Version 4.1 - 2.0 IEEE 802.1x
802.1x is basically EAPoL (EAP over LAN), a way to implement port-based network access control. It was originally invented for wired networks, but didn't get widely deployed there due to its complexity and configuration demands. On a wired LAN, everybody wants to "just plug in" and have it work (like an electrical outlet). Network admins don't want to have to know what's plugged into every port on every switch when there are thousands of switches in the enterprise. Implement this and you have a help desk call that has to be escalated to the network team when someone tries to move a printer and it doesn't work. Those are just a few examples of why it was not feasible on a wired network, so it didn't really catch on much. However, once it was adapted to wireless and BYOD started to catch on, so did 802.1x.
In order to properly talk about 802.1x, I made a diagram:
The laptop (or printer or any other device needing network access) is the Supplicant. To be precise, the supplicant is actually a piece of software that understands 802.1x. It uses EAPoL to connect with the Authenticator to request access. The Authenticator uses RADIUS to authenticate the user with the Authentication Server. Most of this will be covered in more detail later (notice the ISE components). This connectivity can be either wired or wireless.
For devices with the Supplicant software, this is fine. For devices that don't have a supplicant (such as some printers), nothing will happen and the device will not connect to the network. For those ports, you need to configure MAB (MAC Authentication Bypass). This will use the MAC address of the device to authenticate (and gain access). Ports can be configured to use both and you can specify which takes priority.
A good guide to 802.1x can be found in the Cisco Docs. Remember that you normally have one device/MAC on a port. But you can configure the port to use multiple hosts, multidomain (voice and data domains) or multiauthentication modes.
I'm going to leave the topics of dot1x, MAB and web authentication (compare and contrast) for later. I'm trying to keep this part simple, yet remind myself of a few things:
"When you enable port security and 802.1X on a port, 802.1X authenticates the port, and port security manages the number of MAC addresses allowed on that port, including that of the client."
PAE stands for port access entity. Here is Cisco's Wired 802.1x Deployment Guide.
If you look at the config below and understand it, you're probably good for this topic.
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet2/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Note that when this is wireless, there really is no "port" to configure, so you configure this on the WLC. This specific configuration will come up again later in the blueprint. If you find yourself having trouble with the 802.1x material, I highly recommend any SIMOS training and the "AAA Identity Management Security" book. If you are fortunate enough to have an INE AAP, watch the SIMOS videos. If not, take a look at a Cisco Press SIMOS Study Guide. If you have recently taken that exam, this stuff should still be fresh in your mind and you should not have a problem with 802.1x.
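To check that the switch configuration above is actually in place on every access port, here is an added example (not from the original post or from Cisco's documentation) that audits a running-config for the three global commands and the two per-interface commands the example uses. The sample config and the `audit` helper are constructed for illustration.

```python
# Constructed running-config (not from the page); Fa2/2 and Fa2/3 are misconfigured.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet2/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
interface FastEthernet2/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control force-authorized
!
interface FastEthernet2/3
 switchport mode access
!
interface GigabitEthernet1/1
 switchport mode trunk
"""
GLOBAL_REQUIRED = ("aaa new-model", "aaa authentication dot1x", "dot1x system-auth-control")

def audit(config):
    """Return findings for missing 802.1X pieces (hypothetical helper)."""
    global_lines, ports, stanza = [], {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw.startswith("interface "):
            stanza = ports.setdefault(raw.split()[1], [])
        elif raw[0].isspace() and stanza is not None:
            stanza.append(raw.strip())
        else:  # unindented line: back at global configuration level
            stanza = None
            global_lines.append(raw.strip())
    findings = [f"global: missing '{req}'" for req in GLOBAL_REQUIRED
                if not any(g.startswith(req) for g in global_lines)]
    for name, lines in ports.items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        if "dot1x pae authenticator" not in lines:
            findings.append(f"{name}: missing 'dot1x pae authenticator'")
        mode = next((l.split()[-1] for l in reversed(lines)
                     if l.startswith("dot1x port-control ")), "unset")
        if mode != "auto":
            findings.append(f"{name}: dot1x port-control is {mode}, not auto")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` flags Fa2/2 (force-authorized lets any device through without authentication) and Fa2/3 (no 802.1X configuration at all), while Fa2/1 and the trunk port produce no findings.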