dot1x (authenticator)

interface-config-ge-instance

Configures 802.1X authenticator settings

Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Devices supporting dot1x allow automatic provisioning and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to log in manually.

Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Wireless Controllers — NX5500, NX7500

Syntax

dot1x authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthenticate|timeout]
dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|
port-control [auto|force-authorized|force-unauthorized]|reauthenticate|timeout [quiet-period|reauth-period] <1-65535>]
Note

The dot1x (802.1x) supplicant settings are documented in the next section.

Parameters

dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|
max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|
reauthenticate|timeout [quiet-period|reauth-period]]
dot1x authenticator – Configures 802.1x authenticator settings
guest-vlan <1-4094> – Configures the guest VLAN for this interface. This is the VLAN on which traffic is bridged if this port is unauthorized and the guest VLAN is globally enabled. Select the VLAN index from 1 - 4094.
host-mode [multi-host|single-host] – Configures the host mode for this interface
  • multi-host – Configures multiple host mode
  • single-host – Configures single host mode. This is the default setting.
max-reauth-req <1-10> – Configures the maximum number of re-authentication retries for the supplicant. This is the maximum number of re-authentication attempts made before this port is moved to unauthorized.
  • <1-10> – Specify a value from 1 - 10. The default is 2.
port-control [auto|force-authorized|force-unauthorized] – Configures the port control state
  • auto – Configures auto port state
  • force-authorized – Configures authorized port state. This is the default setting.
  • force-unauthorized – Configures unauthorized port state
reauthenticate – Enables re-authentication for this port. When enabled, clients are forced to re-authenticate on this port. The setting is disabled by default; clients are not required to re-authenticate for connection over this port until this setting is enabled.
timeout [quiet-period|reauth-period] <1-65535> – Configures timeout settings for this interface
  • quiet-period – Configures the quiet period timeout in seconds. This is the interval, in seconds, between successive client authentication attempts.
  • reauth-period – Configures the time, in seconds, after which re-authentication is initiated

The following option is common to the 'quiet-period' and 'reauth-period' keywords:

  • <1-65535> – Specify a 'quiet-period' or 'reauth-period' from 1 - 65535 seconds.

Example

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator guest-vlan 2

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator host-mode multi-host

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator max-reauth-req 6

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator reauthenticate

nx9500-6C8809(config-profile-testNX5500-if-ge1)#show context
 interface ge1
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator reauthenticate
  dot1x authenticator max-reauth-count 6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
nx9500-6C8809(config-profile-testNX5500-if-ge1)#

The following examples show the configuration made on an NX5500 to enable it as a dot1x authenticator:

  1. Configure AAA policy on the authenticator, and identify the authentication server as onboard (self):
    NX5500-229D58(config-aaa-policy-aaa-wireddot1x)#show context
    aaa-policy aaa-wireddot1x
    authentication server 1 onboard controller
    NX5500-229D58(config-aaa-policy-aaa-wireddot1x)#

    This AAA policy is used in the authenticator's self configuration mode, as shown in the last step.

  2. Configure RADIUS user policy on the authenticator:
    nx5500-229D58(config-radius-user-pool-wired-dot1x-users)#show con
    radius-user-pool-policy wired-dot1x-users
    user bob password 0 bob1234
    nx5500-229D58(config-radius-user-pool-wired-dot1x-users)#

    The user name and password configured here should match those of the supplicant. For more information, see the examples provided in the dot1x (supplicant) section.

  3. Configure RADIUS server policy on the authenticator, and associate the RADIUS user policy created in the previous step:
    nx5500-229D58(config-radius-server-policy-for-wired-dot1x)#show con
    radius-server-policy for-wired-dot1x
    use radius-user-pool-policy wired-dot1x-users
    nx5500-229D58(config-radius-server-policy-for-wired-dot1x)#

  4. In the authenticator's self configuration mode, associate the RADIUS server policy created in the previous step, and configure other parameters, as shown in the following example:
    nx5500-229D58(config-device-00-15-29-22-9D-58)#use radius-server-policy for-wired-dot1x
  5. In the authenticator's interface > ge configuration mode, configure the following parameters:
    nx5500-229D58(config-device-00-15-29-22-9D-58-if-ge2)#dot1x authenticator host-mode single-host

    nx5500-229D58(config-device-00-15-29-22-9D-58-if-ge2)#dot1x authenticator port-control auto

  6. In the authenticator's self configuration mode, configure the following parameters:
    nx5500-229D58(config-device-00-15-29-22-9D-58)#dot1x system-auth-control

    nx5500-229D58(config-device-00-15-29-22-9D-58)#dot1x use aaa-policy aaa-wireddot1x

    The following example displays the parameters configured above:

    nx5500-229D58(config-device-00-15-29-22-9D-58)#show context
    use profile default-nx5500
    use rf-domain default
    hostname nx5500-229D58
     use radius-server-policy for-wired-dot1x
    interface me1
      ip address 192.168.0.1/24
    interface ge2
      dot1x authenticator host-mode single-host
      dot1x authenticator port-control auto
    interface vlan1
      ip address dhcp
      ip dhcp client request options all
    logging on
    logging console debugging
    dot1x system-auth-control
    dot1x use aaa-policy aaa-wireddot1x
    --More--
    nx5500-229D58(config-device-00-15-29-22-9D-58)
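As an added example (not part of this command reference and not code from the WiNG platform), the following Python audit parses show-context output like the listings above and reports authenticator settings that leave a port's state forced rather than authenticated, leave re-authentication off, or fall outside the documented value ranges. The sample text is constructed, and treating dot1x system-auth-control as the global enable is an assumption drawn from step 6.

```python
# Constructed sample modelled on the page's "show context" output, not captured from a device.
SAMPLE = """\
interface ge1
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator max-reauth-req 12
interface ge2
  dot1x authenticator port-control auto
  dot1x authenticator reauthenticate
  dot1x authenticator timeout reauth-period 3600
interface vlan1
  ip address dhcp
dot1x system-auth-control
dot1x use aaa-policy aaa-wireddot1x
"""
# Permitted value ranges, taken from the Parameters section of the reference.
RANGES = {"guest-vlan": (1, 4094), "max-reauth-req": (1, 10), "timeout": (1, 65535)}

def parse_context(text):
    """Split show-context text into device-level lines and per-interface dot1x args."""
    device, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):  # indented line: belongs to the current interface block
            if cur and line.startswith("dot1x authenticator "):
                ifaces[cur].append(line.split()[2:])  # e.g. ["timeout", "reauth-period", "3600"]
        elif line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        else:
            cur = None
            device.append(line)
    return device, ifaces

def audit(text):
    """Return (scope, message) findings; an empty list means nothing to report."""
    device, ifaces = parse_context(text)
    findings = []
    if "dot1x system-auth-control" not in device:  # assumption: this is the global enable (step 6)
        findings.append(("device", "dot1x system-auth-control missing: authenticator not globally enabled"))
    for name, settings in ifaces.items():
        if not settings:  # interface carries no authenticator configuration
            continue
        for s in settings:  # numeric arguments must fall inside the documented ranges
            if s[0] in RANGES and not RANGES[s[0]][0] <= int(s[-1]) <= RANGES[s[0]][1]:
                findings.append((name, f"{s[0]} {s[-1]} outside {RANGES[s[0]][0]}-{RANGES[s[0]][1]}"))
        if ["port-control", "auto"] not in settings:  # default force-authorized forces the port open
            findings.append((name, "port-control is not auto: port state is forced, not decided by authentication"))
        if ["reauthenticate"] not in settings:  # disabled by default per the reference
            findings.append((name, "reauthenticate not set: clients are never re-authenticated"))
    return findings
```

Running audit(SAMPLE) reports three findings, all on ge1; ge2 passes and vlan1 is skipped because it carries no authenticator configuration.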

Related Commands

no – Disables or reverts interface settings to their default