**Overview** IEEE 802.1X is a security standard that enforces access control at the data link layer. It blocks all traffic on a port until the connecting device proves its identity. The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` protocol transports credentials between the client (supplicant) and the network switch (authenticator). The switch forwards these credentials to a backend authentication server, typically RADIUS, which verifies them and authorizes the connection. The VyOS router acts as the supplicant, authenticating with upstream network equipment such as ISP gateways or enterprise switches. Authentication uses X.509 certificates to validate the identities of both the router and the authentication server. The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` protocol requires the supplicant (the router) to provide an identity string to the authentication server during the initial handshake. If no identity is configured, VyOS uses the Ethernet interface's MAC address as the identity string. **Configuration** Prerequisites: Before configuring 802.1X (:abbr:`EAPOL (Extensible Authentication Protocol over LAN)`) authentication, upload the required :abbr:`CA (Certificate Authority)` certificate, client certificate, and private key to the router and import them into the PKI system. .. note:: The client certificate and private key must share the **same** PKI name. .. seealso:: For more information about managing certificates and keys, see the :ref:`PKI ` section. .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} eapol ca-certificate **Configure the trusted** :abbr:`CA (Certificate Authority)` **certificate for the interface.** The router uses this certificate to validate the authentication server’s identity. ```` is the :abbr:`CA (Certificate Authority)` certificate name as defined in the PKI system. .. note:: If you specify an intermediate :abbr:`CA (Certificate Authority)` certificate, ensure the full certificate chain, including the root and all higher-level intermediate :abbr:`CA (Certificate Authority)` certificates, is available to the system. Example: .. code-block:: none set pki ca eapol-server-intermediate-ca set pki ca eapol-server-root-ca set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol ca-certificate eapol-server-intermediate-ca .. cfgcmd:: set interfaces {{ var0 }} {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} eapol certificate **Configure the client certificate for the interface.** The router uses this certificate to prove its identity to the authentication server. ```` is the client certificate name as defined in the PKI system. During authentication, all parent :abbr:`CA (Certificate Authority)` certificates of the client certificate, such as intermediate and root :abbr:`CA (Certificate Authority)` certificates, are automatically sent as part of the EAP-TLS handshake. Example: .. code-block:: none set pki ca eapol-client-intermediate-ca set pki ca eapol-client-root-ca set pki certificate eapol-client certificate set pki certificate eapol-client private key set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol certificate eapol-client