"802.1X" gets used loosely to mean "the thing that makes you log in to the network." That is roughly right, but the precise version is more useful. IEEE 802.1X is a specific standard with a specific job: it is port-based network access control. It decides whether a device gets to use a switch port or a wireless SSID at all, before that device is allowed to send normal traffic. This post explains the standard - the roles it defines, the protocol it uses, and where its responsibilities stop.
For the cluster overview, see the 802.1X and NAC complete guide.
What the standard actually is
IEEE 802.1X is an IEEE standard (current revision 802.1X-2020, widely deployed as 802.1X-2010) titled "Port-Based Network Access Control." The phrase is exact and worth unpacking:
- Port-based - the unit of control is a port. On a switch that is a physical Ethernet port; on wireless it is the logical association between a client and an access point.
- Access control - the standard decides whether a device may use that port for general traffic, full stop. It is an allow/deny gate, not a filter.
The core idea: a port starts closed. Before authentication, the only traffic the port will pass is the authentication exchange itself. Everything else is dropped. Authenticate successfully and the port opens for normal traffic. Fail, and it stays closed. This is fundamentally different from a firewall or an ACL, which let traffic flow and then filter it. 802.1X decides whether traffic flows at all.
The three roles
802.1X defines exactly three roles: the supplicant (the device holding the credentials), the authenticator (the switch or access point that enforces the port state), and the authentication server (typically a RADIUS server) that makes the decision. Every 802.1X deployment is a conversation between them.
The split that surprises people: the authenticator does not decide anything. The switch is a relay and an enforcer. It carries messages between the supplicant and the server, and it opens or closes the port based on the server's verdict - but it never evaluates a credential itself. The decision lives entirely on the authentication server.
EAPOL: the protocol between supplicant and authenticator
802.1X carries its authentication using EAP, the Extensible Authentication Protocol. Between the supplicant and the authenticator, EAP is transported in a frame format called EAPOL - EAP over LAN. EAPOL is the part 802.1X actually standardizes for the wire.
EAPOL frames have their own EtherType and are the only thing a closed port will pass. Key messages include EAPOL-Start (the supplicant announcing it wants to authenticate), EAP-Request/Identity and EAP-Response/Identity (EAP packets carried inside EAPOL EAP-Packet frames), and EAPOL-Logoff (the supplicant signalling it is done, which returns the port to the closed state).
From the authenticator onward to the authentication server, the EAP messages are repackaged inside RADIUS. So the full path is supplicant to authenticator over EAPOL, then authenticator to server over RADIUS, with the same EAP conversation riding inside both. The authenticator is the translation point between the two transports.
The flow, at a high level
A typical successful authentication runs like this:
- The port comes up closed. The supplicant sends EAPOL-Start, or the authenticator sends EAP-Request/Identity to prompt it.
- The supplicant returns its identity. The authenticator wraps it in RADIUS and forwards it to the server.
- The server and supplicant run an EAP method exchange - the authenticator just relays each message.
- The server sends RADIUS Access-Accept or Access-Reject.
- On Accept, the authenticator opens the port. On Reject, it stays closed.
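The flow above, as an added Python example that is not part of the original post: it builds constructed EAPOL frames, parses the EAPOL and EAP headers, and models the authenticator as a port gate that drops everything except EAPOL until the server's verdict arrives. The server is a stand-in callable (the EAP method exchange is collapsed into one verdict on a constructed identity), and the source MAC and identity values are made up.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                         # EAPOL EtherType from IEEE 802.1X
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # destination MAC used for EAPOL
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1           # EAP code 2 = Response, type 1 = Identity

def eth_frame(payload: bytes, ethertype: int = ETHERTYPE_EAPOL) -> bytes:
    # Constructed Ethernet frame: dst MAC, made-up src MAC, EtherType, payload
    return PAE_GROUP_ADDR + bytes.fromhex("001122334455") + struct.pack("!H", ethertype) + payload

def eap_response_identity(identity: bytes, ident: int = 1) -> bytes:
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return eth_frame(struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap)  # EAPOL v2 header

def parse_eapol(frame: bytes) -> dict:
    """14-byte Ethernet header, then EAPOL header (version, type, length), then EAP."""
    if frame[12:14] != struct.pack("!H", ETHERTYPE_EAPOL):
        return {"eapol": False}
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    info = {"eapol": True, "version": version, "type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        code, ident, eap_len, eap_type = struct.unpack("!BBHB", frame[18:23])
        info.update(code=code, id=ident, eap_type=eap_type, data=frame[23:18 + eap_len])
    return info

def demo_server(eap_type: int, data: bytes) -> str:
    # Stand-in for the RADIUS server: a real one runs the EAP method (EAP-TLS, PEAP...) here
    return "Access-Accept" if data == b"alice@example.com" else "Access-Reject"

class Authenticator:
    """The switch port: relays EAP toward the server and enforces its verdict, never evaluating credentials."""
    def __init__(self, server):
        self.server = server       # the RADIUS leg, abstracted to a callable
        self.authorized = False    # the port starts closed

    def receive(self, frame: bytes) -> str:
        info = parse_eapol(frame)
        if not info["eapol"]:      # ordinary traffic passes only once the port is open
            return "forwarded" if self.authorized else "dropped"
        if info["type"] == EAPOL_START:
            return "EAP-Request/Identity sent"
        if info["type"] == EAPOL_LOGOFF:
            self.authorized = False
            return "port closed"
        if info["type"] == EAPOL_EAP_PACKET and info["code"] == EAP_RESPONSE:
            verdict = self.server(info["eap_type"], info["data"])   # relay; do not inspect
            self.authorized = verdict == "Access-Accept"
            return "port open" if self.authorized else "port closed"
        return "ignored"
```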
EAP methods: what the standard leaves open
802.1X says "use EAP" but does not mandate which EAP method. The method is the actual credential-checking mechanism, and it is chosen between the supplicant and the server. Common ones include EAP-TLS (mutual certificate authentication, the strongest), PEAP and EAP-TTLS (a server certificate plus an inner username/password), and EAP-FAST. The "Extensible" in EAP is the point - the method is pluggable, which is why 802.1X has stayed relevant as authentication technology evolved.
Where 802.1X stops
It is worth being clear about the boundaries. 802.1X is authentication and access control. It is not encryption of user data - on wired Ethernet the traffic after the port opens is in the clear unless you add MACsec. It does not decide what an authenticated device may reach; that is the job of VLAN assignment, downloadable ACLs, and the broader NAC policy a server like ISE applies. And it does not cover devices that cannot run a supplicant - printers, cameras, badge readers - which need fallbacks like MAC Authentication Bypass. 802.1X is the gate. The rest of network access control is built around it.
Common points of confusion
Key takeaways
IEEE 802.1X is the standard for port-based network access control: a port starts closed, passes only the authentication exchange, and opens for normal traffic only on success. It defines three roles - the supplicant holding credentials, the authenticator (a switch or access point) enforcing the port state, and the authentication server (RADIUS) making the actual decision. The authenticator never evaluates credentials itself; it relays EAP messages, carried in EAPOL between supplicant and authenticator and in RADIUS onward to the server. The EAP method is deliberately left open. And 802.1X is access control only - encryption, authorization policy, and non-supplicant devices are handled by other mechanisms layered around it.
For the 802.1X cluster, see the 802.1X pillar.