4.3 Given a scenario, apply network security features, defense techniques, and solutions
Network Access Control (NAC)
📘CompTIA Network+ (N10-009)
What Is 802.1X?
802.1X is a port-based authentication standard.
It ensures that no device can access the network (wired or wireless) until it is authenticated.
In simple terms:
- When a device plugs into a switch port or connects to Wi-Fi,
- 802.1X checks who the user is or what the device is,
- and only then allows or blocks network access.
It protects networks from unauthorized access, especially from:
- Unknown devices
- Rogue users
- Compromised endpoints
Where 802.1X Is Used
- Enterprise wired networks (switch ports)
- Enterprise Wi-Fi networks
- VPN gateways (in some deployments)
Almost all corporate networks use 802.1X to ensure only trusted devices can connect.
Why 802.1X Is Important
802.1X helps achieve:
- Identity-based access (user/device must prove who they are)
- Stronger security than plain passwords or pre-shared keys
- Prevention of unauthorized devices joining the network
- Integration with directory services (such as Microsoft Active Directory)
- Logging and auditing of network access
In modern NAC systems, 802.1X is the foundation for secure device onboarding.
Three Key Components of 802.1X
802.1X works using three roles:
1. Supplicant (Client Device)
This is the device trying to connect to the network, such as:
- Laptop
- Workstation
- Smartphone
- Tablet
The supplicant runs software that handles authentication.
Example: Windows “Wired AutoConfig” or “Wireless AutoConfig” service.
2. Authenticator (Network Device)
This is usually a:
- Switch (for wired connections)
- Wireless Access Point (AP) (for Wi-Fi)
The authenticator:
- Controls the port
- Blocks network traffic until authentication succeeds
- Forwards authentication messages to the authentication server
It does not make authentication decisions — it only enforces them.
3. Authentication Server (RADIUS Server)
Most organizations use:
- RADIUS (Remote Authentication Dial-In User Service)
- Examples: FreeRADIUS, Cisco ISE, Microsoft NPS
The RADIUS server:
- Verifies credentials
- Approves or denies network access
- Sends the result to the authenticator
How 802.1X Authentication Works (Step-by-Step)
Below is an easy-to-understand sequence:
Step 1: Device Connects
A user connects a device:
- plugging into a switch port
- connecting to a secure Wi-Fi network
The port stays in unauthorized mode.
Step 2: Authenticator Initiates 802.1X
The switch/AP asks the device to authenticate using:
- EAP (Extensible Authentication Protocol)
Step 3: Supplicant Sends Credentials
The device sends information such as:
- Username/password
- Certificate
- Device identity
(using EAP methods like EAP-TLS, PEAP, etc.)
Step 4: RADIUS Server Verifies Credentials
The authentication server checks:
- User credentials against Active Directory
- Device certificates
- Security posture (if NAC posture checks are used)
Step 5: Authentication Result
The RADIUS server responds with:
- Accept → Device is allowed network access
- Reject → Device is blocked
- Quarantine → Limited access (optional in NAC)
Step 6: Switch/AP Opens the Port
If authentication is successful:
- The switch/AP changes the port to authorized mode
- The device gets full or limited network access depending on policies
Common EAP Methods (You Must Know for Exam)
You should understand at least the following:
1. EAP-TLS (Certificate-Based)
- Uses digital certificates
- Most secure method
- No passwords needed
2. PEAP (Protected EAP)
- Uses username & password
- Encrypted tunnel for authentication
- Widely used in enterprises
3. EAP-TTLS
- Similar to PEAP
- Supports multiple authentication types
802.1X in Wired Networks
In wired networks:
- Switch ports stay blocked until a device passes 802.1X
- Prevents unauthorized laptop plug-ins
- Prevents rogue devices joining the LAN
Ports can be configured for:
- 802.1X only
- 802.1X + MAC authentication fallback
- Guest VLAN if auth fails
802.1X in Wireless Networks (Wi-Fi)
Wi-Fi networks use 802.1X as part of:
- Enterprise WPA2-Enterprise
- WPA3-Enterprise
Benefits:
- No shared Wi-Fi password
- Individual authentication for every user/device
- Supports certificate-based security
Benefits of Using 802.1X
For the exam, memorize these:
✔ Prevents unauthorized access
✔ Strong authentication (certificates or credentials)
✔ Works for both wired & wireless networks
✔ Integrates with RADIUS + Active Directory
✔ Enables identity-based network policies
✔ Part of modern NAC solutions
Common Exam Terms Related to 802.1X
| Term | Meaning |
|---|---|
| 802.1X | Port-based network access control |
| Supplicant | Device requesting access |
| Authenticator | Switch/AP controlling access |
| Authentication Server | RADIUS server validating credentials |
| EAP | Authentication framework used in 802.1X |
| RADIUS | Protocol used for centralized authentication |
| WPA2-Enterprise / WPA3-Enterprise | Wi-Fi security modes using 802.1X |
| Certificate-based authentication | Strongest method using digital certificates |
| Guest VLAN | VLAN for unauthenticated users |
What You Need to Know for the Network+ Exam (Summary)
- 802.1X is a network access control standard.
- Uses supplicant, authenticator, authentication server.
- Relies on EAP for exchanging identity information.
- Typically authenticates via a RADIUS server.
- Used in both wired and wireless networks.
- Ensures Port-Based Access Control (PBAC).
- Prevents unauthorized devices from connecting.
- Supports methods like EAP-TLS, PEAP, EAP-TTLS.
- Often paired with WPA2/WPA3-Enterprise for Wi-Fi.
- Can assign VLANs based on authentication results.
If you understand these points clearly, you are fully prepared for the exam questions on 802.1X.
