802.1X – Port-Based Network Access Control

1. What Is 802.1X and Why Does It Matter?

IEEE 802.1X is a port-based network access control (PNAC) standard that enforces authentication before a device is allowed to use a switch port or a wireless association. Until the device proves its identity the port is held in the unauthorised state: it passes EAPoL frames (on Cisco switches also a few link-layer control protocols such as CDP and STP) and drops everything else. Only after the authentication server confirms the identity does the port move to the authorised state and forward normal traffic.

Without 802.1X, any device physically plugged into a switch port immediately gains network access. 802.1X closes this gap by making identity — not physical presence — the requirement for access. It is the foundation of enterprise Network Access Control (NAC) and a core component of Zero Trust network architecture.

Without 802.1X                                                  | With 802.1X
----------------------------------------------------------------|--------------------------------------------------------------------
Any device plugged in gets network access immediately           | Device must authenticate before the port is opened
No visibility into who or what is connected                     | Every connection is tied to an authenticated identity (user or device)
Rogue devices, guest laptops and unauthorised APs get full access | Unauthenticated devices are blocked or placed in a restricted guest VLAN
VLAN assignment is static, based on port configuration only     | VLAN can be assigned dynamically per user/device by the RADIUS server

Related pages: AAA Overview | AAA – Local vs RADIUS | AAA Authentication Methods | Port Security | VLANs Overview | DHCP Snooping | 802.1X Port Authentication Lab | AAA RADIUS Configuration Lab

2. The Three Roles in 802.1X

Every 802.1X deployment involves exactly three functional roles. Understanding each role and what it does is the starting point for both exam questions and real-world deployments.

Role                  | Device                                                                  | Responsibility                                                                                                                     | Protocol used
----------------------|-------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------
Supplicant            | End device: PC, laptop, IP phone, printer, wireless client              | Initiates authentication; submits credentials (certificate, username/password) to the authenticator                               | EAP over LAN (EAPoL), directly on the wire between supplicant and authenticator
Authenticator         | Network device: switch (wired 802.1X) or wireless LAN controller / AP   | Controls port access; relays EAP messages between supplicant and authentication server; enforces the authorised/unauthorised state | EAPoL toward the supplicant; RADIUS toward the authentication server
Authentication Server | RADIUS server: Cisco ISE, FreeRADIUS, Microsoft NPS, Cisco ACS (legacy) | Validates credentials; returns Access-Accept or Access-Reject; optionally assigns VLAN, ACL and other policy attributes            | RADIUS (UDP 1812 for authentication, UDP 1813 for accounting)

2.1 Role Topology Diagram

  ┌──────────────┐    EAPoL (Layer 2)    ┌──────────────────┐    RADIUS (UDP)    ┌──────────────────────┐
  │  Supplicant  │◄─────────────────────►│  Authenticator   │◄──────────────────►│ Authentication Server│
  │  (PC/laptop) │                       │  (Switch / WLC)  │                    │  (RADIUS — ISE/NPS)  │
  └──────────────┘                       └──────────────────┘                    └──────────────────────┘
       Port is UNAUTHORISED                   Controlled Port                         Validates identity
       (only EAPoL passes)                    blocks all data                         returns Accept/Reject

  ─────────────────────────────────────────────────────────────────────────────────────────────────────
  After successful authentication:
       Port moves to AUTHORISED → normal data traffic flows
       RADIUS server optionally returns: VLAN ID, ACL name, session timeout
  ─────────────────────────────────────────────────────────────────────────────────────────────────────
Key distinction: The authenticator (switch) does not validate credentials itself. It is a relay — it passes EAP messages to the RADIUS server and enforces whatever decision the RADIUS server returns. The intelligence is in the authentication server, not the switch.

3. EAPoL – EAP over LAN

EAPoL (Extensible Authentication Protocol over LAN) is the Layer 2 encapsulation used between the supplicant and the authenticator. It uses EtherType 0x888E and is addressed to the PAE group MAC address 01:80:C2:00:00:03, a bridge-filtered multicast that compliant switches never forward, so the EAPoL conversation is always between the endpoint and the directly attached switch. No IP address is needed: authentication completes before any IP configuration, which is why it works on an otherwise blocked port.

3.1 EAPoL Message Types

EAPoL / EAP message        | Direction                   | Purpose
---------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------
EAPoL-Start                | Supplicant → Authenticator  | Optional: the supplicant asks the switch to begin. The switch also sends EAP-Request/Identity on link-up without it
EAP-Request/Identity       | Authenticator → Supplicant  | Switch asks the supplicant to identify itself
EAP-Response/Identity      | Supplicant → Authenticator  | Supplicant provides its identity (a username, or an anonymous outer identity when a TLS tunnel will carry the real one)
EAP-Request (Challenge)    | Authenticator → Supplicant  | Challenge relayed from the RADIUS server (contents depend on the EAP type)
EAP-Response (Credentials) | Supplicant → Authenticator  | Supplicant's answer to the challenge (password hash, certificate, TLS handshake records)
EAP-Success                | Authenticator → Supplicant  | RADIUS returned Access-Accept; port moves to the authorised state
EAP-Failure                | Authenticator → Supplicant  | RADIUS returned Access-Reject; port remains unauthorised
EAPoL-Logoff               | Supplicant → Authenticator  | Supplicant signals it is disconnecting; port returns to the unauthorised state

EAPoL-Start and EAPoL-Logoff are EAPoL packet types of their own; the EAP-* rows are EAP packets carried inside an EAPoL EAP-Packet frame. Note that EAPoL-Logoff is not authenticated: a frame forged with another host's source MAC de-authorises that host, a classic 802.1X denial of service that only MACsec-protected ports resist.
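The framing described in this section, as an added Python example that is not part of the original page: it builds and decodes the Ethernet/EAPoL/EAP headers for the messages in the table and replays a constructed supplicant-to-switch exchange. The MAC addresses and the identity alice@corp.example are made up; the field layouts follow IEEE 802.1X and RFC 3748.

```python
import struct
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address (bridge-filtered)

# EAPoL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff"}

# EAP codes and the Identity method type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]. Success/Failure carry no Type."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def build_eapol(src_mac: bytes, packet_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """Ethernet II frame: PAE group DA, source MAC, EtherType 0x888E, EAPoL header, body.
    There is no IP header anywhere: this is why 802.1X works before the host has an address."""
    eapol_hdr = struct.pack("!BBH", version, packet_type, len(body))
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol_hdr + body


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPoL frame into its fields; raises ValueError on anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: EtherType 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if 18 + length > len(frame):
        raise ValueError("EAPoL length exceeds frame")
    body = frame[18:18 + length]
    out = {"src": frame[6:12].hex(":"), "version": version,
           "eapol_type": EAPOL_TYPE_NAMES.get(ptype, f"type-{ptype}")}
    if ptype != EAPOL_EAP_PACKET:
        return out                      # Start and Logoff carry no EAP body
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    out.update(eap_code=EAP_CODE_NAMES.get(code, f"code-{code}"), eap_id=identifier)
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
        out["eap_type"] = body[4]
        if body[4] == EAP_TYPE_IDENTITY:
            out["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return out


def describe(frame: bytes) -> str:
    """One-line summary in the naming used by the message-type table."""
    f = parse_eapol(frame)
    if f["eapol_type"] != "EAP-Packet":
        return f["eapol_type"]
    s = f"EAP-{f['eap_code']}"
    if f.get("eap_type") == EAP_TYPE_IDENTITY:
        s += "/Identity" + (f" ({f['identity']})" if f.get("identity") else "")
    return s


# Constructed sample exchange (hypothetical MACs and identity, not captured traffic)
SUPPLICANT = bytes.fromhex("aabbccddeeff")
SWITCH = bytes.fromhex("001122334455")
SAMPLE_EXCHANGE = [
    build_eapol(SUPPLICANT, EAPOL_START),
    build_eapol(SWITCH, EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
    build_eapol(SUPPLICANT, EAPOL_EAP_PACKET,
                build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@corp.example")),
    build_eapol(SWITCH, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 9)),
    build_eapol(SUPPLICANT, EAPOL_LOGOFF),
]

if __name__ == "__main__":
    for frame in SAMPLE_EXCHANGE:
        print(f"{parse_eapol(frame)['src']}  {describe(frame)}")
```

The Identity response is the only part of the exchange a sniffer on the wire can read in clear text, which is why TLS-based EAP types send an anonymous outer identity here and the real one inside the tunnel.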

4. The Full 802.1X Authentication Flow

  Supplicant (PC)          Authenticator (Switch)       Auth Server (RADIUS)
       |                           |                            |
       |── EAPoL-Start ───────────►|                            |  (optional; the switch also starts on link-up)
       |◄── EAP-Request/Identity ──|                            |
       |── EAP-Response/Identity ─►|                            |
       |                           |── RADIUS Access-Request ──►|  (identity forwarded in EAP-Message)
       |                           |◄── RADIUS Access-Challenge─|  (challenge issued)
       |◄── EAP-Request/Challenge ─|                            |
       |── EAP-Response/Creds ────►|                            |
       |                           |── RADIUS Access-Request ──►|  (creds forwarded)
       |                           |                            |
       |                           |   [RADIUS validates credentials; TLS-based EAP types
       |                           |    repeat the Challenge/Request rounds several times]
       |                           |                            |
       |                           |◄── RADIUS Access-Accept ───|  (+ VLAN, ACL attrs)
       |◄── EAP-Success ───────────|                            |
       |                           |                            |
  [Port moves to AUTHORISED state: data traffic flows]
       |                           |                            |
       |   ... session active ...  |── RADIUS Accounting-Start─►|
       |                           |                            |
       |── EAPoL-Logoff ──────────►|                            |
       |                           |── RADIUS Accounting-Stop ─►|
  [Port returns to UNAUTHORISED state]
RADIUS and EAP: The RADIUS server does not speak EAPoL; it speaks RADIUS. The authenticator strips the EAPoL framing and carries each EAP packet unchanged inside the EAP-Message attribute (79) of a RADIUS Access-Request; the server's EAP packets come back inside Access-Challenge (or the final Access-Accept/Access-Reject) and the switch re-wraps them in EAPoL. Every RADIUS packet that carries EAP-Message must also carry a Message-Authenticator attribute (80), an HMAC-MD5 keyed with the shared secret (RFC 3579); that is what stops a spoofed Access-Accept from authorising a port. The switch is therefore a transparent relay for the EAP conversation and, for TLS-based methods, never sees the credentials at all.

5. EAP Types – EAP-TLS, PEAP, and EAP-FAST

EAP (Extensible Authentication Protocol) is a framework — not a single authentication method. Different EAP types define what credentials are used and how the authentication exchange is protected. The three most important for the CCNA exam are EAP-TLS, PEAP, and EAP-FAST.

5.1 EAP-TLS (EAP – Transport Layer Security)

Attribute               | Detail
------------------------|------------------------------------------------------------------------------------------------------------------------------
Credentials used        | X.509 certificates on both sides: client and server each present a certificate (mutual authentication)
Security level          | Highest; no password is ever sent, so phishing, password spraying and offline cracking do not apply
Infrastructure required | A PKI that issues, renews and revokes a certificate for every supplicant device (in practice via auto-enrolment or MDM)
Handshake               | The TLS handshake itself is the authentication; the keying material it produces (the MSK) is exported to the authenticator for 802.11i or MACsec key derivation
Typical use case        | Managed fleets where every device already holds a certificate (domain-joined or MDM-enrolled laptops and phones)
Disadvantage            | Certificate lifecycle (enrolment, expiry, revocation checking on the RADIUS server) is operationally demanding at scale; the private key should live in a TPM or secure element so the identity cannot be copied off the device

5.2 PEAP (Protected EAP)

Attribute               | Detail
------------------------|------------------------------------------------------------------------------------------------------------------------------
Credentials used        | Server certificate only; the client authenticates inside the TLS tunnel with an inner method, usually MS-CHAPv2 (username/password)
Security level          | High only if the client validates the server certificate (trusted CA and expected server name); MS-CHAPv2 on its own is weak, so the tunnel is what protects the password
Infrastructure required | A certificate on the RADIUS server plus the issuing CA certificate pushed to clients; far less PKI overhead than EAP-TLS
Inner method            | PEAP/MS-CHAPv2 is most common (Active Directory integration); PEAP/GTC is used for token or one-time-password authentication
Typical use case        | Enterprise WLAN authentication against Active Directory; the most widely deployed EAP method in corporate Wi-Fi
Disadvantage            | Susceptible to rogue AP (evil twin) attacks if clients do not validate the server certificate: the client hands its MS-CHAPv2 response to the attacker's RADIUS server, and that response can be cracked offline to recover the password

5.3 EAP-FAST (EAP – Flexible Authentication via Secure Tunneling)

Attribute               | Detail
------------------------|------------------------------------------------------------------------------------------------------------------------------
Developed by            | Cisco, as a replacement for LEAP (and an alternative to PEAP) that can run without certificates
Credentials used        | Protected Access Credential (PAC): a per-client secret provisioned either out-of-band or in-band (automatic PAC provisioning)
Security level          | High once a PAC is in place; the PAC keys a TLS tunnel with no certificate needed, and the inner method (MS-CHAPv2 or GTC) runs inside it
Infrastructure required | No client certificates; a server certificate is optional (it enables authenticated in-band PAC provisioning); PAC management replaces certificate management
Typical use case        | Cisco environments (ISE with Cisco wireless or wired) where no PKI is available; legacy device authentication
Disadvantage            | PAC provisioning must be secured: anonymous in-band provisioning (no server certificate, no pre-shared PAC) is open to a man-in-the-middle during the initial provisioning phase

5.4 EAP Types Comparison

Feature                     | EAP-TLS                    | PEAP                                                                                   | EAP-FAST
----------------------------|----------------------------|----------------------------------------------------------------------------------------|-------------------------------------------------------
Client certificate required | Yes (mandatory)            | No                                                                                     | No
Server certificate required | Yes (mandatory)            | Yes (and the client must validate it)                                                  | Optional (PAC instead; a certificate secures in-band PAC provisioning)
Mutual authentication       | Yes, both by certificate   | Yes when the server certificate is validated (server by certificate, client by password inside the tunnel) | Yes, both sides prove knowledge of the PAC
PKI complexity              | High (full PKI)            | Medium (server certificate only)                                                       | Low (no certificates required)
Common inner method         | N/A (certificates only)    | MS-CHAPv2, GTC                                                                         | MS-CHAPv2, GTC
Security strength           | ★★★★★ Highest              | ★★★★☆ High (with certificate validation)                                               | ★★★★☆ High (with secured PAC provisioning)
Developed / sponsored by    | IETF standard (RFC 5216)   | Microsoft / Cisco / RSA                                                                | Cisco (RFC 4851)

6. 802.1X and RADIUS Integration

The RADIUS (Remote Authentication Dial-In User Service) protocol is the standard communication channel between the authenticator (switch/WLC) and the authentication server. Understanding how RADIUS carries EAP and returns policy attributes is essential for both the exam and real deployments.

6.1 RADIUS Port Numbers and Packet Types

RADIUS packet type         | Direction                    | UDP port | Purpose
---------------------------|------------------------------|----------|---------------------------------------------------------------------------------------
Access-Request             | Authenticator → RADIUS server | 1812     | Forwards the supplicant's identity and EAP message to the server
Access-Challenge           | RADIUS server → Authenticator | 1812     | Server sends a challenge back (relayed to the supplicant as an EAP-Request)
Access-Accept              | RADIUS server → Authenticator | 1812     | Authentication successful; may include VLAN, ACL and session attributes
Access-Reject              | RADIUS server → Authenticator | 1812     | Authentication failed; the switch sends EAP-Failure to the supplicant
Accounting-Request (Start) | Authenticator → RADIUS server | 1813     | Notifies the server that an authenticated session has begun
Accounting-Request (Stop)  | Authenticator → RADIUS server | 1813     | Notifies the server that the session has ended (EAPoL-Logoff or link down)

Ports 1812/1813 are the IANA assignments; some older servers and switch defaults still use 1645/1646, and both ends must agree. RADIUS itself is not encrypted: the shared secret only authenticates packets (Message-Authenticator, Response Authenticator) and obfuscates User-Password, so accounting data and any non-EAP credentials cross the network readable. Where the switch-to-server path is untrusted, use RADIUS over TLS (RadSec, TCP 2083) or an IPsec tunnel.

6.2 RADIUS Attributes Used for 802.1X Policy

When the RADIUS server sends an Access-Accept, it can include attributes that instruct the authenticator to apply specific policy to the session:

RADIUS attribute             | What it controls                                                          | Example
-----------------------------|---------------------------------------------------------------------------|----------------------------
Tunnel-Type (64)             | Must be VLAN for VLAN assignment                                          | Value: VLAN (13)
Tunnel-Medium-Type (65)      | Medium of the "tunnel"; must be IEEE-802 for VLAN assignment             | Value: IEEE-802 (6)
Tunnel-Private-Group-ID (81) | The VLAN ID or VLAN name to assign to the port                            | Value: "30" or "Engineering"
Filter-ID (11)               | Name of an ACL that must already exist on the switch, applied to the session | Value: "EMPLOYEE_ACL"
Session-Timeout (27)         | Maximum session duration in seconds before re-authentication is required  | Value: 3600 (1 hour)

These are standard IANA-assigned RADIUS attributes (RFC 2868 for the tunnel attributes, RFC 2865 for the rest), not vendor-specific ones. Cisco-specific policy, such as downloadable ACLs, travels in the Vendor-Specific attribute (26) with vendor ID 9 as cisco-av-pair strings, and the switch must be configured to accept it.

Dynamic VLAN assignment: Attributes 64, 65 and 81 together instruct the authenticating switch to place the port into a specific VLAN regardless of the VLAN the port was statically configured with, so the same physical port carries different VLANs for different users without any switch reconfiguration. Two practical details: each of the three attributes carries a leading tag octet (0x00 to 0x1F; servers commonly send tag 1), which the switch strips before reading the value, and the VLAN named in attribute 81 must already exist on the switch, otherwise the authorisation fails and the port stays unauthorised.
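The relay described in section 4 and the attribute handling in this section, as an added Python example that is not part of the original page: it builds the RADIUS Access-Request an authenticator would send for an EAP-Response/Identity, computes and checks the Message-Authenticator, builds the Access-Accept a server would return with EAP-Success and the three VLAN attributes, verifies the Response Authenticator and extracts the VLAN. The shared secret, request authenticator, identity and VLAN are constructed values; a real authenticator draws the request authenticator from a CSPRNG (os.urandom(16)) for every request.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and the standard (not vendor-specific) attributes used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 61, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15


def avp(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def parse_avps(pkt: bytes) -> list:
    """[(type, value), ...] from the attribute area that follows the 20-byte header."""
    out, i = [], 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute")
        out.append((t, pkt[i + 2:i + l]))
        i += l
    return out


def _ma_offset(pkt: bytes):
    i = 20
    while i + 1 < len(pkt):
        if pkt[i] == MESSAGE_AUTHENTICATOR:
            return i
        if pkt[i + 1] < 2:
            return None
        i += pkt[i + 1]
    return None


def sign_message_authenticator(secret: bytes, pkt: bytes, request_authenticator: bytes) -> bytes:
    """RFC 3579 s3.2: HMAC-MD5 over the packet with Message-Authenticator zeroed; for replies
    (Accept/Reject/Challenge) the Request Authenticator is substituted into the authenticator field."""
    off = _ma_offset(pkt)
    if off is None:
        raise ValueError("packet has no Message-Authenticator attribute")
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    if pkt[0] != ACCESS_REQUEST:
        zeroed = zeroed[:4] + request_authenticator + zeroed[20:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return pkt[:off + 2] + mac + pkt[off + 18:]


def verify_message_authenticator(secret: bytes, pkt: bytes, request_authenticator: bytes) -> bool:
    off = _ma_offset(pkt)
    if off is None:
        return False            # an EAP-carrying packet without it must be discarded (RFC 3579)
    expected = sign_message_authenticator(secret, pkt, request_authenticator)
    return hmac.compare_digest(expected[off + 2:off + 18], pkt[off + 2:off + 18])


def build_access_request(secret, identifier, username, eap_packet, request_authenticator) -> bytes:
    """What the authenticator sends: the supplicant's EAP packet relayed inside EAP-Message."""
    attrs = avp(USER_NAME, username.encode()) + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap_packet), 253):       # long EAP packets span several EAP-Message AVPs
        attrs += avp(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs
    return sign_message_authenticator(secret, pkt, request_authenticator)


def build_access_accept(secret, request_authenticator, identifier, vlan: str, eap_success: bytes, tag=1) -> bytes:
    """What the server returns: EAP-Success plus the three tunnel attributes for dynamic VLAN.
    Tunnel-Type and Tunnel-Medium-Type are one tag octet + three value octets; Tunnel-Private-Group-ID
    is a tag octet followed by the VLAN ID or name as a string."""
    attrs = (avp(EAP_MESSAGE, eap_success)
             + avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
             + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode())
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + request_authenticator + attrs
    pkt = sign_message_authenticator(secret, pkt, request_authenticator)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)
    resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response_authenticator(secret: bytes, reply: bytes, request_authenticator: bytes) -> bool:
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def vlan_from_access_accept(reply: bytes):
    """The switch applies the VLAN only when all three attributes agree; the tag octet is stripped."""
    attrs = dict(parse_avps(reply))      # assumes one instance of each tunnel attribute
    try:
        ttype, tmed, tgid = attrs[TUNNEL_TYPE], attrs[TUNNEL_MEDIUM_TYPE], attrs[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN or int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_802:
        return None
    return (tgid[1:] if tgid[0] <= 0x1F else tgid).decode()


if __name__ == "__main__":
    secret = b"Str0ngR@diusKey"                                       # key from the IOS example in section 9
    req_auth = bytes.fromhex("00112233445566778899aabbccddeeff")      # fixed here; random per request in practice
    eap_resp_identity = bytes([2, 1, 0, 10, 1]) + b"alice"            # EAP-Response/Identity "alice"
    req = build_access_request(secret, 7, "alice", eap_resp_identity, req_auth)
    acc = build_access_accept(secret, req_auth, 7, "30", bytes([3, 1, 0, 4]))
    print("Access-Request MA ok:", verify_message_authenticator(secret, req, req_auth))
    print("Access-Accept auth ok:", verify_response_authenticator(secret, acc, req_auth), "VLAN", vlan_from_access_accept(acc))
```

A switch that only checked the Response Authenticator would still be protected against a forged Access-Accept, but an attacker who can replay a captured Access-Accept against a reused request authenticator is not; the Message-Authenticator on the reply, bound to the specific request, and a random request authenticator per request close that gap.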

7. Guest VLAN and Auth-Fail VLAN

Not every device on the network supports 802.1X (e.g., printers, VoIP phones, legacy devices). 802.1X deployments use fallback mechanisms to handle these cases gracefully rather than blocking all non-authenticating devices outright.

7.1 Guest VLAN

The Guest VLAN is assigned to a port when the connected device does not answer the switch's EAP-Request/Identity messages within the configured timeout. That silence means the device has no 802.1X supplicant (a legacy device or a non-802.1X endpoint) or its supplicant service is stopped. The port is moved to the Guest VLAN to provide limited (often Internet-only or remediation) access.

  Guest VLAN Trigger:
    Switch sends EAP-Request/Identity → [no response: device has no supplicant]
    Switch retransmits every tx-period seconds, max-reauth-req times (default 2; the example configuration in section 9 uses 3) → [still no response]
    Switch places port into Guest VLAN (e.g., VLAN 99); if MAB is enabled on the port it is tried first and the Guest VLAN is the fallback after MAB
    Device gets limited access (remediation / internet-only)

7.2 Auth-Fail VLAN (Restricted VLAN)

The Auth-Fail VLAN (also called Restricted VLAN) is assigned when a device has an 802.1X supplicant but authentication fails — wrong credentials, expired certificate, or account locked. This is distinct from the Guest VLAN: the device tried to authenticate but was rejected by the RADIUS server.

  Auth-Fail VLAN Trigger:
    Switch sends EAP-Request/Identity → Device responds (has supplicant)
    Credentials exchanged → RADIUS returns Access-Reject
    Switch places port into Auth-Fail VLAN (e.g., VLAN 98)
    Device gets restricted access — typically remediation / helpdesk only

7.3 Guest vs Auth-Fail VLAN Comparison

Feature              | Guest VLAN                                                                                              | Auth-Fail VLAN
---------------------|---------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------
Trigger              | No EAP-Response within the timeout: device has no 802.1X supplicant                                     | RADIUS returns Access-Reject (after the configured number of attempts): credentials are wrong or invalid
Device type          | Legacy devices, printers, cameras without 802.1X support                                                | Devices with a supplicant but failed authentication (wrong password, expired certificate)
Cisco command        | dot1x guest-vlan <vlan-id> (newer IOS equivalent: authentication event no-response action authorize vlan <vlan-id>) | dot1x auth-fail vlan <vlan-id> (newer IOS equivalent: authentication event fail action authorize vlan <vlan-id>)
Security implication | Not low risk: any device reaches it simply by staying silent, so it must be isolated from internal VLANs (Internet-only, no lateral path) and should raise an alert on ports expected to host managed devices | Higher risk: repeated rejects may indicate credential guessing or a stolen device; alert on auth-fail events and keep this VLAN limited to remediation/helpdesk

8. MAC Authentication Bypass (MAB)

MAC Authentication Bypass (MAB) is a fallback mechanism for devices that do not support 802.1X at all (printers, IP cameras, VoIP phones, IoT devices). Instead of using EAP, MAB sends the device's MAC address as both the username and the password in a RADIUS Access-Request, with Service-Type set to Call-Check so the server's policy can tell a MAB request from a real login. The RADIUS server then allows or denies access based on its endpoint database or a list of approved MAC addresses.

  MAB Process:

  Step 1:  Switch sends EAP-Request/Identity → no response (device has no supplicant)
  Step 2:  After (max-reauth-req + 1) × tx-period seconds the switch falls back to MAB
           (the port must carry the mab interface command; authentication order only sets the sequence)
  Step 3:  Switch learns the source MAC address from the next frame the device sends (ARP, DHCP, anything)
  Step 4:  Switch sends RADIUS Access-Request:
             User-Name:     aabbccddeeff     (Cisco default format: 12 lowercase hex digits, no separators;
                                              configurable with mab request format attribute 1 ...)
             User-Password: aabbccddeeff     (the same string, hidden only by the RFC 2865 User-Password scheme)
             Service-Type:  Call-Check (10)
  Step 5:  RADIUS server checks the MAC against its endpoint database / approved list:
             MATCH    → Access-Accept (device gets network access, ideally with a VLAN/ACL for that device class)
             NO MATCH → Access-Reject (device blocked, or moved to the guest/restricted VLAN depending on configuration)

  Security note:
    MAB is inherently weaker than 802.1X: the "credential" is the MAC address, which is printed on the
    device, visible to anyone on the same segment and trivially spoofed. An attacker who unplugs the printer
    and clones its MAC inherits the printer's access. Use MAB only for devices that genuinely cannot run a
    supplicant, keep the approved-MAC list tightly controlled, and give MAB sessions the narrowest VLAN/ACL
    the device needs rather than the employee VLAN.
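The fallback decisions of sections 7 and 8 (802.1X first, then MAB, then the Guest VLAN, with the Auth-Fail VLAN for rejected supplicants), as an added Python model that is not part of the original page and not Cisco's implementation. The RADIUS server, endpoints, MAC addresses and credentials are constructed; the timing rule (max-reauth-req + 1) × tx-period and the rule that a rejected MAB lookup on a supplicant-less device lands in the guest VLAN are this model's assumptions about the IOS defaults, and on a real switch the authentication event actions decide.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# RADIUS Service-Type values: Cisco marks MAB requests as Call-Check so the policy can tell them apart
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10


@dataclass
class PortConfig:
    """Mirrors the interface settings of the IOS example in section 9 (plus the mab keyword)."""
    static_vlan: int = 10
    order: Tuple[str, ...] = ("dot1x", "mab")
    guest_vlan: Optional[int] = 99
    auth_fail_vlan: Optional[int] = 98
    auth_fail_max_attempts: int = 3
    tx_period: int = 10
    max_reauth_req: int = 3


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool = False
    identity: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Decision:
    method: Optional[str]      # dot1x / mab / None
    state: str                 # authorized / auth-fail / guest / unauthorized
    vlan: Optional[int]
    wait_seconds: int          # time spent waiting for a supplicant that never answered


class FakeRadius:
    """Constructed stand-in for ISE/NPS: a user table and a MAB allow-list."""

    def __init__(self, users: dict, mab_allowed: set):
        self.users = users              # identity -> (password, vlan or None for "use the port's VLAN")
        self.mab_allowed = mab_allowed  # MACs as 12 lowercase hex digits

    def access_request(self, username, password, service_type):
        if service_type == SERVICE_TYPE_CALL_CHECK:
            ok = username in self.mab_allowed and password == username
            return ("accept", None) if ok else ("reject", None)
        expected, vlan = self.users.get(username, (None, None))
        return ("accept", vlan) if expected is not None and password == expected else ("reject", None)


def mab_username(mac: str) -> str:
    """Cisco's default MAB credential format: 12 lowercase hex digits, no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def authorize_port(cfg: PortConfig, ep: Endpoint, radius: FakeRadius) -> Decision:
    wait, failed = 0, None
    for method in cfg.order:
        if method == "dot1x":
            if not ep.has_supplicant:
                # Model assumption: EAP-Request/Identity goes out (max-reauth-req + 1) times,
                # tx-period seconds apart, before the switch gives up on 802.1X for this port
                wait += cfg.tx_period * (cfg.max_reauth_req + 1)
                continue
            for _ in range(cfg.auth_fail_max_attempts):
                result, vlan = radius.access_request(ep.identity, ep.password, SERVICE_TYPE_FRAMED)
                if result == "accept":
                    return Decision("dot1x", "authorized", vlan or cfg.static_vlan, wait)
            failed = "dot1x"
            break   # a supplicant that keeps failing is not retried with MAB in this model
        elif method == "mab":
            user = mab_username(ep.mac)   # the MAC is both username and password
            result, vlan = radius.access_request(user, user, SERVICE_TYPE_CALL_CHECK)
            if result == "accept":
                return Decision("mab", "authorized", vlan or cfg.static_vlan, wait)
            failed = "mab"
    if failed and ep.has_supplicant and cfg.auth_fail_vlan:
        return Decision(failed, "auth-fail", cfg.auth_fail_vlan, wait)
    if not ep.has_supplicant and cfg.guest_vlan:
        return Decision(None, "guest", cfg.guest_vlan, wait)
    return Decision(None, "unauthorized", None, wait)


if __name__ == "__main__":
    radius = FakeRadius({"alice": ("s3cret", 30)}, {"001122aabbcc"})
    for ep in (Endpoint("aa:bb:cc:dd:ee:ff", True, "alice", "s3cret"),   # managed laptop
               Endpoint("aa:bb:cc:dd:ee:ff", True, "alice", "wrong"),    # bad password
               Endpoint("00:11:22:AA:BB:CC"),                            # printer in the MAB list
               Endpoint("de:ad:be:ef:00:01")):                           # unknown silent device
        print(ep.mac, authorize_port(PortConfig(), ep, radius))
```

Run the printer case with a different physical device that has cloned 00:11:22:AA:BB:CC and the model returns the same "mab / authorized" decision, which is the MAB weakness the security note describes in executable form.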

9. Cisco IOS Configuration – 802.1X

The following is a complete Cisco IOS configuration for enabling 802.1X on an access switch with RADIUS authentication, Guest VLAN, Auth-Fail VLAN, and MAB fallback.

  ! ════════════════════════════════════════════════════════════════
  !  Step 1: Enable AAA and define the RADIUS server
  ! ════════════════════════════════════════════════════════════════
  aaa new-model

  radius server ISE
   address ipv4 10.0.0.100 auth-port 1812 acct-port 1813
   key Str0ngR@diusKey

  aaa group server radius RADIUS-GROUP
   server name ISE

  aaa authentication dot1x default group RADIUS-GROUP
  aaa authorization network default group RADIUS-GROUP
  aaa accounting dot1x default start-stop group RADIUS-GROUP

  ! ════════════════════════════════════════════════════════════════
  !  Step 2: Enable 802.1X globally
  ! ════════════════════════════════════════════════════════════════
  dot1x system-auth-control

  ! ════════════════════════════════════════════════════════════════
  !  Step 3: Create VLANs for data, guest, and auth-fail
  ! ════════════════════════════════════════════════════════════════
  vlan 10
   name Employee-Data
  vlan 98
   name Auth-Fail-Restricted
  vlan 99
   name Guest-No-Supplicant

  ! ════════════════════════════════════════════════════════════════
  !  Step 4: Configure access port with 802.1X, MAB, Guest, Auth-Fail
  ! ════════════════════════════════════════════════════════════════
  interface GigabitEthernet0/1
   description 802.1X-Access-Port
   switchport mode access
   switchport access vlan 10
   authentication port-control auto      ! key command: enables 802.1X on the port (default is force-authorized)
   authentication order dot1x mab        ! try 802.1X first, fall back to MAB
   authentication priority dot1x mab     ! 802.1X takes priority over MAB
   mab                                   ! enables MAB on the port; without this line the order/priority entries do nothing
   dot1x pae authenticator               ! configures port as the PAE authenticator role
   dot1x timeout quiet-period 10
   dot1x timeout tx-period 10            ! seconds between EAP-Request/Identity retransmits
   dot1x max-reauth-req 3                ! retransmits before the port is treated as supplicant-less: (3+1) x 10 s = 40 s
   dot1x guest-vlan 99                   ! no supplicant → Guest VLAN
   dot1x auth-fail vlan 98               ! auth failure → Auth-Fail VLAN
   dot1x auth-fail max-attempts 3
   spanning-tree portfast                ! access port: skip STP listening/learning
   no shutdown

  ! ════════════════════════════════════════════════════════════════
  !  Step 5: Verify
  ! ════════════════════════════════════════════════════════════════
  Switch# show dot1x all
  Switch# show dot1x interface GigabitEthernet0/1
  Switch# show authentication sessions
  Switch# show authentication sessions interface GigabitEthernet0/1
  Switch# show aaa servers
authentication port-control auto is the command that enables 802.1X on a port. The three port-control options are: auto (the port starts unauthorised and requires authentication; the standard production setting), force-authorized (the port is always open and 802.1X is effectively off; this is the default for every port, which is why enabling dot1x system-auth-control globally does not touch ports that were never given port-control auto, and it is the setting to leave on uplinks and server ports), and force-unauthorized (the port is always blocked; used to administratively disable access). Two further defaults matter before deployment: host mode is single-host, so an IP phone with a PC behind it needs authentication host-mode multi-domain, and a RADIUS outage makes every new session fail unless a critical VLAN is configured with authentication event server dead action authorize vlan <vlan-id>.

10. Verification Commands

Command                                          | What it shows
-------------------------------------------------|---------------------------------------------------------------------------------------------------------
show dot1x all                                   | Global 802.1X status and per-port summary of all dot1x-enabled interfaces
show dot1x interface <intf>                      | Detailed 802.1X state for one interface: port state, supplicant MAC, EAP method, timer values
show authentication sessions                     | All active authentication sessions: identity, method (dot1x/MAB), VLAN assigned, status (Authz Success / Failed)
show authentication sessions interface <intf>    | Detailed session for one port: supplicant identity, EAP type, assigned VLAN and ACL, session timeout
show aaa servers                                 | RADIUS server reachability: packets sent/received, Access-Accepts, Access-Rejects, round-trip time
show radius server-group all                     | Configured RADIUS server groups and their member servers
debug dot1x all                                  | Real-time 802.1X events: EAPoL messages, state transitions, RADIUS exchanges (verbose; lab use only)
debug radius authentication                      | RADIUS Access-Request and Access-Accept/Reject exchanges in real time

10.1 Sample Output – show authentication sessions

  Switch# show authentication sessions
  Interface    MAC Address        Method   Domain   Status         Session-timeout  Remaining  VLAN
  Gi0/1        aa:bb:cc:dd:ee:ff  dot1x    DATA     Authz Success  3600s            3540s      10
  Gi0/2        00:11:22:aa:bb:cc  mab      DATA     Authz Success  N/A              N/A        10
  Gi0/3        ff:ee:dd:cc:bb:aa  dot1x    DATA     Authz Failed   N/A              N/A        98 (auth-fail)
  Gi0/4        00:11:22:33:44:55  N/A      DATA     No methods     N/A              N/A        99 (guest)
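An added Python audit over the illustrative session layout shown above, not the page's own code: the rows are constructed and follow the page's simplified columns, so the regular expression needs adjusting before it is pointed at real IOS output (which prints a Session ID column rather than VLAN and timeout). It flags rejected sessions, ports parked in the guest VLAN, and MAB sessions whose MAC is not in the inventory held for supplicant-less devices; the inventory set is an assumed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the simplified layout used in section 10.1 (not real IOS output)
SAMPLE_OUTPUT = """\
Interface    MAC Address        Method   Domain   Status         Session-timeout  Remaining  VLAN
Gi0/1        aa:bb:cc:dd:ee:ff  dot1x    DATA     Authz Success  3600s            3540s      10
Gi0/2        00:11:22:aa:bb:cc  mab      DATA     Authz Success  N/A              N/A        10
Gi0/3        ff:ee:dd:cc:bb:aa  dot1x    DATA     Authz Failed   N/A              N/A        98 (auth-fail)
Gi0/4        00:11:22:33:44:55  N/A      DATA     No methods     N/A              N/A        99 (guest)
"""

ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>Authz Success|Authz Failed|No methods|Running)\s+\S+\s+\S+\s+"
    r"(?P<vlan>\d+)(?:\s+\((?P<note>[^)]+)\))?\s*$", re.IGNORECASE)


@dataclass
class Session:
    intf: str
    mac: str            # normalised to 12 lowercase hex digits, the form MAB sends to RADIUS
    method: str
    status: str
    vlan: int
    note: Optional[str]


def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:   # the header and blank lines do not match
            sessions.append(Session(m["intf"], m["mac"].lower().replace(":", ""), m["method"].lower(),
                                    m["status"], int(m["vlan"]), m["note"]))
    return sessions


def audit(sessions: List[Session], mab_inventory: Set[str],
          guest_vlan: int, auth_fail_vlan: int) -> List[Tuple[str, str, str]]:
    """Return (interface, severity, reason) for every session that deserves a look."""
    findings = []
    for s in sessions:
        if s.status == "Authz Failed" or s.vlan == auth_fail_vlan:
            findings.append((s.intf, "high", f"authentication rejected for {s.mac}; check the RADIUS reject reason"))
        elif s.status == "No methods" or s.vlan == guest_vlan:
            findings.append((s.intf, "medium", "no supplicant answered; port sits in the guest VLAN"))
        elif s.method == "mab" and s.mac not in mab_inventory:
            findings.append((s.intf, "high", f"MAB-authorised MAC {s.mac} is not in the supplicant-less device inventory"))
        elif s.method == "mab":
            findings.append((s.intf, "low", "MAB session: MAC is spoofable, confirm the device matches the inventory"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sessions(SAMPLE_OUTPUT), {"001122aabbcc"}, guest_vlan=99, auth_fail_vlan=98):
        print(*finding)
```

Run it from a scheduled job against the output collected from every access switch and the "high" findings become the daily worklist: an auth-fail port is either a user problem or credential guessing, and a MAB MAC that nobody inventoried is either a forgotten printer or a cloned address.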

10.2 Sample Output – show dot1x interface GigabitEthernet0/1

  Switch# show dot1x interface GigabitEthernet0/1 detail
  Dot1x Info for GigabitEthernet0/1
  -----------------------------------
  PAE                       = AUTHENTICATOR
  PortControl               = AUTO
  ControlDirection          = Both
  HostMode                  = SINGLE_HOST
  ReAuthentication          = Disabled
  QuietPeriod               = 10
  ServerTimeout             = 30
  SuppTimeout               = 30
  ReAuthPeriod              = 3600 (Locally configured)
  ReAuthMax                 = 3          ! dot1x max-reauth-req 3 from the configuration above
  MaxReq                    = 2          ! dot1x max-req left at its default
  TxPeriod                  = 10
  RateLimitPeriod           = 0
  Auth-Fail-Vlan            = 98
  Auth-Fail-Max-attempts    = 3
  Guest-Vlan                = 99

  Dot1x Authenticator Client List
  --------------------------------
  Supplicant                = aa:bb:cc:dd:ee:ff
  Auth SM State             = AUTHENTICATED
  Auth BEND SM State        = IDLE
  EAP Method                = PEAP
  VLAN assigned             = 10

11. Troubleshooting 802.1X

Symptom                                                              | Likely cause                                                                                                                                                             | Fix
---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------
Port stays unauthorised; supplicant shows EAP timeout                | RADIUS server unreachable: wrong IP, key mismatch, or a firewall blocking UDP 1812                                                                                       | Check show aaa servers for timeouts and failures; verify IP, shared key and firewall rules to the RADIUS server; configure a critical VLAN (authentication event server dead action authorize vlan) so an outage does not lock every port
Authentication fails with correct credentials                        | RADIUS shared key mismatch (the server silently drops requests whose Message-Authenticator fails); EAP method mismatch (supplicant offers PEAP, RADIUS policy allows only EAP-TLS); or the supplicant rejects the server certificate | Verify the shared key on both the switch (key) and the server; align the EAP type allowed in the RADIUS policy with the supplicant profile; check the server certificate chain against the client's trusted CA
Device placed in Guest VLAN unexpectedly                             | The device's 802.1X supplicant service is stopped or not installed; the switch timed out waiting for an EAP-Response                                                      | Verify the supplicant is running on the client (services.msc on Windows: "Wired AutoConfig"); increase tx-period or max-reauth-req if the supplicant starts slowly
Device placed in Auth-Fail VLAN                                      | Wrong credentials; expired certificate; user account locked in AD                                                                                                         | Check the RADIUS server logs for the specific rejection reason; verify credentials and certificate validity; check the AD account status
Uplink or server port goes unauthorised after enabling dot1x globally | authentication port-control auto was applied to the uplink as well (typically by an interface range or template), and the far end runs no supplicant                   | Set authentication port-control force-authorized on uplinks, trunks and server ports, or exclude them from the 802.1X template; ports left at the default force-authorized are never affected by dot1x system-auth-control
MAB not working for a printer after the 802.1X timeout                | The mab command is missing from the interface (authentication order dot1x mab only sets the sequence); or the printer's MAC is not in the RADIUS approved list          | Add mab to the interface alongside authentication order dot1x mab; add the MAC (in the format the switch sends, by default 12 lowercase hex digits) to the RADIUS approved list

See also: AAA RADIUS Configuration Lab | 802.1X Port Authentication Lab | AAA Overview | Debug Commands

12. Key Terms Quick Reference

Term                    | Definition
------------------------|------------------------------------------------------------------------------------------------------------------------------------------------
802.1X                  | IEEE standard for port-based network access control; blocks all traffic on a port until the connected device authenticates successfully
Supplicant              | The end device (PC, phone, printer) that initiates authentication and submits credentials via EAPoL to the authenticator
Authenticator           | The network device (switch or WLC) that controls port access; relays EAP messages between supplicant and RADIUS server
Authentication Server   | The RADIUS server (ISE, NPS, FreeRADIUS) that validates credentials and returns Access-Accept or Access-Reject with optional policy attributes
EAP                     | Extensible Authentication Protocol: a framework that supports multiple authentication methods (TLS, PEAP, FAST); carried over LAN as EAPoL
EAPoL                   | EAP over LAN: Layer 2 encapsulation (EtherType 0x888E) used between the supplicant and the authenticator; does not require IP
EAP-TLS                 | Highest-security EAP method using mutual X.509 certificate authentication; requires a full PKI with certificates on both client and server
PEAP                    | Protected EAP; creates a TLS tunnel using a server certificate, then authenticates the client with username/password (MS-CHAPv2) inside the tunnel
EAP-FAST                | Cisco-developed EAP method using a Protected Access Credential (PAC) in place of client certificates; no PKI required
RADIUS                  | Remote Authentication Dial-In User Service; UDP-based protocol between the authenticator and the authentication server (auth: UDP 1812, accounting: UDP 1813)
Guest VLAN              | VLAN assigned to a port when the connected device does not respond to EAP-Request/Identity; the device has no 802.1X supplicant
Auth-Fail VLAN          | VLAN assigned when authentication fails (RADIUS returns Access-Reject); the device has a supplicant but the credentials are invalid
MAB                     | MAC Authentication Bypass: fallback for non-802.1X devices; the switch sends the device's MAC address to RADIUS as the authentication credential
port-control auto       | The Cisco IOS interface command that enables 802.1X authentication on a port; the supplicant must authenticate before traffic is permitted
Dynamic VLAN Assignment | RADIUS returns the standard tunnel attributes (64, 65, 81) in the Access-Accept, instructing the switch to place the authenticated port into a specific VLAN

13. 802.1X – Practice Quiz

1. In an 802.1X deployment, which device is responsible for validating the supplicant's credentials and returning an Access-Accept or Access-Reject?

Correct answer is B. The authenticator (switch) does not validate credentials — it is a transparent relay between the supplicant and the RADIUS server. The switch encapsulates EAP messages inside RADIUS Access-Request packets and sends them to the RADIUS server. The RADIUS server performs the actual credential validation and returns Access-Accept or Access-Reject. The switch simply enforces whatever the RADIUS server decides.

2. What Layer 2 protocol carries EAP messages between the supplicant and the authenticator, and what EtherType does it use?

Correct answer is C. EAPoL (EAP over LAN) uses EtherType 0x888E and operates entirely at Layer 2. This is significant because an 802.1X port in the unauthorised state blocks all traffic except EAPoL — the supplicant can authenticate before it even has an IP address. IP is not required for the authentication exchange itself. Between the switch and the RADIUS server, however, EAP is encapsulated inside RADIUS over UDP.

3. Which EAP method requires X.509 digital certificates on both the client and the server, and provides the strongest mutual authentication?

Correct answer is A. EAP-TLS is the most secure EAP method available. It mandates X.509 certificates on both the supplicant (client) and the RADIUS server — mutual authentication. Neither side can impersonate the other without a valid certificate signed by a trusted CA. The trade-off is operational complexity: every managed device needs a certificate issued and enrolled, requiring a full PKI. PEAP and EAP-FAST simplify deployment by requiring only a server certificate or no certificate at all, but sacrifice some security compared to EAP-TLS.

4. A PC connects to a switch port configured for 802.1X. The PC has an 802.1X supplicant and sends credentials, but the RADIUS server returns Access-Reject. What happens to the port?

Correct answer is D. The Auth-Fail VLAN (Restricted VLAN) is specifically designed for this scenario: the device has an 802.1X supplicant (it responded to EAPoL) and attempted authentication, but the RADIUS server rejected the credentials. This is different from the Guest VLAN, which is for devices that never respond to EAPoL at all. If the Auth-Fail VLAN is not configured, the port simply remains unauthorised after the maximum number of failed attempts.

5. A network administrator needs to allow a printer — which has no 802.1X supplicant — to access the network through an 802.1X-enabled port. What mechanism should be configured?

Correct answer is B. MAB (MAC Authentication Bypass) is the standard solution for devices that cannot run an 802.1X supplicant. After the 802.1X timeout (no EAPoL response), the switch falls back to MAB and sends the device's MAC address to the RADIUS server as both the username and password. The RADIUS server checks the MAC against an approved list and returns Access-Accept if matched. While option A also grants access, force-authorized bypasses all authentication entirely — any device connected gets access, which is a security risk. MAB is the correct, controlled approach.

6. Which RADIUS attributes are used together to dynamically assign a VLAN to an 802.1X-authenticated port?

Correct answer is C. Dynamic VLAN assignment via RADIUS requires three attributes in the Access-Accept response: Tunnel-Type (64) set to VLAN (value 13), Tunnel-Medium-Type (65) set to 802 (value 6), and Tunnel-Private-Group-ID (81) containing the VLAN ID (e.g., "30") or name. The switch reads these three attributes together and moves the authenticated port into the specified VLAN — overriding its static VLAN configuration. This enables role-based VLAN assignment without touching the switch configuration.

7. What is the key difference between PEAP and EAP-TLS in terms of certificate requirements?

Correct answer is A. This is one of the most commonly tested 802.1X distinctions on the CCNA exam. EAP-TLS = mutual certificates (both client and server must have X.509 certificates): maximum security, maximum PKI overhead. PEAP = server certificate only (the server proves its identity to the client via a certificate, then the client authenticates with MS-CHAPv2 or GTC inside the encrypted TLS tunnel): lower PKI overhead, widely used in enterprise Wi-Fi with Active Directory. EAP-FAST = no certificates required (it uses a PAC; a server certificate is optional and only serves authenticated PAC provisioning).

8. An administrator enables dot1x system-auth-control on a switch. Shortly after, the uplink trunk port to the distribution switch loses connectivity. What is the most likely cause?

Correct answer is D. Enabling dot1x system-auth-control activates 802.1X on every port configured with authentication port-control auto; ports left at the default (force-authorized) are unaffected. The uplink therefore lost connectivity because port-control auto had been applied to it as well, typically through an interface range or a port template that swept the trunk in with the access ports. The distribution switch runs no supplicant, so the port waited for an EAP-Response that never came and stayed unauthorised. Uplinks, trunks and server ports must be explicitly set to authentication port-control force-authorized (or excluded from the 802.1X template); forgetting this is a very common mistake when first enabling 802.1X globally.

9. The command authentication port-control auto is configured on a switch port. What does the auto keyword mean?

Correct answer is B. The three port-control states are: auto — the port begins unauthorised and requires 802.1X authentication to open (standard production mode); force-authorized — the port is always open, bypassing 802.1X entirely (used for uplinks, server ports, or printers where 802.1X should not apply); force-unauthorized — the port is always blocked regardless of authentication (used to administratively shut down access without physically unplugging the cable).

10. An enterprise is evaluating EAP methods for its 5,000-device wireless network. Security is the highest priority, but the IT team wants to avoid deploying certificates to every end-user device. Which EAP method best meets these requirements?

Correct answer is C. PEAP with MS-CHAPv2 is the most widely deployed enterprise Wi-Fi EAP method precisely because it balances strong security with manageable deployment. Only the RADIUS server needs a certificate — client devices authenticate with their Active Directory username/password inside the encrypted TLS tunnel. EAP-TLS offers higher security but requires client certificates on all 5,000 devices — exactly what the team wants to avoid. EAP-FAST is simpler but Cisco-specific and less universal. MAB provides no real user authentication — only device MAC validation.
