802.1x (dot1x) configuration guide for cisco switches

Setting up 802.1x also knows as dot1x requires configuration of a NPS server that can receive requests from the switch upon connection of a device onto a dot1x enabled port.

The NPS server is then responsible for passing the authentication credentials onto the active directory server for authentication. The AD server then returns the request along with the correct vlan the user group belongs to upon successful authentication. Upon receiving a return from the NPS, the switch simply configures the port with the correct vlan.

Authentication groups:

Cisco access switch configuration of radius server groups:


Dot1x configuration:

802.1x authentication on cisco switches requires the following commands to be configured:


Without configuring the aaa authorization exec default group dot1x-auth if-authenticated command, the switch would authenticate fine but wouldn’t have the priviledge to configure the returned vlan from the NPS onto the port.


To investigate dot1x issues, parse the command “debug dot1x all” and you should be able to see dot1x logs collected which are then visible when you pass the show log command.
A successful dot1x authentication would be visible in the output of the show log command as per below:


Got questions? Leave a comment! Let’s chat.

Rafay Rasool is a Network Specialist with over 8 years of experience designing, configuring and implementing core network solutions based predominantly but not limited to Juniper Routers, Switches and Firewalls along with other vendors such as Cisco, Huawei, Siemens, Aerohive, Ringmaster, Pulse etc for Internet Service Provider and Enterprise Networks.

Rafay is an avid supporter of network automation and likes to code and automate networking solutions.