Wired 802.1X EAP-TLS Full Lab: Aruba CX Switch + ClearPass + Windows Client

Most engineers configure 802.1X on wireless and completely ignore their wired ports, and that is a serious security gap.

Here is the reality: anyone who walks into your office and plugs a network cable into a switch port gets full network access with zero authentication. No VLAN enforcement. Nothing. That is a breach waiting to happen.

In this guide I will show you how to fix that — a complete wired 802.1X EAP-TLS setup using Aruba ClearPass as the RADIUS server, an Aruba CX switch as the authenticator, and a Windows client as the supplicant, with dynamic VLAN assignment based on Active Directory department and live verification in ClearPass Access Tracker.


📺 Watch the full lab video here: Wired 802.1X EAP-TLS Full Lab | Aruba CX Switch + ClearPass + Windows Client


Lab Topology Overview

Before jumping into configuration, here is what we are working with:

  • Windows Client PC — acting as the 802.1X supplicant. Already enrolled with our Certificate Authority and holding a client certificate (the same CA used in our EAP-TLS wireless setup).
  • Aruba CX Switch — acting as the 802.1X authenticator. Configured to accept EAP-TLS authentication on the access port.
  • Aruba ClearPass — acting as the RADIUS authentication server. Already loaded with a server certificate and connected to Active Directory.

The key difference from wireless 802.1X is the enforcement logic. ClearPass enforces VLAN assignment based on the user’s AD department — HR users land in VLAN 125, Finance in VLAN 129, IT in VLAN 170. The switch port starts unauthorised in VLAN 1 and moves automatically to the correct VLAN after ClearPass returns a RADIUS Accept with the VLAN-ID attribute.

Prerequisites

Before starting the switch port configuration, verify these are already in place:

  • The Aruba CX switch is added as a Network Device in ClearPass (Configuration → Network → Devices)
  • The RADIUS shared secret matches between ClearPass and the switch
  • The switch can reach ClearPass — confirm with show radius-server on the switch, where ClearPass should show as reachable
  • ClearPass is already receiving RADIUS accounting from the switch (visible in Access Tracker)
  • The Windows client has a valid client certificate in the Personal certificate store
  • The root CA certificate is installed in the Trusted Root Certification Authorities store on the Windows client

If you have not set up the Aruba CX switch integration with ClearPass yet, watch the switch integration video linked at the top of the YouTube video first.

Step 1 — ClearPass Configuration

Enforcement Profiles

We need one enforcement profile per department VLAN. Navigate to Configuration → Enforcement → Profiles and click Add for each:

HR VLAN Enforcement

  • Type: RADIUS
  • Attribute: Tunnel-Private-Group-ID = 125

Finance VLAN Enforcement

  • Type: RADIUS
  • Attribute: Tunnel-Private-Group-ID = 129

IT VLAN Enforcement

  • Type: RADIUS
  • Attribute: Tunnel-Private-Group-ID = 170

Enforcement Policy

Navigate to Configuration → Enforcement → Policies and create a new policy:

  • Name: Wired RADIUS Enforcement Policy
  • Default Profile: Deny Access
  • Rules:
    • Tips:Role EQUALS HR → HR VLAN Enforcement
    • Tips:Role EQUALS Finance → Finance VLAN Enforcement
    • Tips:Role EQUALS IT → IT VLAN Enforcement

Service

Navigate to Configuration → Services and add a new service:

  • Type: Wired — 802.1X
  • Service Tab: Enable Authorization
  • Authentication Tab: Remove all methods except EAP-TLS. Add your AD authentication source and Endpoint Repository
  • Roles Tab: Your existing role mapping policy (configured in previous videos)
  • Enforcement Tab: Select the Wired RADIUS Enforcement Policy created above

Important: Unlike a wireless service, you do not need to map to an SSID. Leave the network conditions blank for a wired service.

Step 2 — Windows Client (Supplicant) Configuration

Verify the Client Certificate

Open MMC (Win+R → mmc), go to File → Add/Remove Snap-ins → Certificates → Add (User account). Verify the client certificate is present under Personal → Certificates. Without a valid client certificate, EAP-TLS cannot complete.

Enable Wired AutoConfig Service

This is the most commonly missed step. By default, Windows does not run this service, and without it the Authentication tab will not appear on your Ethernet adapter at all.

Go to services.msc → find Wired AutoConfig → set Startup type to Automatic → Start the service.

Configure the Network Adapter

Go to Control Panel → Network and Sharing Center → Change adapter settings → right-click your Ethernet adapter → Properties → Authentication tab.

  • Check Enable IEEE 802.1X authentication
  • Method: Microsoft: Smart Card or other certificate
  • Click Settings:
    • Check Verify the server’s identity by validating the certificate
    • Select your Root CA from the trusted authorities list
    • Check Do not prompt user to authorise new servers or trusted CAs
  • Click Additional Settings:
    • Ensure User or computer authentication is selected

The Windows supplicant is now ready.

Step 3 — Aruba CX Switch Port Configuration

Navigate into the access port interface (in this lab, port 1/1/1):

interface 1/1/1
    aaa authentication port-access authenticator enable
    aaa authentication port-access authenticator client-limit 1
    aaa authentication port-access authenticator reauth-period 3600
    aaa authentication port-access authenticator quiet-period 10
    aaa authentication port-access authenticator max-retries 3

What Each Command Does — and Why

client-limit 1 — Tells the switch how many devices are allowed to authenticate on a single port. Setting it to 1 means only one MAC address can complete 802.1X at a time. In a standard enterprise access port connecting one endpoint — a workstation, laptop, or printer — this is the correct setting. If you have an IP phone with a PC daisy-chained through it, you would set this to 2 to accommodate both MAC addresses.

reauth-period 3600 — Controls how often the switch forces the client to re-authenticate. 3,600 seconds means once per hour. Without this, a device authenticated legitimately stays authorised until the port goes down — meaning anyone who plugs in a different device to the same port gets the same access. The reauth period forces ClearPass to periodically revalidate the session. One hour is the industry standard; high-security environments may go to 15 or 30 minutes.

quiet-period 10 — After a failed authentication attempt, this is how many seconds the switch waits before allowing the client to try again. It prevents brute-force attacks against your RADIUS server. Without it, a misconfigured or malicious device could generate thousands of RADIUS requests per second. 10 seconds is a sensible lab default; production environments may go up to 60 seconds.

max-retries 3 — How many times the switch will retransmit an EAP request if it gets no response from the supplicant before giving up. Three is the standard — it accounts for brief network hiccups without allowing a dead device to block the port indefinitely.

Enable 802.1X Globally

aaa authentication port-access authenticator enable
write memory

Verify the port configuration with:

show run interface 1/1/1

Step 4 — Live Authentication Test

Connect the Windows client to the switch port. Run the following on the switch:

show port-access clients

You should see the authenticated username, port number, flags (NX = 802.1X, C = client mode, S = success), and the assigned VLAN.

In ClearPass Access Tracker, you will see the RADIUS request come in and the Access-Accept go out. Click into the request to verify:

  • Input: The certificate presented, the username, and the source port
  • Output (RADIUS Response): Tunnel-Private-Group-ID = 129 (or whichever VLAN the user’s department maps to)

In our lab test, three users were verified:

User            AD Department   VLAN Assigned
Finance user    Finance         129
HR user         HR              125
Alex            IT              170

All three authenticated on the same switch port (1/1/1) with the correct VLAN enforced in each case based on the AD department — without ever manually changing the switch port configuration. The port was statically set to VLAN 1 and ClearPass dynamically moved it on every successful authentication.

Troubleshooting Tips

Port stays unauthorised after connecting the client

Check that the Wired AutoConfig service is running on the Windows machine. If it is stopped or disabled, the Authentication tab disappears and no EAP frames are sent.

Certificate not trusted error in Access Tracker

The root CA certificate on the ClearPass server must match what signed the client certificate. Also verify that the Windows client has the CA that issued the ClearPass server certificate in its Trusted Root store.

RADIUS shared secret mismatch

This is the most common failure. The shared secret configured under the Network Device in ClearPass must match exactly (case-sensitive) what is configured on the switch. Check ClearPass Access Tracker for “Shared Secret Mismatch” in the error reason.

Correct VLAN not being assigned

Check the enforcement policy rules: the Tips:Role value must exactly match the role name returned by the role mapping policy. Also check the enforcement profile attribute: it must be Tunnel-Private-Group-ID (not Tunnel-Type or Tunnel-Medium-Type alone; you need all three for dynamic VLAN to work correctly on some switches).
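As an added example (not code from the post, Aruba or ClearPass), the Python below encodes the three tagged RFC 2868 tunnel attributes that the enforcement profiles in Step 1 return for a given Tips:Role, and checks a RADIUS Access-Accept attribute list for the complete, consistent triplet this tip calls for. The role-to-VLAN mapping is the lab's; attribute numbers and values are from RFC 2868; the attribute bytes are constructed in the code, not captured.

```python
# Added example, not the post's or ClearPass's own code: RFC 2868 tunnel attributes for dynamic VLAN.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # attribute numbers
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                      # values a VLAN push needs
# Lab mapping from the enforcement profiles; any other Tips:Role hits the Deny Access default.
ROLE_VLAN = {"HR": 125, "Finance": 129, "IT": 170}

def vlan_for_role(role):  # mirrors the enforcement policy; None means Deny Access
    return ROLE_VLAN.get(role)

def encode_vlan_attrs(vlan, tag=1):
    """Build the three tagged attributes as RADIUS TLVs: type, length, tag, value."""
    values = [
        (TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()),
    ]
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in values)

def parse_attrs(data):
    """Walk the TLV list into {attribute type: [raw values]}; reject a truncated list."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute list")
        t, length = data[i], data[i + 1]
        attrs.setdefault(t, []).append(data[i + 2:i + length])
        i += length
    return attrs

def _split_tag(value):
    """RFC 2868: a leading byte of 0x00-0x1F is a tag; anything else is part of the value."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)

def check_dynamic_vlan(data):
    """Return the VLAN id when the triplet is complete and consistent, else a reason string."""
    a = parse_attrs(data)
    missing = [n for t, n in ((TUNNEL_TYPE, "Tunnel-Type"), (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
               (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID")) if t not in a]
    if missing:
        return "missing " + ", ".join(missing)
    ttag, ttype = _split_tag(a[TUNNEL_TYPE][0])
    mtag, medium = _split_tag(a[TUNNEL_MEDIUM_TYPE][0])
    gtag, group = _split_tag(a[TUNNEL_PRIVATE_GROUP_ID][0])
    if (int.from_bytes(ttype, "big"), int.from_bytes(medium, "big")) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802):
        return "Tunnel-Type must be VLAN (13) and Tunnel-Medium-Type IEEE-802 (6)"
    if len({ttag, mtag, gtag}) != 1:
        return "tunnel attribute tags do not match"
    if not group.isdigit():
        return "Tunnel-Private-Group-ID is not a numeric VLAN id"
    return int(group)
```

Feed it the RADIUS Response attributes you read out of Access Tracker for a failing session: a "missing" or "tags do not match" result points at the enforcement profile, while a clean VLAN id points you back at the switch side.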

show port-access clients shows no entries

802.1X may not be enabled globally. Run aaa authentication port-access authenticator enable at the global level and confirm with show authentication port-access authenticator.

Key Takeaway

Wired 802.1X is not optional anymore. If you are running 802.1X on wireless but your wired ports are open, you have a gap. This closes it: certificate-based, department-aware, dynamically enforced, and fully verifiable in ClearPass Access Tracker.

What’s Next

The next video in this series covers ClearPass integration with Azure AD and Microsoft Intune for 802.1X — the cloud-native version of what we did today, and where most enterprises are heading. Subscribe to the channel so you do not miss it.


2 responses to “Wired 802.1X EAP-TLS Full Lab: Aruba CX Switch + ClearPass + Windows Client”

  1. You are doing a great job @Tharindu Pamoda

    1. Thanks for the lovely feedback
