Wired Intelligent Edge (Campus Switching and Routing)

Port Based Access Control With Switch As The Supplicant


This provides security on links switches where dot1x is enabled.


When we want Switch to act as a supplicant, there are some necessary configuration to be made on the port. This is to make the Switch act as the supplicant and send the Access Request messages to the authentication server



When port 1 on switch “A” is first connected to a port on switch B, port 1 will initiate start packets to port 3 on switch B.

As the port sends the configured number of start packets and when there is no response, it thinks that switch B is not enabled with dot1x, and makes itself to the authenticated state. 

However,  post sending more start request packets and port 1 receives a request packet from port 3, then switch B is operating as an authenticator. The supplicant port responds to the packet. If switch B is configured for RADIUS authentication, it forwards this request to a RADIUS server. When switch B is configured for Local OneX authentication, the authenticator compares the switch “A” response to its local username

Authentication Server then responds with an access challenge that switch B forwards to switch A.

Port 1 replies with an hashed response based on its credentials or other unique credentials. Switch B then forwards this response to the authentication server.

The Authentication server then validates the response later would send an Accept or Reject message to switch A through the Authenticator. The Access Accept message enables the authenticator to a usual traffic from the supplicant port 1, likewise, the Access Reject message would block 1 to wait for the held-time period before trying again to achieve authentication through the port connected to Switch A.


Example: Syntax to configure the port as Supplicant

Switch-A(config)# aaa port-access supplicant 3
Switch-A(config)# aaa port-access supplicant 3 identity client1 secret allow


Switch-A(config)# sh run int 3

Running configuration:

interface 3
   untagged vlan 1
   aaa port-access supplicant
   aaa port-access supplicant identity "client1"

Version history
Revision #:
1 of 1
Last update:
‎04-09-2020 09:24 AM
Updated by:
Search Airheads
Showing results for 
Search instead for 
Did you mean: