802.1X Port-Based Authentication on Cisco Devices

In this blog post I describe the commands needed to configure dot1x authentication, as well as the home lab I built to test the basic functionality of 802.1X port-based authentication with Cisco switches and Cisco ISE.

802.1x Authentication Configuration on Cisco Switches

Here is the Cisco switch 802.1x configuration that worked for me in my home lab.

  • Line 131: activates AAA.
  • Lines 134 – 135: define the RADIUS server group.
  • Lines 164 – 166: define the RADIUS server and the secret key.
  • Line 137: enables AAA dot1x authentication using the default method list and the RADIUS server group defined above.
  • Lines 142 – 150: this is the interface connected to the 802.1x supplicant. I put a generic access list (default_acl) on it as a default ACL, in case the dACL feature does not work.
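
One way to check a saved running-config for the elements listed above, as an added example that is not the author's configuration or code. The embedded config is a constructed excerpt; the group name ISE-GROUP, the server name ISE1, the key and the second interface are placeholders, and the function names are hypothetical.

```python
import re

# Constructed excerpt limited to the elements the post lists; not a complete
# config. ISE-GROUP, ISE1 and the key are placeholders.
SAMPLE = """\
aaa new-model
aaa group server radius ISE-GROUP
 server name ISE1
aaa authentication dot1x default group ISE-GROUP
radius server ISE1
 key EXAMPLE-SHARED-SECRET
interface Ethernet0/2
 switchport mode access
 ip access-group default_acl in
 authentication port-control auto
interface Ethernet0/3
 switchport mode access
"""

def sections(config):
    """Map each top-level command to its indented sub-commands."""
    out, top = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and top:
            out[top].append(line.strip())
        elif line.strip() not in ("", "!"):
            top = line.strip()
            out[top] = []
    return out

def audit(config):
    """Return findings for the 802.1X elements the post lists."""
    cfg, found = sections(config), []
    if "aaa new-model" not in cfg:
        found.append("AAA is not activated")
    m = re.search(r"^aaa authentication dot1x default group (\S+)$", config, re.M)
    members = cfg.get(f"aaa group server radius {m.group(1)}") if m else None
    if members is None:
        found.append("dot1x default method list missing or its group is undefined")
    for name in (s.split()[-1] for s in members or [] if s.startswith("server name ")):
        if not any(k.startswith("key ") for k in cfg.get(f"radius server {name}", [])):
            found.append(f"radius server {name}: undefined or no key")
    for top, sub in cfg.items():
        if top.startswith("interface ") and "switchport mode access" in sub:
            if "authentication port-control auto" not in sub:
                found.append(f"{top}: access port without 802.1X enforcement")
            elif not any(re.fullmatch(r"ip access-group \S+ in", s) for s in sub):
                found.append(f"{top}: no default ACL applied inbound")
    return found
```

The check expects a named server group, as in the post, so a method list that uses the built-in `group radius` is reported as undefined. An access port flagged as lacking 802.1X may be intentional and should be reviewed rather than assumed wrong.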

802.1x Port-based authentication Home lab topology

[Figure: 802.1X port-based authentication home lab topology]

Home lab constructs

  • EVE-NG
  • IOS images
    • one router, the image version does not matter
    • one switch with IOS 15.x
    • vPC, comes built into EVE-NG
    • Windows 7 Lite: check this article for all details about Windows 7 Lite for Unetlab.
  • Cisco ISE
  • VMware Workstation 12 Pro

A Note about the switch IOS image

As you probably know, network engineers wish for a switch emulation tool that can emulate 100% of the switching features. In this home lab I tested with both of these IOS images:

  • Cisco IOL i86bi-linux-l2-adventerprisek9-15.6
  • Cisco vIOSl2-15.2

The vIOSl2 image comes with more commands. But during the 802.1x port-based authentication rumblings, I spent almost 3 whole days (and nights) trying to figure out what was not working. Long story short, I still did not manage to “manifest” the dACL feature. And I suggest you go with the IOL version.

Home lab router configuration

  • a DHCP server is configured on the router to serve the subnet, using a DHCP pool. Don’t forget the IP DHCP excluded addresses, including the switch SVI.
  • multiple subinterfaces serve as gateways for the subnets. Although I could have used a layer 3 switch with SVIs, I wanted to experiment with a router too.
  • the router is linked to the switch via a trunk.
  • the router acts as the gateway for ISE, and it connects to ISE through the Vmnet2 cloud. Vmnet2 maps to Pcnet 2 in EVE-NG.

Home lab switch configuration

  • VLANs 1 and 13-15 are configured. VLAN 1 is the native VLAN. SVI 1 is used as the source interface for RADIUS traffic.
  • all configured interfaces are in access mode, except the link with the router.
  • interface E0/2 is not configured with a VLAN ID. That’s necessary to demonstrate the power of ISE policies and dynamic VLAN assignment.
  • the switch is an 802.1x authenticator

Home lab ISE configuration

Home lab Windows Lite configuration

  • the Windows Lite computer is the 802.1x supplicant. Its NIC is 802.1x-enabled.
  • its IP information is set to DHCP


  1. Frederik Fibiger-Lundberg
    March 5, 2018

    Hey Keyboard Banger,

    Nice article – I hope you don't mind if I ask a question or two :)

    Currently working on a dot1x/ISE lab in GNS3 and currently having problems with using vios_l2-ADVENTERPRISEK9-M.

    In your lab you had trouble with the same image I am using, but as I understand it – only with the dACL part, is that correct?


  2. ganesh
    July 17, 2018


    Thanks for sharing. But I have tried both versions, Cisco IOL i86bi-linux-l2-adventerprisek9-15.6 and
    Cisco vIOSl2-15.2, in EVE-NG, but dot1x is not working on the switch. Also, Cisco IOL i86bi-linux-l2-adventerprisek9-15.6.09s.bin seems to be buggy. Can you please let me know the exact version you used for your home lab?

