What is IEEE 802.1X port-based access control, and what are the three roles in the architecture?
802.1X restricts unauthorized devices from connecting to a LAN (Local Area Network). It has three roles: the Supplicant (client requesting access), the Authenticator (the switch/AP (Access Point) controlling the port), and the Authentication Server (RADIUS (Remote Authentication Dial-In User Service) server validating credentials).
* The three 802.1X roles and their protocols. *
* 802.1X exchange: port unauthorized until Accept. *
The three 802.1X roles:
| Role | Device | Function |
|---|---|---|
| Supplicant | Client device (laptop, phone) | Runs 802.1X-compliant software; requests access and provides credentials |
| Authenticator | Switch or Wireless AP | Controls physical access to the network; acts as a proxy between client and server. Blocks all traffic until authenticated |
| Authentication Server | RADIUS server (e.g., Cisco ISE, FreeRADIUS) | Validates the client's identity; tells the authenticator to grant or deny access |
How it works:
- Client connects to a switch port → port starts in unauthorized state (only 802.1X traffic allowed)
- Client sends EAP (Extensible Authentication Protocol) credentials
- Switch relays credentials to RADIUS server
- RADIUS server validates → sends Accept or Reject
- If accepted → switch transitions port to authorized state → all traffic flows
- If rejected → port stays unauthorized → client can't access the network
Why 802.1X matters:
- Without it, anyone who plugs into a switch port has network access
- With it, the switch port is essentially a locked door that only opens after authentication
- Works for both wired (switch ports) and wireless (AP association)
Tip: 802.1X is the enterprise standard for network access control. It's what prevents a visitor from plugging their laptop into a conference room Ethernet jack and accessing the corporate network.
Go deeper:
IEEE 802.1X (Wikipedia) — defines port-based access control and the supplicant / authenticator / authentication-server roles with the EAP-over-RADIUS flow.
Extensible Authentication Protocol (EAP) (Wikipedia) — the authentication framework 802.1X carries (EAPOL between supplicant and authenticator), and its common methods (EAP-TLS, PEAP, EAP-TTLS).