Basic Cisco Dot1X Setup Guide for Wired Authentication


If there is one thing we all know when it comes to network security it is that we need to know just who and what are on our networks. That’s a very broad and easy statement to make though. In the last, authentication started with wireless users. First it was static pre-shared key authentication and later enterprise grade authentication started being used. The methods have changed here and there, but Dot1X (802.1X) authentication has become the standard.

Now a lot of users are shifting to using wireless connectivity, that’s no secret, but that absolutely does not mean that wired network access can be overlooked. Arguments can be made that wired authentication can even be MORE important. That’s where the need to configure wired Dox1X authentication comes into play. Regardless of what you have in place for a radius server to handle these requests, this Cisco Dot1X Setup Guide will outline how to configure your Cisco Catalyst switch to handle new connections and reach out to your radius server for user and device authentication.

Dot1X Global Configuration

First thing that needs to be done is to enable “aaa new-model”. Without that, other commands in this guide will not be available and we will not be able to use the needed aaa method lists we’ll setup later inthisguide. This is done with one simple command:

iosvl2-0(config)#aaa new-model

From there, the next commands in this guide become available to use. This first involves adding a radius server. This is pretty straight forward and unless you’ve modified things elsewhere in your environment, you can use the standard ports as well as long as you haven’t changed them in your environment. Let’s get that new server added. In my case, it’s an ISE version 3.0 Server if the server name didn’t give it away:

iosvl2-0(config)#radius server ISE30
iosvl2-0(config-radius-server)#address ipv4 auth-port 1812 acct-port 1813
iosvl2-0(config-radius-server)#timeout 2
iosvl2-0(config-radius-server)#retransmit 1
iosvl2-0(config-radius-server)#key theroutingtable

Now the radius server has been globally added. We needs to create aaa server groups next. This allows you to configure everything using a group of servers versus just one for redundancy. In this example though, I will only be using one since it’s just a lab for me. The next commands create your aaa server group with the new radius server we just defined:

iosvl2-0(config)#aaa group server radius dot1x
iosvl2-0(config-sg-radius)# server name ISE30

Now that our radius servers are all defined, we need to setup the global authentication, authorization, and accounting commands that you might have seen before. Again, remember the earlier names you used and make sure they match in these commands. Use caution if you already have aaa methods configured on your switch as well.

iosvl2-0(config)#aaa authentication dot1x default group dot1x
iosvl2-0(config)#aaa accounting dot1x default start-stop group dot1x
iosvl2-0(config)#aaa authorization network default group dot1x

Lastly, in terms of needed global commands, there is one more command we are looking to enter. This command actually enables Dot1X globally. To do so, the command is:

iosvl2-0(config)#dot1x system-auth-control

Dot1X Port Level Configuration

Last thing to do before your switch will begin trying to authenticate users and devices with your radius server is to enable authentication on a port-level basis. You can do this on one command or use the interface range command to enable on multiple interfaces. There are two commands to accomplish this. Those would be:

iosvl2-0(config)#interface Gi0/0
iosvl2-0(config-if)#authentication port-control auto
iosvl2-0(config-if)#dot1x pae authenticator

From here, go ahead and try connecting a device to the switch you are working with. You should begin seeing requests from the switch flow to your radius server defined in the earlier steps.

There are a lot of different things to consider before enabling this globally on your switches though. How many devices do you have on each switchport? Are IP Phones used? Is CDP enabled? I say all of that because there is a lot to consider with Dot1X design in your network. I’ll cover some of these things in future posts.


  1. Command deprecated (aaa accounting dot1x default start-stop group RADIUS_group) – Use identity instead of dot1x

    %Command deprecated (authentication port-control auto) – use access-session instead

    This post is not old, but cisco command above are very old.
    Therefore this configuration will not work.
    Author did not try it. :-(

    I can not find manual for dot1x on Cisco swtiches with new commands. grrr. :-(((

    • All commands in the post were tested by me on actual hardware at the time of writing (I wrote as I was working on my own lab). What are you testing this on yourself code-wise? IOS? IOS-XE? There are a lot of reasons why these commands are showing depreciated on your specific scenario. Syntax can change across platforms, code bases, and versions.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.