Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


IEEE 802.1x Port-Based Network Access Control Overview

MX Series routers support the IEEE 802.1x Port-Based Network Access Control (dot1x) protocol on Ethernet interfaces for validation of client and user credentials to prevent unauthorized access to a specified router port. Before authentication is complete, only 802.1x control packets are allowed and forwarded to the router control plane for processing. All other packets are dropped.

Authentication methods used must be 802.1x compliant. Authentication using RADIUS and Microsoft Active Directory servers is supported. The following user/client authentication methods are allowed:

  • EAP-MD5 (RFC 3748)

  • EAP-TTLS requires a server certificate (RFC 2716)

  • EAP-TLS requires a client and server certificate

  • PEAP requires only a server certificate

You can use both client and server certificates in all types of authentication except EAP-MD5.


On the MX Series router, 802.1x can be enabled on bridged ports only and not on routed ports.

Dynamic changes to a user session are supported to allow the router administrator to terminate an already authenticated session by using the “RADIUS disconnect” message defined in RFC 3576.