern. This is what most enterprise deployments use.

Step 5: Verify

Disconnect and reconnect the cable. On the switch side, run show authentication sessions interface Gi1/0/X. You should see Status: Authorized and Method: dot1x. On the Windows side, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Wired-AutoConfig > Operational. Look for Event ID 15500 (authentication successful).

Fleet setup: Group Policy

For more than a handful of machines, Group Policy is the only sane path. The relevant policy lives in two places.

Service auto-start via GPO

Edit a GPO that applies to your computer OU. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Find Wired AutoConfig, double-click, define the policy, and set startup mode to Automatic.

Wired network policy via GPO

In the same GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies. Right-click and create a new wired network policy.

| Tab | What to set |
| --- | --- |
| General | Use Windows Wired Auto Config service. Auto-connect. |
| Security | Enable use of IEEE 802.1X. Select the EAP method (PEAP or EAP-TLS). Set Additional Settings authentication mode. Optionally cache user info, enforce 802.1X retry count. |

Once the GPO refreshes (force with gpupdate /force), every machine in scope picks up the policy. New Ethernet adapters inherit it automatically. You do not need to touch individual adapter properties on each machine.

Useful PowerShell for batch checks

To confirm dot3svc is running across a list of machines:

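# Run from Windows PowerShell 5.1: Get-Service has no -ComputerName in PowerShell 6 and later.
$machines = Get-Content C:\machines.txt
$machines | ForEach-Object {
    # $status stays $null when the machine does not answer or the service is not found
    $status = Get-Service -Name dot3svc -ComputerName $_ -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Machine = $_
        Status  = if ($status) { $status.Status } else { 'No response' }
        Mode    = $status.StartType
    }
} | Format-Table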

To dump wired profile settings on a local machine:

netsh lan show profiles
netsh lan show interfaces

The show interfaces output includes the 802.1X authentication state (Authenticated, Authenticating, Held, or Authentication Failed) which is the supplicant-side view of what the switch reports as port status.
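The profile settings can also be checked offline. The following is an added example, not code from the original post: it audits a wired profile XML file (the kind written by netsh lan export profile) for the settings covered above, that is, whether 802.1X is enabled and required, the authentication mode, and whether a trusted root CA and server-name pattern are set. The function name Test-WiredProfile is hypothetical and the embedded profile is a constructed, trimmed sample.

```powershell
# Added example: audit a wired profile exported with "netsh lan export profile".
# $sample is a constructed, trimmed profile, not output captured from a real machine.
$sample = @'
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security>
  <OneXEnforced>false</OneXEnforced>
  <OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>user</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation><ServerNames></ServerNames><TrustedRootCA></TrustedRootCA></ServerValidation>
     </EapType>
    </Eap></Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>
'@

function Test-WiredProfile {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # The profile mixes several XML namespaces, so match elements by local-name().
    $get = { param($name)
        $ProfileXml.SelectNodes("//*[local-name()='$name']") |
            ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ } }
    $eapNames = @{ '13' = 'EAP-TLS'; '25' = 'PEAP'; '26' = 'EAP-MSCHAPv2' }
    $outer    = @(& $get 'Type')[0]      # first Type element is the outer EAP method
    $authMode = @(& $get 'authMode')[0]
    $findings = @()
    if (@(& $get 'OneXEnabled')[0]  -ne 'true') { $findings += '802.1X is not enabled' }
    if (@(& $get 'OneXEnforced')[0] -ne 'true') { $findings += '802.1X is attempted but not required' }
    if ($authMode -eq 'user') { $findings += 'user-only mode: no machine authentication before logon' }
    if (-not (& $get 'TrustedRootCA')) { $findings += 'no trusted root CA selected for the RADIUS server cert' }
    if (-not (& $get 'ServerNames'))   { $findings += 'no server-name pattern set for server validation' }
    [PSCustomObject]@{
        EapMethod = $eapNames["$outer"]   # $null if the type is not in the table above
        AuthMode  = $authMode
        Findings  = $findings
    }
}

Test-WiredProfile -ProfileXml $sample | Format-List
```

To audit a real machine, export the profile to a folder first and pass the file's content with Get-Content -Raw instead of $sample.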

Common gotchas

| Symptom | Cause |
| --- | --- |
| Authentication tab missing from adapter properties | dot3svc not running. Start it, then reopen the properties dialog. |
| "The credentials provided by the server could not be validated" | Server certificate not chained to a trusted root, or server-name validation does not match the RADIUS server's cert CN/SAN. Re-check the PEAP/TLS settings dialog. |
| Authentication works after logon but fails before | Authentication mode set to User authentication only. Change to User or computer authentication so the machine can auth pre-logon. |
| Domain join works but Group Policy never applies on a new machine | No machine authentication path. Either configure Single-Sign-On under the EAP settings, or fall back to MAB on first connect. |
| Authentication succeeds but no IP is assigned | VLAN assignment from RADIUS pointed the port at a VLAN where DHCP is not available. Confirm the VLAN exists and has a relay-agent. |

Key takeaways

Enabling IEEE 802.1X authentication on Windows 11 takes two steps you have to get right: start dot3svc, then configure the adapter's Authentication tab with the EAP method your RADIUS server expects. For more than one or two machines, push both via Group Policy. The most common failure is forgetting to start the service before opening adapter properties, which hides the Authentication tab entirely and makes the feature look broken.

For the protocol-side view of what the switch does with these credentials, see the 802.1X pillar.
