Ready To Play Nice With 802.1X?
802.1X ensures that only authenticated users can access a network, but it can also cause headaches.
While 802.1X ensures that only authenticated users can access the network, it's not without its headaches and can be the bane of automation. In a perfect world, you'd be able to plug any device into any port and the port would respond properly. By default, however, an 802.1X port in an unauthenticated state denies all traffic. IP phones, for example, use LLDP and LLDP-MED, the link layer discovery protocols, to request their configuration information, but that LLDP traffic can't pass until the phone authenticates first, and other protocols are equally affected.
Several strategies can enable automation in an 802.1X environment. In networks where you control physical access, you can manually define which ports are 802.1X-enabled and ensure that hosts are connected to the appropriate ports. Ensuring correct physical connections is difficult, however, when you have a lot of hosts. Most switches can be configured to place a port into a default VLAN if the supplicant isn't responding to 802.1X, or to move a port to a VLAN and open it if 802.1X authentication fails. Alternatively, MAC-based authentication can be used to get an IP phone online.
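The three fallbacks just described (a VLAN for ports with no supplicant response, a VLAN for failed authentication, and MAC-based authentication for an IP phone) map onto a single access-port configuration. This is an added example in Cisco IOS syntax, not configuration from the article; the interface name, VLAN IDs and timer values are constructed and should be replaced with your own.

```cisco
! Global: point 802.1X at RADIUS and turn on the authenticator
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

interface GigabitEthernet1/0/10
 description Desk port: PC on data VLAN, IP phone on voice VLAN
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 ! Port starts unauthorized and drops all traffic until a method succeeds
 authentication port-control auto
 ! One data device and one voice device may authenticate on this port
 authentication host-mode multi-domain
 ! Try 802.1X first; fall back to MAC authentication (for the phone)
 authentication order dot1x mab
 authentication priority dot1x mab
 ! No supplicant replied: place the port in a restricted default VLAN
 authentication event no-response action authorize vlan 900
 ! Supplicant replied but credentials were rejected: auth-fail VLAN
 authentication event fail action authorize vlan 901
 ! Shorten the wait before giving up on EAP so the fallback is quick
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 mab
 spanning-tree portfast
```

Keep VLANs 900 and 901 isolated from production resources, since every device without a working supplicant ends up in one of them. Check the result with `show authentication sessions interface GigabitEthernet1/0/10` after plugging in a phone and a PC.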
If you plan to roll out network access control, 802.1X is often a good choice for enforcing control. As more companies upgrade their switching and gain experience with 802.1X, we expect to see broader adoption. However, there's no guarantee that guests will have 802.1X supplicants installed, so alternative authentication measures, such as a Web portal or a redirect that forces a user to authenticate to the switch, are useful.
Rolling Review: Switch It Up