802.1X Authenticated Wired Access Overview


Applies To: Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This document provides introductory information about Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated access for IEEE 802.3 wired Ethernet connections. Links to resources with information about technologies that are closely related to 802.1X Authenticated Wired Access, or otherwise relevant to wired access are also provided.


In addition to this topic, the following 802.1X Authenticated Wired Access documentation is available. What's New in 802.1X Authenticated Wired Access

Did you mean…

Feature description

IEEE 802.1X authentication provides an additional security barrier for your intranet that you can use to prevent guest, rogue, or unmanaged computers that cannot perform a successful authentication from connecting to your intranet.

For the same reason that administrators deploy IEEE 802.1X authentication for IEEE 802.11 wireless networks—enhanced security—network administrators want to implement the IEEE 802.1X standard to help protect their wired network connections. Just as an authenticated wireless client must submit a set of credentials to be validated before being allowed to send wireless frames to the intranet, an IEEE 802.1X wired client must also perform authentication prior to being able to send traffic over its switch port.

Important terminology and technology overviews

Following are overviews that will help you to understand the various technologies that are required to deploy 802.1X authenticated wired access.


In this document, 802.1X authenticated wired access is referred to as wired access.

IEEE 802.1X

The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated wired access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched Local Area Network (LAN) infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has also been adapted for use on 802.11 wireless LANs.

IEEE 802.1X-capable wired Ethernet switches

To deploy 802.1X wired access you must install and configure one or more 802.1X-capable Ethernet switches on your network. The switches must be compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

When 802.1X and RADIUS-compliant switches are deployed in a RADIUS infrastructure, with a RADIUS server such as an NPS server, they are called RADIUS clients.

IEEE 802.3 Ethernet

IEEE 802.3 is a collection of standards that defines the Layer-1 (physical layer) and Layer-2 (data-link layer media access control (MAC)) of wired Ethernet. 802.3 Ethernet is typically implemented on a LAN, and also in some wide area network (WAN) applications.

Network Policy Server

Network Policy Server (NPS) lets you centrally configure and manage network policies by using the following three components: RADIUS server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is required to deploy 802.1X wired access.

Server certificates

Wired access deployment requires server certificates for each NPS server that performs 802.1X authentication.

A server certificate is a digital document that is commonly used for authentication and to help secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA), and they can be issued for a user, a computer, or a service.

A CA is an entity responsible for establishing and vouching for the authenticity of public keys that belong to subjects (usually users or computers) or other CAs. Activities of a CA can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

Active Directory Certificate Services (AD CS) is a Windows Server 2012 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also called a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.


Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by enabling additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as an NPS server) must support the same EAP type for successful authentication to occur.

New and changed functionality

In Windows Server 2012, wired access includes only minimal changes to the wired access solution provided in Windows Server 2008 R2. That change is summarized as follows:


Previous operating system

New operating system

The addition of EAP-Tunneled Transport Layer Security (EAP-TTLS) to the list of network authentication methods that are included by default

Not included

Included by default

See also

Following is a table of resources related to 802.1X authenticated wired access.

Content type


Product evaluation

IEEE 802.1X Authenticated Wired Access – Cable Guy article |


Windows Server 2008 802.1X Authenticated Wired Access Design Guide |


Windows Server 2008 802.1X Authenticated Wired Access Deployment Guide | Windows Server 2008 R2 Core Network Companion Guide: Deploying Password-based 802.1X Authenticated Wireless Access


Windows Server 2008 R2 Netsh Commands for Wired Local Area Network (LAN) |


Windows Server 2008 R2  Network Diagnostics Framework (NDF) and Network Tracing |


Not applicable

Tools and settings

Content not available

Community resources

Content not available

Related technologies

Windows Server 2008 R2 802.1X Authenticated Wireless Access | Windows Server 2008 R2 Network Policy and Access Services