Port based-authentication is a combination of AAA and port security, it’s based on the IEEE 802.1X standard. When it is enabled, a switch port will pass no traffic until the client has authenticated with the switch. The user can only pass traffic if the authentication is successful.

Port- based authentication requires that both the client and the switch offering network services support the 802.1X standard. If the client support 802.1X but the switch does not, the client abandons the protocol and communicate normally. However, if the switch support 802.1X but the client doesn’t, the switch will not allow traffic to pass through its port. It remains in the unauthorized state.

802.1X framework

802.1X provides an authorization framework that allows or disallows traffic to pass through a port and thereby access network resources. It may be implemented in either wired or wireless environment.

This framework consists of three main components;

  1. Supplicant

            This is the client that supports 802.1X requesting access to the network resources. The client have a software running on it which may be integrated into the operating system, included in the client firmware, or implemented as add-in software.

  1. Authenticator

This is the device to which the supplicant directly connects. It’s a device that blocks or allows traffic to pass through its port. In a wired environment, it’s typically a switch while it’s a standalone access point or wireless LAN controller in a wireless environment.

  1. Authentication Server

A server that validates the credentials of the supplicant that’s requesting access to the network. When authentication is complete, the authentication server notifies the authenticator so it can allow traffic to pass through its port. This will typically be a RADIUS server.




The 802.1X protocol does not contain specific methods for clients to send their credentials to the authentication server. To solve this problem, the IEEE added the Extensible Authentication Protocol (EAP). It’s a layer 2 authentication protocol.

EAP is just the transport protocol optimizes for authentication, not the authentication method itself. It’s an authentication framework which support multiple authentication methods, typically runs directly over data link layers such as Point-to-Point protocol (PPP) or IEEE 802, without requiring IP.

EAP messages are carried over different media, depending upon the encapsulation method used by 802.1X. When transmitted over LAN media protocol like Ethernet, Token ring or FDDI, it is called EAP over LAN (EAPOL). The supplicant and the authentication server communicate with each other using the EAP protocol.

There are different flavors of EAP, some, such as Cisco’s Lightweight EAP (LEAP) is proprietary while others such as Protected EAP (PEAP) are standard based. Some provides for only one way authentication while others provide a two-way authentication. Example of EAP types are;

  1. Lightweight EAP (LEAP).
  2. Protected EAP (PEAP).
  3. EAP Message Digest 5 (EAP-MD5).
  4. EAP Transport Layer Security (EAP-TLS).
  5. EAP Flexible Authentication via Secure Tunneling (EAP-FAST).

The Authentication Process

  1. The supplicant (client) start authentication by sending an EAPOL start/request frame to the authenticator (switch).
  2. The authenticator replies with an EAP identity request.
  3. The supplicant sends an EAP identity response to the authenticator.
  4. The authenticator forward the supplicant identity response to the authentication server.
  5. The authentication server sends an authorization request to the authenticator which is then forwarded to the supplicant.
  6. The supplicant sends an EAP authorization response to the authenticator which is forwarded to the authentication server.
  7. The authentication server sends an EAP success message to the authenticator which is forwarded to the supplicant.
  8.   The authenticator places its port in the authorized state, ready to be used by the      supplicant to forward traffic.


An 802.1X switch port begins in the unauthorized state so that no data other than the 802.1X protocol itself is allowed through the port. Either the client or the switch can initiate an 802.1X session. The authorized state of the port ends when the user logs out, causing the 802.1X client to inform the switch to revert back to the unauthorized state. The switch can also time out the user’s authorized session. If this happens, the client must reauthenticate to continue using the switch port.


802.1X Configuration

  1. Enable AAA

Switch(config)# aaa new-model

  1. Define external RADIUS servers alongside its secret shared password which is known only to the server and the switch, and provides a key for encrypting the authentication session.

Switch(config)# radius-server host { hostname | ip-address } [ key string ]

  1. Define the authentication method for 802.1X. The configuration command used here causes all RADIUS authentication servers defined on the switch to be used for 802.1X authentication.

Switch(config)# aaa authentication dot1x default group radius

  1. Enable 802.1X on the switch.

Switch(config)# dot1x system-auth-control

  1. Configure each port that will use 802.1X

Switch(config)# interface type mod/num

Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

  1. Allow multiple hosts on a switch port.

Switch(config-if)# dot1x host-mode multi-host

Note that the sixth configuration is only necessary if the switch should expect multiple host to be present on the switch port, like when an Ethernet hub or an access layer switch is connected to a port running 802.1X


802.1X states

As evidenced in the fifth configuration above, 802.1X has three states and a switch port will be put into one of them.

  1. Force-authorized

This is the default state for all switch ports when 802.1X is enabled. All connected device is always authorized, no authentication is necessary.

  1. Force-unauthorized

The port is forced to never authorize any connected device. Thus, the port cannot move to the authorized state to pass traffic to a connected client.

  1. Auto

The port in this state uses 802.1X exchange to move the port from the unauthorized state to the authorized state, if successful. This requires an 802.1X capable application on the client PC.




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s