802.1X is the IEEE standard that turns a switch port into an authentication gateway. Plug a laptop into a port, and instead of getting an IP and reaching the network, the port challenges the device for credentials first. If the credentials check out, the port opens. If they do not, the port stays closed or drops the device into a quarantine VLAN. This post walks through the end-to-end flow with real show authentication sessions output, the three players involved, and the protocol exchange that ties them together.
For the cluster overview, see the 802.1X complete guide. For ACL syntax on a parallel security plane, the Cisco ASA pillar covers the firewall-side perspective.
The three roles in 802.1X
Every 802.1X conversation involves three named actors. The names matter because every Cisco command, every debug, and every RADIUS attribute references one of them.
| Role | Who plays it | What it does |
|---|---|---|
| Supplicant | The endpoint (laptop, IP phone, printer, IoT device) | Sends its identity and credentials when the switch asks |
| Authenticator | The switch port (or wireless AP/WLC) | Sits between supplicant and authentication server. Forwards EAP messages. Enforces the port state. |
| Authentication server | RADIUS server (ISE, FreeRADIUS, NPS) | Validates credentials. Returns Access-Accept or Access-Reject. Optionally returns dynamic VLAN, ACL, or SGT. |
The switch is the only component that actually controls port forwarding. The RADIUS server makes the decision; the switch enforces it.
The end-to-end flow
From the moment a device plugs in to the moment traffic starts flowing, the sequence is:
- Link comes up. The switch port starts in the unauthorized state. In the default closed mode only EAPoL frames (EtherType 0x888E) pass; everything else is dropped. Open mode, covered below, relaxes this.
- Switch sends EAP-Request/Identity. On link-up, and again every tx-period (default 30 s) until it gets an answer, the switch asks "who are you?" in an EAPoL frame to the PAE group address 01:80:C2:00:00:03.
- Supplicant responds with EAP-Response/Identity. The endpoint sends its identity: host/<computer>.<domain> for Windows machine auth, user@domain for user auth. With tunnelled methods this outer identity may be anonymous; the real one travels inside the TLS tunnel.
- Switch wraps the EAP payload in RADIUS and sends it to the AAA server. A RADIUS Access-Request carries the identity in User-Name, the EAP packet in one or more EAP-Message attributes, and a Message-Authenticator (HMAC-MD5 over the packet, keyed with the shared secret) so the server can tell the request came from a switch that knows the key.
- EAP method negotiation. The server proposes an EAP method (PEAP, EAP-TLS, EAP-FAST); the supplicant can NAK and ask for another. The exchange is relayed through the switch as Access-Challenge/Access-Request round trips. The switch only sees the EAP envelope; with tunnelled methods the credentials sit inside TLS and it never sees them.
- Server returns RADIUS Access-Accept (or Access-Reject). On Accept the message may carry authorization attributes: VLAN assignment (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID), a dACL name in a Cisco-AV-Pair, and Session-Timeout plus Termination-Action for the re-auth timer.
- Switch moves the port to authorized state. Traffic flows. The session is now tracked in the authentication session database.
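The first four steps at the byte level, as an added example that is not part of the original post. It builds the EAPoL frame carrying EAP-Request/Identity, the supplicant's EAP-Response/Identity, and the RADIUS Access-Request the switch wraps it in (per RFC 3579: EAP-Message attributes plus a Message-Authenticator), then verifies that Message-Authenticator the way the server does. The supplicant MAC, username and shared secret are lifted from the post's sample config and show output; the switch MAC, RADIUS identifier and request authenticator are constructed for the example.

```python
"""Wire-level 802.1X identity exchange: EAPoL on the access port, EAP inside RADIUS toward the server.
Added example, not from the post. Switch MAC, RADIUS id and request authenticator are constructed."""
import hashlib
import hmac
import struct

EAPOL_PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 01:80:C2:00:00:03, the PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                                     # 802.1X-2004 framing
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header is code(1) id(1) length(2); Success/Failure carry no type byte."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    if length == 4:                       # Success / Failure
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def eapol_frame(src_mac, eapol_type, payload=b""):
    """Ethernet header + EAPoL header (version, type, body length) + body."""
    return (EAPOL_PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(payload)) + payload)


def parse_eapol(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    return frame[:6], frame[6:12], ptype, frame[18:18 + length]


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, radius_id, request_auth, username, eap_payload):
    """Switch side. Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed);
    it is mandatory whenever EAP-Message is present."""
    attrs = radius_attr(ATTR_USER_NAME, username.encode())
    attrs += radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap_payload), 253):            # attribute value is at most 253 bytes
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_payload[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed placeholder, kept last
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_access_request(secret, pkt):
    """Server side. Returns the reassembled EAP payload, or None if the HMAC is missing or wrong."""
    code, _rid, length = struct.unpack("!BBH", pkt[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(pkt):
        return None
    zeroed, received, eap, pos = bytearray(pkt), None, b"", 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None
        value = pkt[pos + 2:pos + attr_len]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = value
            zeroed[pos + 2:pos + attr_len] = bytes(16)
        elif attr_type == ATTR_EAP_MESSAGE:
            eap += value
        pos += attr_len
    if received is None:
        return None
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap if hmac.compare_digest(expected, received) else None


def identity_exchange(secret=b"STRONG_RADIUS_SECRET",
                      username="alex@pinglabz.local",
                      supplicant_mac=bytes.fromhex("005056a1b2c3")):
    """Steps 2-4 of the flow: Request/Identity, Response/Identity, RADIUS wrap, server check."""
    switch_mac = bytes.fromhex("001122334455")                      # constructed
    request = eapol_frame(switch_mac, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    _d, _s, _t, req_eap = parse_eapol(request)
    _code, ident, _type, _data = parse_eap(req_eap)                 # supplicant echoes the id
    response = eapol_frame(supplicant_mac, EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, username.encode()))
    _d, src, _t, resp_eap = parse_eapol(response)
    _code, _ident, _type, identity = parse_eap(resp_eap)            # switch copies this to User-Name
    request_auth = hashlib.md5(b"constructed-nonce").digest()       # a real NAS uses 16 random bytes
    radius = build_access_request(secret, 7, request_auth, identity.decode(), resp_eap)
    return {"request": request, "response": response, "radius": radius,
            "supplicant_src": src, "server_eap": verify_access_request(secret, radius)}
```

The point of the Message-Authenticator is the last line of `identity_exchange`: a RADIUS server that skips that check will happily process EAP from anything that can reach UDP/1812, so run `verify_access_request` with the wrong secret or a flipped byte and confirm it returns None.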
The minimum viable IOS XE config
This is enough to get one switch port talking 802.1X to a RADIUS server. Add monitor-mode and MAB later.
```
aaa new-model
!
radius server ISE-PRIMARY
address ipv4 10.10.10.50 auth-port 1812 acct-port 1813
key STRONG_RADIUS_SECRET
!
aaa group server radius ISE
server name ISE-PRIMARY
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
switchport access vlan 100
switchport mode access
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
```

Three things to notice. First, the mab line enables MAC Authentication Bypass as a fallback for devices (printers, badge readers) that cannot speak 802.1X. The switch tries dot1x first; if no EAP-Response/Identity arrives after tx-period × (max-reauth-req + 1) seconds (10 × 3 = 30 s here, with the default max-reauth-req of 2), it sends the MAC address as the identity instead. A MAC is trivially spoofed, so anything authorized by MAB should land in a restricted VLAN or behind a dACL. Second, authentication port-control auto is the line that turns enforcement on for the port (dot1x system-auth-control enables it globally, dot1x pae authenticator makes the port act as authenticator). The other options are force-authorized (always open, no auth) and force-unauthorized (always closed); auto is the only one that actually authenticates. Third, host-mode is left at its default of single-host; the show output below reports multi-auth, which is what you want on most ports, so add authentication host-mode multi-auth before deploying. On IOS XE in new-style (IBNS 2.0) mode the same settings are spelled access-session port-control auto and access-session host-mode multi-auth, with the method order driven by a policy-map; the legacy authentication commands above still work in legacy mode.
Reading the show output
The single most useful command for 802.1X troubleshooting is show authentication sessions interface Gi1/0/10 details. A successful authentication looks like this:
```
Switch# show authentication sessions interface Gi1/0/10 details
Interface: GigabitEthernet1/0/10
MAC Address: 0050.56a1.b2c3
IPv6 Address: Unknown
IPv4 Address: 10.10.100.45
User-Name: alex@pinglabz.local
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3127s
Common Session ID: 0A0A0A0100000123456789AB
Acct Session ID: 0x0000018C
Handle: 0x4D000001
Current Policy: POLICY_Gi1/0/10
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
Server Policies:
Vlan Group: Vlan: 100
ACS ACL: xACSACLx-IP-CORP_DEFAULT_ACL-5d4f3a2b
Method status list:
Method State
dot1x Authc Success
```

Two lines tell you most of what you need. Status: Authorized means the port is open. In the method list, dot1x with state Authc Success means 802.1X (not MAB) succeeded. If you see mab with Authc Success instead, the supplicant either could not speak 802.1X or was too slow, and MAB authorized the MAC; treat that as a weaker result, since a MAC address is trivially spoofed. Server Policies shows what RADIUS actually pushed: the VLAN and the dACL name (the #ACSACL# prefix ISE uses is rendered as xACSACLx on the switch). If the client has no address, those two values are the first place to look.
Host modes: who can plug in
The interface command authentication host-mode <mode> controls how many devices the port allows after a single successful auth.
| Mode | What it allows | When to use |
|---|---|---|
| single-host (default) | One MAC per port. Any second MAC triggers a violation. | Lockdown deployments. Rare in modern networks. |
| multi-host | One authenticated MAC opens the port for everyone else (no auth required for the rest). | Avoid. Defeats most of the point of 802.1X. |
| multi-domain | One device in the DATA domain plus one in the VOICE domain. Both authenticate. | Standard for desk phones with PCs plugged through them. |
| multi-auth | Every MAC authenticates independently. Each can get its own VLAN/dACL. | Most enterprise deployments. The right default if you do not have a specific reason to choose another mode. |
Common failure modes
When 802.1X breaks, it almost always breaks in one of these ways. The fix and the show command to confirm it are in the same row.
| Symptom | Likely cause | Confirm with |
|---|---|---|
| Port stays in unauthorized state forever | Supplicant has 802.1X disabled (Windows: Wired AutoConfig service stopped) and MAB is either not configured or rejects the MAC | show authentication sessions interface X details: dot1x shows Stopped and never reaches Authc Success; mab is absent or shows Authc Failed |
| Authentication Failed in logs, supplicant gets reject | Bad credentials, wrong EAP method, certificate trust failure | debug radius authentication on switch; ISE Live Logs |
| Port authorizes but device cannot reach DHCP | Wrong VLAN assigned (VLAN not defined on the switch or not carried upstream), or a dACL / pre-auth ACL blocking UDP 67/68 | show authentication sessions interface X details for the assigned VLAN and ACS ACL name; show ip access-lists for the downloaded dACL contents |
| Auth works for one device, breaks when second device plugs in via the same port | Host-mode set to single-host or multi-domain when you needed multi-auth | show running-config interface X |
| Re-authentication kills active sessions | Server returning a short Session-Timeout with Termination-Action set to terminate rather than RADIUS-Request, or periodic re-auth hitting an unreachable AAA server with no critical-auth fallback (authentication event server dead action authorize) | show authentication sessions interface X details for the timeout and remaining values; show aaa servers for server state |
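A small parser for the show output above and a triage function that maps a parsed session onto the rows of the failure table, as an added example that is not part of the original post. SAMPLE_DOT1X_OK is the post's own output; SAMPLE_MAB_FAILED is constructed to the same format (a silent printer whose MAC ISE does not know). The triage rules only encode what this command can show; the host-mode row needs the running-config and is not covered here.

```python
"""Parse `show authentication sessions interface X details` and triage the result.
Added example, not from the post. SAMPLE_MAB_FAILED is constructed."""
import re

SAMPLE_DOT1X_OK = """\
Interface: GigabitEthernet1/0/10
MAC Address: 0050.56a1.b2c3
IPv6 Address: Unknown
IPv4 Address: 10.10.100.45
User-Name: alex@pinglabz.local
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3127s
Common Session ID: 0A0A0A0100000123456789AB
Acct Session ID: 0x0000018C
Handle: 0x4D000001
Current Policy: POLICY_Gi1/0/10
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
Server Policies:
Vlan Group: Vlan: 100
ACS ACL: xACSACLx-IP-CORP_DEFAULT_ACL-5d4f3a2b
Method status list:
Method State
dot1x Authc Success
"""

SAMPLE_MAB_FAILED = """\
Interface: GigabitEthernet1/0/11
MAC Address: 0011.2233.4455
IPv4 Address: Unknown
User-Name: 001122334455
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0A0A0100000124456789AC
Method status list:
Method State
dot1x Stopped
mab Authc Failed
"""


def parse_session(text):
    """Return {'fields': {...}, 'methods': {...}} plus derived vlan/dacl/timeout/authorized keys."""
    session = {"fields": {}, "methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Switch#"):
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:                                 # rows are "<method> <state words>"
            name, _, state = line.partition(" ")
            if name != "Method":                       # skip the column header
                session["methods"][name] = state.strip()
            continue
        key, _, value = line.partition(":")            # split on the first colon only
        session["fields"][key.strip()] = value.strip()
    fields = session["fields"]
    m = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    session["vlan"] = int(m.group(1)) if m else None
    session["dacl"] = fields.get("ACS ACL")
    m = re.search(r"(\d+)s \(server\), Remaining: (\d+)s", fields.get("Session timeout", ""))
    session["timeout"], session["remaining"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    session["authorized"] = fields.get("Status") == "Authorized"
    return session


def triage(session):
    """Map a parsed session onto the failure-mode rows; each finding is 'tag: explanation'."""
    methods, findings = session["methods"], []
    if session["authorized"]:
        if methods.get("dot1x") == "Authc Success":
            findings.append("ok: 802.1X authenticated")
        elif methods.get("mab") == "Authc Success":
            findings.append("mab-fallback: supplicant silent or slow; MAB authorized the MAC")
        if session["vlan"] is None:
            findings.append("no-server-vlan: port is using its static access VLAN")
        if session["dacl"]:
            findings.append(f"dacl-applied: {session['dacl']}; confirm it permits DHCP/DNS if the client has no IP")
        if session["timeout"] is not None and session["timeout"] < 900:
            findings.append(f"short-reauth: server Session-Timeout is {session['timeout']}s")
        if session["fields"].get("IPv4 Address", "Unknown") == "Unknown":
            findings.append("no-ip: authorized but no IPv4 learned; check assigned VLAN and dACL")
        return findings
    if methods.get("dot1x") == "Stopped":
        findings.append("silent-supplicant: no EAP-Response/Identity; 802.1X is off on the endpoint or it has no supplicant")
    if methods.get("dot1x") == "Authc Failed":
        findings.append("dot1x-reject: bad credentials, wrong EAP method or certificate trust; check ISE Live Logs")
    if methods.get("mab") == "Authc Failed":
        findings.append("mab-reject: MAC not in the endpoint database")
    if not findings:
        findings.append("unauthorized: no method succeeded; read the Method status list")
    return findings
```

Run it over the output of every access port (for example by piping `show authentication sessions interface X details` per interface into `parse_session`) and count the `mab-fallback` findings: that number is the size of your MAB-only population, the part of the estate that is still authorized by a spoofable MAC.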
Open vs closed mode (monitor mode)
Production rollouts almost never flip 802.1X to fully enforced on day one. The intermediate state is open mode, also called monitor mode.
```
interface GigabitEthernet1/0/10
authentication open
```

With authentication open, the port forwards traffic regardless of the authentication result (a pre-auth ACL applied to the port still limits what unauthenticated hosts can reach, if you configure one). The switch still runs the 802.1X exchange, still talks to RADIUS, still logs the result and still applies the VLAN and dACL to sessions that pass, but it never blocks a device that fails or never answers. This lets you discover every device on the network, see which ones speak 802.1X, which fall back to MAB, which fail entirely, and fix the misbehaving 5% before flipping to closed mode. Most rollouts spend 30 to 90 days in monitor mode. When you do flip, remove authentication open from every port and verify it is gone; a port that quietly stays open is the most common way a "deployed" 802.1X rollout turns out to enforce nothing. In new-style (IBNS 2.0) mode the default is open and access-session closed is the explicit enforcement command, so check which mode your switch is in before trusting the absence of the line.
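An audit of the running-config that pulls together the minimum config, the host-mode table and the open/closed distinction above, as an added example that is not part of the original post. It splits the config into interface blocks and, for every access port, reports port-control, MAB, host mode, open mode and how long a silent endpoint waits before MAB fires (tx-period × (max-reauth-req + 1), using the Cisco defaults of 30 s and 2 when the lines are absent). SAMPLE_CONFIG is constructed around the post's minimum config plus three deliberately weak ports; both the legacy authentication spellings and the new-style access-session spellings are recognised.

```python
"""Audit an IOS running-config for 802.1X enforcement posture.
Added example, not from the post. SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 switchport access vlan 100
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport mode access
 authentication port-control force-authorized
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication host-mode multi-host
 authentication open
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/13
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

DEFAULT_TX_PERIOD = 30       # dot1x timeout tx-period default (seconds)
DEFAULT_MAX_REAUTH_REQ = 2   # dot1x max-reauth-req default


def split_interfaces(config):
    """Return (global lines, {interface name: [sub-commands]}); sub-commands are the indented lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_port(lines):
    """Posture of one access port, or None for non-access ports. Findings are 'tag: explanation'."""
    if "switchport mode access" not in lines:
        return None

    def first(pattern, default=None):
        for line in lines:
            m = re.match(pattern, line)
            if m:
                return m.group(1)
        return default

    port_control = first(r"(?:authentication|access-session) port-control (\S+)")
    tx_period = int(first(r"dot1x timeout tx-period (\d+)", DEFAULT_TX_PERIOD))
    max_reauth_req = int(first(r"dot1x max-reauth-req (\d+)", DEFAULT_MAX_REAUTH_REQ))
    result = {
        "port_control": port_control,
        "mab": "mab" in lines,
        "host_mode": first(r"(?:authentication|access-session) host-mode (\S+)", "single-host"),
        "open": "authentication open" in lines,
        "mab_fallback_seconds": tx_period * (max_reauth_req + 1),
        "findings": [],
    }
    f = result["findings"]
    if port_control is None:
        f.append("no-auth: no port-control line, port is always open")
    elif port_control == "force-authorized":
        f.append("bypass: force-authorized, port is open with no authentication")
    elif port_control == "force-unauthorized":
        f.append("dead-port: force-unauthorized, nothing can ever authenticate")
    if result["open"]:
        f.append("monitor-mode: authentication open, failures are logged but not enforced")
    if result["host_mode"] == "multi-host":
        f.append("multi-host: one successful auth opens the port for every other MAC")
    if port_control == "auto" and not result["mab"]:
        f.append("no-mab: devices without a supplicant will never authorize on this port")
    if port_control == "auto" and "dot1x pae authenticator" not in lines:
        f.append("no-pae: dot1x pae authenticator missing, the port will not run 802.1X")
    return result


def audit_config(config):
    """Global prerequisites plus a per-port posture dict for every access port."""
    global_lines, interfaces = split_interfaces(config)
    report = {"global": [], "ports": {}}
    for required in ("aaa new-model", "dot1x system-auth-control"):
        if required not in global_lines:
            report["global"].append(f"missing: {required}")
    if not any(l.startswith("aaa authentication dot1x ") for l in global_lines):
        report["global"].append("missing: aaa authentication dot1x method list")
    for name, lines in interfaces.items():
        port = audit_port(lines)
        if port is not None:
            report["ports"][name] = port
    return report
```

Feed it `show running-config` from each switch before you flip to closed mode; the `bypass`, `no-auth` and `monitor-mode` findings are the ports that will silently carry on admitting anything after the "go live" date, and `mab_fallback_seconds` tells you how long a printer sits dark before MAB rescues it.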
Key takeaways
802.1X is conceptually simple. A switch port asks for credentials, forwards them to RADIUS, and enforces RADIUS's verdict. The complexity is in the configurations that surround the simple core: which host mode, what fallback for non-supplicant devices, what VLAN assignments, what dACLs, and how to stage the rollout without bricking your network. The minimum viable config above gets you talking to ISE. Everything beyond that is policy.
For the full cluster, see the 802.1X pillar.