How to configure 802.1X with AAA – Cisco Switch config

Below is a quick guide on 802.1x port-based authentication using a radius server for authentication.


– Firstly enable AAA


ALS1(config)#aaa new-model


– Configure the location of the Radius-server


ALS1(config)#radius-server host key abc123


– Then configure what exactly needs authentication, along with how to authenticate it. In this case dot1x, using radius as the authentication method.


ALS1(config)#aaa authentication dot1x default group radius

– To globally enable dot1x (note this just “enables” the feature as such)


ALS1(config)#dot1x system-auth-control


– Following that, is configuring the access port, or group of access ports to use 802.1x to authenticate users against radius. Note, IOS may not show dot1x sub-commands if you haven’t configured the port as an access port.


ALS1(config-if)#int fa0/6

ALS1(config-if)#switchport mode access

ALS1(config-if)#dot1x port-control ?

auto PortState will be set to AUTO

force-authorized PortState set to Authorized

force-unauthorized PortState will be set to UnAuthorized


ALS1(config-if)#dot1x port-control auto



– Enables 802.1x port-based Authentication



– Disables 802.1x on the port, and the port will auto transition to the authorized state.



– Causes the port to remain in the unauthorised state, effectively making the port useless.