dot1x (supplicant)

interface-config-ge-instance

Enables IEEE 802.1X port-based authentication on the selected wired port and configures the credentials required to authenticate the IEEE 802.1X-capable supplicant (client).

The IEEE 802.1X port-based authentication protocol restricts unauthorized LAN access by enforcing supplicant authentication at the port. When a supplicant associates with an IEEE 802.1X-enabled wired port, normal traffic across the port is suspended until the supplicant is successfully authenticated. Once the supplicant is successfully authenticated, the port status changes to authorized and normal traffic flow resumes. During the suspended state, only EAP over LAN traffic is allowed across the wired port.

The 802.1X port-based authentication process consists of the following three components:
  • supplicant - the client (wired-device) that is attempting to access the network
  • authenticating server - the server (e.g., RADIUS server) used to authenticate the client
  • authenticator - the access point or switch that proxies the client's request to the authenticating server

The authentication methods supported are username/password and EAP-TLS (trustpoint-based authentication).

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Wireless Controllers — NX5500, NX7500

Syntax

dot1x supplicant [username|trustpoint]
dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]
dot1x supplicant trustpoint <WORD>

Parameters

dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]

dot1x supplicant – Configures 802.1X supplicant settings
username <USERNAME> – Sets the username for authentication
  • <USERNAME> – Specify the supplicant's username.
password [0 <WORD>|2 <WORD>|<WORD>] – Sets the password associated with the supplicant's username. Select any one of the following options:
  • 0 <WORD> – Sets a clear text password
  • 2 <WORD> – Sets an encrypted password
  • <WORD> – Specify the password.

dot1x supplicant trustpoint <WORD>

dot1x supplicant – Configures 802.1X supplicant settings
trustpoint <WORD> – Sets the authentication mode as EAP-TLS and specifies the trustpoint to be used for authentication.

In EAP-TLS authentication, the supplicant and RADIUS server authenticate each other using certificates. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate.

  • <WORD> – Specify the trustpoint name.

Example

nx9500-6C8809(config-profile-testAP505-if-ge2)#dot1x supplicant username test password 0 test123

nx9500-6C8809(config-profile-testAP505-if-ge2)#show context
 interface ge2
  dot1x supplicant username test password 0 test123
nx9500-6C8809(config-profile-testAP505-if-ge2)#

The following configuration enables the dot1x supplicant on an AP510 profile:

nx9500-6C8809(config-profile-testAP510-if-ge2)#dot1x supplicant trustpoint test

nx9500-6C8809(config-profile-testAP510-if-ge2)#show context
 interface ge2
  dot1x supplicant trustpoint test
nx9500-6C8809(config-profile-testAP510-if-ge2)#
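
As the first example shows, a password entered with the 0 option appears in clear text in show context output. The following audit script is an added example, not part of the original reference or the vendor's tooling: it scans saved context output for dot1x supplicant lines and reports, per interface, whether the port uses EAP-TLS or a password and how that password is stored. The sample configuration, the interface names ge1 to ge4, and the function name audit are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "show context" output shown on this page.
SAMPLE_CONFIG = """\
 interface ge1
  dot1x supplicant username test password 0 test123
 interface ge2
  dot1x supplicant trustpoint test
 interface ge3
  dot1x supplicant username lab password 2 CONSTRUCTED-ENCRYPTED-VALUE
 interface ge4
  dot1x supplicant username lab password labpass
"""

IFACE_RE = re.compile(r"^\s*interface\s+(\S+)")
# Matches both documented forms: username/password and trustpoint (EAP-TLS).
SUPP_RE = re.compile(
    r"^\s*dot1x supplicant\s+(?:"
    r"username\s+(?P<user>\S+)\s+password\s+(?:(?P<type>[02])\s+)?(?P<secret>\S+)"
    r"|trustpoint\s+(?P<tp>\S+))\s*$"
)

def audit(config_text):
    """Return (interface, mode, finding) tuples; the secret itself is never echoed."""
    findings = []
    iface = None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = SUPP_RE.match(line)
        if not m:
            continue
        if m.group("tp"):
            findings.append((iface, "eap-tls", "ok"))
        elif m.group("type") == "0":
            findings.append((iface, "password", "cleartext"))
        elif m.group("type") == "2":
            findings.append((iface, "password", "encrypted"))
        else:
            # Bare <WORD> form: the page does not state how it is stored.
            findings.append((iface, "password", "unspecified-format"))
    return findings

if __name__ == "__main__":
    for iface, mode, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {mode} ({finding})")
```

Interfaces reported as cleartext are candidates for re-entering the password in encrypted form or moving to trustpoint-based EAP-TLS.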

Related Commands

no – Removes 802.1X supplicant (client) settings