RSystems

Networking · Security · Identity

802.1X

Also known as: IEEE 802.1X, Port-Based Network Access Control, PNAC, Network Access Control, NAC

Requires devices to authenticate before network access is granted — the port stays locked until authentication succeeds.

802.1X is a network access control standard that requires devices to authenticate before they can use a switch port or connect to a Wi-Fi network. Until a device authenticates successfully, the port is locked — no IP address, no traffic.

802.1X implements the principle of "identity before access" at the network layer. Plug in an unauthenticated device and nothing works — the switch port stays blocked regardless of what IP address the device has. Only after a successful authentication handshake does the switch grant network access.

The architecture involves three components:

Supplicant — the client device requesting access (a laptop, phone, or other endpoint with 802.1X support).

Authenticator — the switch or Wi-Fi access point enforcing access control. It doesn't authenticate the device itself; it forwards authentication requests to the RADIUS server.

Authentication server — typically a RADIUS server, which validates credentials and tells the switch whether to allow or deny access.

802.1X supports multiple authentication methods (called EAP methods): username/password, certificates, smart cards. For unattended devices like printers or cameras that can't prompt for credentials, certificate-based authentication is typical.

A powerful extension: dynamic VLAN assignment. The RADIUS server can tell the switch not just "allow this device" but "put this device in VLAN 30." This enables network segmentation based on identity — domain laptops go to the corporate VLAN, guest devices to the guest VLAN, and IoT devices to the IoT VLAN, all automatically at connection time.
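The three-party exchange described above (supplicant, authenticator, authentication server) together with the dynamic VLAN assignment, as an added example that is not part of the original entry: a small Python model of one switch port. The RADIUS server is a constructed in-memory table whose credential check stands in for a real EAP method, and the device names and VLAN numbers are made up; only the RADIUS attribute names and values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN id, from RFC 3580 and RFC 2868) are the real ones a switch reads.

```python
# Added example (not from the page): toy model of an 802.1X-controlled port.
# Constructed sample data throughout; attribute values follow RFC 3580 / RFC 2868.
from dataclasses import dataclass, field

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580: Tunnel-Medium-Type = IEEE-802

# Constructed sample directory: identity -> credential + VLAN the policy assigns.
# A real server would run an EAP method (EAP-TLS, PEAP, ...) rather than compare strings.
SAMPLE_USERS = {
    "laptop01.corp.example": {"credential": "cert-serial-1001", "vlan": 10},  # corporate
    "guest-phone":           {"credential": "guest-pass",       "vlan": 20},  # guest
    "printer-3f":            {"credential": "cert-serial-2042", "vlan": 30},  # IoT
}


@dataclass
class RadiusReply:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


class RadiusServer:
    """Authentication server: the only component that validates credentials."""
    def __init__(self, users):
        self._users = users

    def access_request(self, identity, credential):
        entry = self._users.get(identity)
        if entry is None or entry["credential"] != credential:
            return RadiusReply("Access-Reject")
        # Accept carries the VLAN decision as the three tunnel attributes.
        return RadiusReply("Access-Accept", {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(entry["vlan"]),
        })


class Supplicant:
    """Client device; answers the switch's EAP-Request/Identity."""
    def __init__(self, identity, credential):
        self.identity, self.credential = identity, credential


class SwitchPort:
    """Authenticator. Holds no credentials; relays EAP to RADIUS and enforces the verdict."""
    def __init__(self, radius, default_vlan=None):
        self.radius = radius
        self.default_vlan = default_vlan  # VLAN used when Accept carries no usable VLAN attrs
        self.authorized = False           # port starts in the unauthorized state
        self.vlan = None
        self.log = []

    def forward(self, frame_type):
        """Data plane: an unauthorized port passes EAPOL only, whatever IP the device has."""
        return frame_type == "EAPOL" or self.authorized

    def authenticate(self, supplicant):
        """Control plane: EAPOL on the wire side, RADIUS on the server side."""
        self.log.append("EAP-Request/Identity -> supplicant")
        self.log.append(f"EAP-Response/Identity <- {supplicant.identity}")
        # The switch wraps the EAP exchange in a RADIUS Access-Request and never
        # inspects the credential itself.
        reply = self.radius.access_request(supplicant.identity, supplicant.credential)
        self.log.append(f"RADIUS {reply.code}")
        if reply.code != "Access-Accept":
            self.authorized, self.vlan = False, None
            return False
        self.authorized = True
        self.vlan = self._vlan_from(reply.attributes)
        return True

    def _vlan_from(self, attrs):
        """Dynamic VLAN: honour the assignment only when all three attributes agree."""
        vid = attrs.get("Tunnel-Private-Group-ID", "")
        if (attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
                and attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE802
                and vid.isdigit() and 1 <= int(vid) <= 4094):
            return int(vid)
        return self.default_vlan


def connect(port, supplicant):
    """Plug a device in and report what the port ends up doing with its traffic."""
    ok = port.authenticate(supplicant)
    return {"authorized": ok, "vlan": port.vlan, "ip_traffic_passes": port.forward("IPv4")}


if __name__ == "__main__":
    radius = RadiusServer(SAMPLE_USERS)
    for dev in (Supplicant("laptop01.corp.example", "cert-serial-1001"),
                Supplicant("printer-3f", "cert-serial-2042"),
                Supplicant("unknown-box", "whatever")):
        port = SwitchPort(radius)
        print(dev.identity, connect(port, dev), port.log)
```

Two points the model makes concrete: before `authenticate` succeeds, `forward("IPv4")` is false no matter what address the device configured, and the switch's only contribution to the decision is relaying and then reading the Accept. The `_vlan_from` check mirrors what switches do in practice: a VLAN assignment is applied only if all three tunnel attributes are present and consistent, otherwise the port falls back to its configured default VLAN rather than guessing.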

802.1X is the right answer for any environment where you can't trust what's physically plugging into your network — which is most environments.