Configure Cisco (802.1X) dot1x port Based Authentication for Wired LAN Network

Introduction to 802.1X (dot1x)

This post describes how to configure IEEE 802.1X port‐based authentication on Cisco Switch to prevent unauthorized devices (clients) from gaining access to the network. The IEEE 802.1X standard defines a client‐server‐based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN With 802.1X port‐based authentication, the devices in the network have specific roles.

Fig. dot1x Model







Supplicant – This is often software on a client device such as a PC.

Authenticator – This is often a medium between the client device asking for access
permission and an authentication server. In most cases, this is either a switch or a
wireless access point.

Authentication server -This is a RADIUS database.

Configuring 802.1X (dot1x) Authentication

The section describes how to configure 802.1X port‐based authentication on your

802.1X Configuration Guidelines

• When the 802.1X protocol is enabled, ports are authenticated before any
other Layer 2 feature is enabled.

• The 802.1X protocol is supported on Layer 2 static‐access ports, but it is not
supported on these port types:
1. Trunk port
2. Dynamic ports
3. Dynamic‐access ports
4. EtherChannel port
5. Secure port
6. Switch Port Analyzer (SPAN) destination port

I covered  802.1X configuration for Wired networks below and for  Voice, Wireless Networks and
Non‐Compatible devices in next posts.

Configure Radius Server authentication on Cisco Switch:

!­­­ Enables AAA.
Cisco-switch(config)#aaa new-­model
!­­­ Method list should be default. Otherwise dot1x does not work.
Switch(config)#aaa authentication dot1x default group radius
!­­­ You need authorization & accounting
Switch(config)#aaa authorization network default group radius
Switch(config)#aaa accounting dot1x network start‐stop group radius
!­­­ Sets the IP address of the RADIUS server & key used on the RADIUS server.
Switch(config)#radius-­server host x.x.x.x auth-port 1645 acc-port 1646 key x.x.x.x

Configure 802.1X (dot1x) Port based authentication on Cisco Switch:

­­­ Enables 802.1x on Cisco Switch for PC or Laptop

Cisco‐2950(Config)#dot1x system‐auth‐control

Enable 802.1x on Cisco Switch Interface
Cisco‐2950(Config)#interface fastEthernet 0/24
Cisco‐2950(Config‐if)#switchport mode access
Cisco‐2950(Config‐if)#dot1x port‐control auto
Cisco‐2950(Config‐if)#dot1x reauthentication
Cisco‐2950(Config‐if)#spanning‐tree portfast

Enables 802.1x on Cisco Switch for PC or Laptop

Cisco‐2960(Config)#dot1x system‐auth‐control

Enable 802.1x on Cisco Switch Interface
Cisco‐2960(Config)#interface fastEthernet 0/24
Cisco‐2960(Config‐if)#switchport mode access
Cisco‐2960(Config‐if)#switchport access vlan
Cisco‐2960(Config‐if)#authentication port‐control auto
Cisco‐2960(Config‐if)#authentication periodic
Cisco‐2960(Config‐if)#dot1x pae both
Cisco‐2960(Config‐if)#dot1x timeout tx‐period 3
Cisco‐2960(Config‐if)#spanning‐tree portfast

Configuring 802.1X (dot1x) For Wired Network (Windows XP & Windows 7 )

After configuration done on Cisco Switch, we have enable the dot1X authentication on Windows XP or Windows 7.  In order to enable 802.1X on your Windows workstation, begin by clicking the Windows Start button.
Then, click “Run” on the menu that appears.
Type “services.msc” in the command bar that appears and press Enter.

In the services window, scroll down, and right‐cllick on “Wired AutoConfig“.
Then, select Start from the menu.

Fig. Start dot1x Services in Windows











In order to make sure that the services stay enabled, right‐click on “Wired
AutoConfig’ and select Properties from the menu.

Start Wired AutoConfig on Windows











In the “Wired AutoConfig Properties” window, choose “Automatic” for the
Section titled “Startup type.” Then, click the OK button.

Right‐click on the network icon, which can be located in the bottom right hand
corner of your desktop. Now, select Open Network Connections from the menu.

When the adapter window appears on your screen, right‐click your “Local Area
Connection” and selects Properties from the menu.

Fig.Network Connection Properties











Under the properties window, select the Authentication tab.

Make sure that the Show icon in notification area when connected box is

LAN Properties











Under the Properties window 7, select the Authentication tab.

Fig. Authentication tab











Make sure to select the Enable IEEE 802.1X authentication.

Select PEAP for the network authentication method. Click on the properties

Enable Authentication











Select both the “Enable IEEE 802.1X authentication” and the “Fallback to unauthorized network access.

“’check box – PEAP for the network authentication method (window 7)’

Authentication settings in windows 7











Under the properties window, uncheck the Validate server certificate option.

Validate Server Certifacate











Go to Additional settings (window 7).

additional settings











Check ‘Specify authentication mode’ and select ‘User or computer authentication’, Click OK in this window and the former, and ‘Close’ in thelast, you have now finished configuration.

802.1x settings











After it at the Local Area Connection a Pop-up will generate click on it, this should appear on all O/S, XP an WIN 7.

Network Notification





Logon credentials (windows 7)

Network Authentication











dot1x Login Credentials











Logon credentials (windows xp)

Enter your username and password. Click OK
This might take some time the first time. If it does not appear, try rebooting.
You should now be connected.
Username: ‐ username

Filed Under: LAN Security


About the Author:

RSSComments (6)

Leave a Reply | Trackback URL

  1. Luis says:

    Thanks for sharing! nice post on dot1x port based authentication.

    above complete steps are very useful and easy to understand.

  2. Dana says:

    Your blog post can be awesome. This phenomenal weblog might be terrific. I certainly aspire more consumers study it and find that which you are explaining, given that i will demonstrate, very important data.

  3. Ranjith says:

    Thanks for an additional great post. Carry on the best operate.

  4. Lmao says:

    cheers pal, nicely covered on dot1x authentication for wired LAN network in Cisco Switch.

  5. sofiane says:

    thanks so much brother your post gave me the solution after 3 days of searching
    and the command i forget is (dot1x pea both) on the 2960 switch

  6. girardoo says:

    Interesting thanks
    If i have a l2 switch connected to another switch connected to an asa firewall should i proceed to a modification on asa or just on switch where the computer has supposed to be connected?

Leave a Reply

If you want a picture to show with your comment, go get a Gravatar.