Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Supplicant

Training Camp • Cybersecurity Glossary

What is Supplicant?

In IEEE 802.1X, the client device or software requesting network access that submits credentials through an authenticator (switch/AP) to an authentication server.

Glossary > Network Security > Supplicant

Supplicant — In IEEE 802.1X, the client device or software requesting network access that submits credentials through an

Understanding Supplicant

A supplicant is the client — a device and its software — that requests access to a network in an IEEE 802.1X port-based network access control exchange. It is the entity being authenticated: it presents credentials so the network can decide whether to grant access. The supplicant is one of three roles in 802.1X, alongside the authenticator and the authentication server.

In the 802.1X model, the supplicant connects to an authenticator — a switch port or wireless access point — which initially blocks all traffic except authentication frames. The supplicant and authenticator exchange Extensible Authentication Protocol (EAP) messages encapsulated in EAPOL (EAP over LAN). The authenticator relays those EAP messages to a backend authentication server (typically RADIUS), which validates the credentials and tells the authenticator to open or keep blocking the port.

The supplicant matters because it is where network access control begins: only an authenticated, policy-compliant client should reach the internal network. Properly configured supplicants prevent rogue or unauthorized devices from plugging into a wall jack or joining Wi-Fi and gaining a foothold. Weaknesses here — a device with no supplicant, weak EAP methods like EAP-MD5, or a supplicant that skips server-certificate validation — expose the network to bypass and credential-theft attacks, which is why methods such as EAP-TLS with mutual certificate validation are preferred.

For example, a corporate laptop running the native Windows or `wpa_supplicant` 802.1X client connects to an Ethernet port. Acting as the supplicant, it sends its certificate via EAP-TLS through the switch (authenticator) to a RADIUS server. Only after the server confirms the certificate does the switch move the port from the blocked state into the production VLAN, granting the laptop network access.

Learn More About Supplicant:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →