show dot1x interface



Display the current operational state of all ports with the list of connected users.

This command displays the list of connected supplicants received from the RADIUS authentication server regardless of the session state—that is, for both authenticated supplicants and for supplicants that attempted authentication.



Display information for all authenticator ports.

brief | detail | extensive

(Optional) Display the specified level of output.

interface interface-name

(Optional) Display information for the specified interface with a list of connected supplicants.

Required Privilege Level


Output Fields

Table 1 lists the output fields for the show dot1x interface command. Output fields are listed in the approximate order in which they appear.

Table 1: show dot1x interface Output Fields

Field Name

Field Description

Level of Output


Name of a port.


MAC address

The MAC address of the connected supplicant on the port.



The 802.1X authentication role of the interface. When 802.1X is enabled on an interface, the role is Authenticator. As Authenticator, the interface blocks LAN access until a supplicant is authenticated through 802.1X or MAC RADIUS authentication.

brief, detail


The state of the port:

  • Authenticated—The supplicant has been authenticated through the RADIUS server or has been permitted access through server fail fallback.

  • Authenticating—The supplicant is authenticating through the RADIUS server.

  • Held—An action has been triggered through server fail fallback during a RADIUS server timeout. A supplicant is denied access, permitted access through a specified VLAN, or maintains the authenticated state granted to it before the RADIUS server timeout occurred.

brief, extensive


The username of the connected supplicant.

brief, extensive

Administrative state

The administrative state of the port:

  • auto—Traffic is allowed through the port based on the authentication result (by default).

  • force-authorize—All traffic flows through the port irrespective of the authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.

  • force-unauthorize—All traffic drops on the port irrespective of the authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.



The mode for the supplicant:

  • single—Only the first supplicant is authenticated. All other supplicants that connect later to the port are allowed full access without any further authentication. They effectively piggyback on the first supplicant’s authentication.

  • single-secure—Only one supplicant is allowed to connect to the port. No other supplicant is allowed to connect until the first supplicant logs out.

  • multiple—Multiple supplicants are allowed to connect to the port. Each supplicant is authenticated individually.


Quiet period

The number of seconds the port waits before reattempting authentication after a failed authentication exchange with the supplicant.


Transmit period

The number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant.


MAC Radius

MAC RADIUS authentication:

  • enabled—The device sends an EAPOL request to the connecting host to attempt 802.1X authentication and if the connecting host is unresponsive, the device tries to authenticate the host by using the MAC address.

  • disabled—The default. The device does not attempt to authenticate the MAC address of the connecting host.


MAC Radius authentication protocol

MAC RADIUS authentication protocol:

  • EAP-MD5—The EAP-MD5 protocol is used for MAC RADIUS authentication. EAP-MD5 is an authentication method belonging to the Extensible Authentication Protocol (EAP) authentication framework. EAP-MD5 is the default authentication protocol.

  • PAP—The Password Authentication Protocol (PAP) is used for MAC RADIUS authentication.


MAC Radius restrict

The authentication method is restricted to MAC RADIUS. 802.1X authentication is not enabled.



The reauthentication state:

  • disable—Periodic reauthentication of the client is disabled.

  • interval—Sets the periodic reauthentication time interval.


Supplicant timeout

The number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request.


Server timeout

The number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out.


Maximum EAPOL requests

The maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out.


Number of clients bypassed because of authentication

The number of non-802.1X clients granted access to the LAN by means of static MAC bypass. The following fields are displayed:

  • Client—MAC address of the client.

  • vlan—The name of the VLAN to which the client is connected.


Guest VLAN member

The VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. If a guest VLAN is not configured on the interface, this field displays <not configured>.


Number of connected supplicants

The number of supplicants connected to a port.



The username and MAC address of the connected supplicant.


Authentication method

The authentication method used for a supplicant:

  • CWA Authentication—A supplicant is authenticated by the central Web authentication (CWA) server.

  • Guest VLAN—A supplicant is connected to the LAN through the guest VLAN.

  • MAC RADIUS—A nonresponsive host is authenticated based on its MAC address. The MAC address is configured as permitted on the RADIUS server. The RADIUS server lets the device know that the MAC address is a permitted address, and the device opens LAN access to the nonresponsive host on the interface to which it is connected.

  • RADIUS—A supplicant is configured on the RADIUS server, the RADIUS server communicates this to the device, and the device opens LAN access on the interface to which the supplicant is connected.

  • Server-fail—One of the following fallback actions is in effect because the RADIUS server is unreachable. Indicates whether EAPOL block is in effect, and the amount of time remaining for EAPOL block (in seconds).

    • deny—The supplicant is denied access to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default server fail fallback action.

    • permit—The supplicant is permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server.

    • use-cache—In the event that the RADIUS server times out when the supplicant is attempting reauthentication, the supplicant is reauthenticated only if it was previously authenticated; otherwise, the supplicant is denied LAN access.

    • VLAN—The supplicant is configured to be moved to a specified VLAN if the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the device.)

detail, extensive

Authenticated VLAN

The VLAN to which the supplicant is connected.

detail, extensive

Dynamic filter

User policy filter sent by the RADIUS server.


Group Based Policy (GBP) ID

The configured GBP tag received by the Juniper-Switching-Filter VSA or the Juniper-Group-Based-Policy-Id VSA.


Session Reauth interval

The configured reauthentication interval.


Reauthentication due in

The number of seconds in which reauthentication occurs again for the connected supplicant.


Session Accounting Interim Interval

The number of seconds between interim RADIUS accounting messages.


Accounting Update due in

The number of seconds until the next interim RADIUS accounting update is due.


CWA Redirect URL

The URL used to redirect the supplicant to a central Web server for authentication.
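
The field descriptions above can be turned into a port audit. The following is an added example, not Juniper code and not output from a device: it parses a constructed sample and flags the values the table describes as bypassing or weakening per-supplicant authentication. The "Label: value" layout and the labels "Supplicant mode", "Reauthentication" and "Supplicant" are assumptions; adjust them to match your device's output.

```python
# Constructed sample, not captured from a device. The "Label: value" layout and
# the labels "Supplicant mode", "Reauthentication" and "Supplicant" are assumed.
SAMPLE = """\
ge-0/0/1.0
  Administrative state: auto
  Supplicant mode: single
  Reauthentication: disable
    Supplicant: user1, 00:00:5e:00:53:01
      Authentication method: MAC RADIUS
ge-0/0/2.0
  Administrative state: force-authorize
"""

# Port-level values the field table describes as weakening per-supplicant checks.
PORT_RULES = {
    ("administrative state", "force-authorize"): "traffic passes irrespective of authentication",
    ("supplicant mode", "single"): "later supplicants piggyback on the first one",
    ("reauthentication", "disable"): "no periodic reauthentication",
}
# Methods where access was not decided by an 802.1X exchange with RADIUS.
FALLBACK_METHODS = {"mac radius", "guest vlan", "server-fail"}

def parse(text):
    # Returns {port: {"fields": {...}, "supplicants": [{...}, ...]}}.
    ports, port, target = {}, None, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():   # unindented line names a port
            port = ports.setdefault(line.strip(), {"fields": {}, "supplicants": []})
            target = port["fields"]
        elif port is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key.lower() == "supplicant":          # opens a per-supplicant block
                target = {"id": value}
                port["supplicants"].append(target)
            else:
                target[key.lower()] = value
    return ports

def audit(ports):
    findings = []                                    # (port, finding) tuples
    for name, port in ports.items():
        for (key, bad), why in PORT_RULES.items():
            if port["fields"].get(key, "").lower() == bad:
                findings.append((name, f"{key} = {bad}: {why}"))
        for sup in port["supplicants"]:
            if sup.get("authentication method", "").lower() in FALLBACK_METHODS:
                findings.append((name, f"{sup['id']}: access via {sup['authentication method']}"))
    return findings

if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```
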


Sample Output

show dot1x interface brief

show dot1x interface detail (with GBP configured for QFX and EX switches)

show dot1x interface extensive

Release Information

Command introduced in Junos OS Release 15.1X49-D80.

The extensive option was introduced in Junos OS Release 19.4R1 to display additional fields compared to the brief option. The additional fields are authentication method and vlan-id.