
IEEE 802.1X Authentication: The Standard Explained


"802.1X" gets used loosely to mean "the thing that makes you log in to the network." That is roughly right, but the precise version is more useful. IEEE 802.1X is a specific standard with a specific job: it is port-based network access control. It decides whether a device gets to use a switch port or a wireless SSID at all, before that device is allowed to send normal traffic. This post explains the standard - the roles it defines, the protocol it uses, and where its responsibilities stop.

For the cluster overview, see the 802.1X and NAC complete guide.

What the standard actually is

IEEE 802.1X is an IEEE standard (current revision IEEE 802.1X-2020, which superseded the 2010, 2004 and original 2001 revisions) titled "Port-Based Network Access Control." The phrase is exact and worth unpacking:

  • Port-based - the unit of control is a port. On a switch that is a physical Ethernet port; on wireless it is the logical association between a client and an access point.
  • Access control - the standard decides whether a device may use that port for general traffic, full stop. It is an allow/deny gate, not a filter.

The core idea: a port starts closed. Before authentication, the only traffic the port will pass is the authentication exchange itself. Everything else is dropped. Authenticate successfully and the port opens for normal traffic. Fail, and it stays closed. The standard models this as two logical ports sharing one physical port: an uncontrolled port that always passes EAPOL frames, and a controlled port for everything else that is held closed until authentication succeeds. This is fundamentally different from a firewall or an ACL, which let traffic flow and then filter it. 802.1X decides whether traffic flows at all.

The three roles

802.1X defines exactly three roles. Every 802.1X deployment is a conversation between them.

  • Supplicant - the device that wants onto the network (laptop, phone, printer). It holds the credentials and presents them to be checked.
  • Authenticator - the switch or wireless access point. It controls the port and relays the exchange; it does not decide the outcome.
  • Authentication server - a RADIUS server (Cisco ISE, FreeRADIUS, NPS). It checks the credentials and makes the actual allow/deny decision.

The split that surprises people: the authenticator does not decide anything. The switch is a relay and an enforcer. It carries messages between the supplicant and the server, and it opens or closes the port based on the server's verdict - but it never evaluates a credential itself. The decision lives entirely on the authentication server.

EAPOL: the protocol between supplicant and authenticator

802.1X carries its authentication using EAP, the Extensible Authentication Protocol. Between the supplicant and the authenticator, EAP is transported in a frame format called EAPOL - EAP over LAN. EAPOL is the part 802.1X actually standardizes for the wire.

EAPOL frames carry their own EtherType (0x888E) and are the only thing a closed port will pass. The EAPOL packet types include EAPOL-Start (the supplicant announcing it wants to authenticate), EAPOL-Logoff (the supplicant asking for the port to be closed again), EAPOL-Key (used on wireless to carry the WPA2/WPA3 four-way handshake) and EAP-Packet, which is the type that carries an actual EAP message such as EAP-Request/Identity or EAP-Response/Identity. One caveat: EAPOL-Start and EAPOL-Logoff are bare control frames that are not themselves authenticated, so on a plain wired port the authenticator acts on them on the strength of the source MAC address alone.

From the authenticator onward to the authentication server, the EAP messages are repackaged inside RADIUS: each EAP packet travels in one or more EAP-Message attributes of a RADIUS Access-Request, and the server answers with Access-Challenge (another EAP round to relay) or a final Access-Accept or Access-Reject. RFC 3579 requires these packets to carry a Message-Authenticator attribute, an HMAC-MD5 keyed with the RADIUS shared secret, which is what gives the authenticator-to-server leg integrity protection. So the full path is supplicant to authenticator over EAPOL, then authenticator to server over RADIUS, with the same EAP conversation riding inside both. The authenticator is the translation point between the two transports.
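As an added example (not code from the original post or from Ping Labz), the following Python builds and decodes EAPOL frames and then does what the authenticator does with the EAP payload on the RADIUS side: wraps it in EAP-Message attributes and signs the packet with a Message-Authenticator. The MAC address, identity and shared secret are constructed for the demo; the EtherType, packet types and attribute numbers are from IEEE 802.1X, RFC 2865 and RFC 3579.

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E                              # the only EtherType a closed port passes
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")        # 802.1X PAE group MAC used as EAPOL destination
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def build_eapol(src_mac: bytes, ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """Ethernet header + EAPOL header (Version, Packet Type, Body Length) + body."""
    return PAE_GROUP_ADDR + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body


def build_eap_identity_response(ident: int, identity: str) -> bytes:
    """EAP Code=Response, Identifier, Length, Type=Identity, Type-Data (RFC 3748)."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def parse_eap(data: bytes) -> dict:
    """Parse one EAP packet; only Request/Response carry a Type byte."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP Length inconsistent with payload")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type")
        pkt["type"], pkt["type_data"] = data[4], data[5:length]
        if data[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = pkt["type_data"].decode("utf-8", "replace")
    return pkt


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame; anything with another EtherType is refused, as the closed port would."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than Body Length")
    out = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def radius_access_request(eap: bytes, username: str, secret: bytes, ident: int, req_auth: bytes = b"") -> bytes:
    """Wrap an EAP packet the way an authenticator does (RFC 3579): EAP-Message attributes
    split at 253 octets, then a Message-Authenticator = HMAC-MD5(secret, whole packet with
    the Message-Authenticator value zeroed)."""
    req_auth = req_auth or os.urandom(16)             # Request Authenticator: 16 random octets
    attrs = _attr(ATTR_USER_NAME, username.encode())
    for i in range(0, len(eap), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed placeholder, last attribute
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def radius_attributes(pkt: bytes):
    """Yield (type, value, offset) for each attribute after the 20-octet RADIUS header."""
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield atype, pkt[off + 2:off + alen], off
        off += alen


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator value zeroed; a missing one fails."""
    for atype, value, off in radius_attributes(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def eap_from_radius(pkt: bytes) -> bytes:
    """Reassemble the EAP packet from its EAP-Message fragments, in order."""
    return b"".join(v for t, v, _ in radius_attributes(pkt) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")                # constructed supplicant MAC
    eap = build_eap_identity_response(1, "alice@example.com")
    print(parse_eapol(build_eapol(src, 1)))            # EAPOL-Start
    print(parse_eapol(build_eapol(src, 0, eap)))       # EAP-Packet carrying EAP-Response/Identity
    req = radius_access_request(eap, "alice@example.com", b"s3cret", 7)
    print(len(req), verify_message_authenticator(req, b"s3cret"))
```

The split at 253 octets matters in practice: an EAP-TLS handshake carries certificates, so a single EAP packet routinely spans several EAP-Message attributes, and a server must concatenate them in order before parsing.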

The flow, at a high level

A typical successful authentication runs like this:

  • The port comes up closed. The supplicant sends EAPOL-Start, or the authenticator sends EAP-Request/Identity to prompt it.
  • The supplicant returns EAP-Response/Identity. The authenticator wraps it in a RADIUS Access-Request and forwards it to the server.
  • The server and supplicant run the EAP method exchange. Each server-side step comes back as a RADIUS Access-Challenge carrying the next EAP-Request; the authenticator unwraps it into EAPOL for the supplicant and wraps the supplicant's EAP-Response into a fresh Access-Request. The authenticator just relays each message.
  • The server sends RADIUS Access-Accept (carrying EAP-Success) or Access-Reject (carrying EAP-Failure).
  • On Accept, the authenticator opens the port and passes EAP-Success to the supplicant. On Reject, it passes EAP-Failure and the port stays closed.
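The exchange above, with the three roles kept as separate objects so the division of labour is visible in code. This is an added example, not material from the original post. It uses EAP-MD5 (RFC 3748 Type 4) as the stand-in EAP method because it fits in a few lines, not because it is recommended: it has no mutual authentication and produces no keying material, which is why the post lists EAP-TLS and PEAP instead. Users, passwords and messages are constructed for the demo, EAP packets are dicts rather than wire bytes, and the RADIUS State attribute is modelled as an opaque token the authenticator echoes back.

```python
import hashlib
import hmac
import os

ETHERTYPE_EAPOL = 0x888E
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4      # EAP Codes (RFC 3748)
EAP_IDENTITY, EAP_MD5 = 1, 4                                          # EAP Types (RFC 3748)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RADIUS Codes


class Supplicant:
    """Holds the credential and answers EAP-Requests; never sees or touches the port state."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def handle(self, eap: dict):
        if eap["code"] != EAP_REQUEST:            # EAP-Success/Failure ends the conversation
            return None
        if eap["type"] == EAP_IDENTITY:
            return {"code": EAP_RESPONSE, "id": eap["id"], "type": EAP_IDENTITY, "data": self.identity}
        if eap["type"] == EAP_MD5:                # EAP-MD5: MD5(Identifier || password || challenge)
            digest = hashlib.md5(bytes([eap["id"]]) + self.password.encode() + eap["data"]).digest()
            return {"code": EAP_RESPONSE, "id": eap["id"], "type": EAP_MD5, "data": digest}
        raise ValueError(f"supplicant does not speak EAP type {eap['type']}")


class AuthenticationServer:
    """The only role that holds credentials and the only role that decides."""
    def __init__(self, users: dict):
        self.users = users                        # identity -> password (constructed demo data)
        self.sessions = {}                        # State -> (identity, expected EAP id, challenge)

    def access_request(self, eap: dict, state: bytes = None):
        """Return (RADIUS code, EAP packet for the authenticator to relay, State to echo back)."""
        if eap["code"] != EAP_RESPONSE:
            return ACCESS_REJECT, {"code": EAP_FAILURE, "id": eap["id"]}, None
        if eap["type"] == EAP_IDENTITY:
            state, challenge, next_id = os.urandom(8), os.urandom(16), (eap["id"] + 1) % 256
            self.sessions[state] = (eap["data"], next_id, challenge)
            return ACCESS_CHALLENGE, {"code": EAP_REQUEST, "id": next_id, "type": EAP_MD5, "data": challenge}, state
        identity, next_id, challenge = self.sessions.pop(state, (None, None, None))
        if identity in self.users and eap["type"] == EAP_MD5 and eap["id"] == next_id:
            expected = hashlib.md5(bytes([next_id]) + self.users[identity].encode() + challenge).digest()
            if hmac.compare_digest(expected, eap["data"]):
                return ACCESS_ACCEPT, {"code": EAP_SUCCESS, "id": next_id}, None
        return ACCESS_REJECT, {"code": EAP_FAILURE, "id": eap["id"]}, None


class Authenticator:
    """The switch port: owns the port state and relays EAP. There are no credentials in here."""
    def __init__(self, server: AuthenticationServer):
        self.server, self.authorized, self.state = server, False, None

    def admits(self, ethertype: int) -> bool:
        """Uncontrolled port always passes EAPOL; controlled port passes the rest only once authorized."""
        return ethertype == ETHERTYPE_EAPOL or self.authorized

    def eapol_start(self) -> dict:
        """Answer EAPOL-Start (or a fresh link-up) with EAP-Request/Identity."""
        return {"code": EAP_REQUEST, "id": 0, "type": EAP_IDENTITY, "data": ""}

    def eapol_logoff(self) -> None:
        self.authorized, self.state = False, None

    def eapol_eap(self, eap: dict) -> dict:
        """Wrap the EAP-Response in an Access-Request, enforce the verdict, relay the EAP reply."""
        code, reply, self.state = self.server.access_request(eap, self.state)
        if code == ACCESS_ACCEPT:
            self.authorized = True
        elif code == ACCESS_REJECT:
            self.authorized = False
        return reply


def run_session(supplicant: Supplicant, authenticator: Authenticator, max_rounds: int = 8) -> bool:
    """Drive one full exchange and return the resulting port state."""
    eap = authenticator.eapol_start()
    for _ in range(max_rounds):
        response = supplicant.handle(eap)
        if response is None:                      # Success or Failure delivered; nothing more to send
            break
        eap = authenticator.eapol_eap(response)
    return authenticator.authorized


if __name__ == "__main__":
    server = AuthenticationServer({"alice@example.com": "correct horse"})   # constructed user database
    port = Authenticator(server)
    print("IPv4 before auth admitted:", port.admits(0x0800))
    print("alice, right password:", run_session(Supplicant("alice@example.com", "correct horse"), port))
    print("IPv4 after auth admitted:", port.admits(0x0800))
    print("alice, wrong password:", run_session(Supplicant("alice@example.com", "nope"), Authenticator(server)))
```

Two things to notice when reading it: the Authenticator class never references a user or a password, and the Supplicant never references the port state, which is exactly the split the three-role model requires. The State token is the server's way of tying the second Access-Request to the challenge it issued, which is what the RADIUS State attribute does in real deployments.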

EAP methods: what the standard leaves open

802.1X says "use EAP" but does not mandate which EAP method. The method is the actual credential-checking mechanism, and it is negotiated between the supplicant and the server; the authenticator relays the method exchange without understanding it. Common ones include EAP-TLS (mutual certificate authentication, the strongest), PEAP and EAP-TTLS (a server certificate plus an inner username/password), and EAP-FAST. The "Extensible" in EAP is the point - the method is pluggable, which is why 802.1X has stayed relevant as authentication technology evolved. One caveat that follows from the design: with PEAP and EAP-TTLS the inner password is only as safe as the supplicant's validation of the server certificate, so a supplicant configured to skip that check will hand its credentials to any rogue access point that presents a certificate. The validation setting matters as much as the method choice.

Where 802.1X stops

It is worth being clear about the boundaries. 802.1X is authentication and access control. It is not encryption of user data - on wired Ethernet the traffic after the port opens is in the clear unless you add MACsec. It does not decide what an authenticated device may reach; that is the job of VLAN assignment, downloadable ACLs, and the broader NAC policy a server like ISE applies. And it does not cover devices that cannot run a supplicant - printers, cameras, badge readers - which need fallbacks like MAC Authentication Bypass, with the caveat that a MAC address is an identifier rather than a credential and is trivially cloned. 802.1X is the gate. The rest of network access control is built around it.

Common points of confusion

Does the switch check the password?
No. The switch relays; the RADIUS server decides.
Is 802.1X wired or wireless?
Both. The same standard, the same roles. The authenticator is a switch or an access point.
Does 802.1X encrypt my traffic?
No. It controls access. Encryption is MACsec (wired) or WPA2/WPA3 (wireless). On wireless the keying material produced by the EAP method seeds the WPA2/WPA3 four-way handshake, so 802.1X feeds the encryption without performing it.
What about a printer with no supplicant?
Out of scope for pure 802.1X. Use MAC Authentication Bypass as a fallback.
Is EAPOL the same as RADIUS?
No. EAPOL is supplicant-to-authenticator; RADIUS is authenticator-to-server. EAP rides inside both.

Key takeaways

IEEE 802.1X is the standard for port-based network access control: a port starts closed, passes only the authentication exchange, and opens for normal traffic only on success. It defines three roles - the supplicant holding credentials, the authenticator (a switch or access point) enforcing the port state, and the authentication server (RADIUS) making the actual decision. The authenticator never evaluates credentials itself; it relays EAP messages, carried in EAPOL between supplicant and authenticator and in RADIUS onward to the server. The EAP method is deliberately left open. And 802.1X is access control only - encryption, authorization policy, and non-supplicant devices are handled by other mechanisms layered around it.
