802.1X

5.4 Configure and verify wireless security features

📘 CCNP ENCOR (350-401 ENCOR v1.1)


1. What is 802.1X?

802.1X is a network access control protocol used to secure wireless and wired networks.

  • It ensures that only authorized users or devices can access the network.
  • It is often called “port-based authentication” because it controls access at the network port (or wireless access point).
  • It works with RADIUS servers to check credentials.

Think of it like a security checkpoint: before a device can access the network, it has to prove its identity.


2. Key Components of 802.1X

To understand 802.1X, you need to know the three main roles involved:

  1. Supplicant (Client Device)
    • The device that wants to connect to the network (e.g., a laptop, phone, or tablet).
    • It must provide credentials (username/password, certificate, or token).
  2. Authenticator (Network Device)
    • Usually a Wireless Access Point (WAP) or switch.
    • It acts as a middleman between the client and the authentication server.
    • It blocks all network access until the supplicant is verified.
  3. Authentication Server (RADIUS Server)
    • A server that validates the user/device credentials.
    • Most commonly a RADIUS server that supports EAP methods such as PEAP, EAP-TLS, or EAP-FAST.

3. How 802.1X Works (Step by Step)

  1. Connection Attempt
    • The client (supplicant) tries to connect to the wireless network.
    • The access point (authenticator) blocks normal network access and starts authentication.
  2. Identity Request
    • The AP asks the client for identity information (like username or certificate).
  3. Credential Submission
    • The client sends its credentials to the AP (carried as EAP messages, so the AP only relays them).
  4. Forward to RADIUS
    • The AP forwards the credentials to the RADIUS server, encapsulated in RADIUS packets that are protected by the shared secret configured on both the AP and the server.
  5. Authentication
    • The RADIUS server verifies the credentials.
    • If valid, it sends an “accept” message.
    • If invalid, it sends a “reject” message.
  6. Network Access
    • Once accepted, the AP allows the client to access the network.
    • The client is now part of the secure network.

Exam Tip: Remember the three roles: Supplicant → Authenticator → Authentication Server.


4. EAP Types Used in 802.1X

802.1X uses EAP (Extensible Authentication Protocol) to handle authentication. Important EAP types to know for the exam:

EAP Type               Description
EAP-TLS                Uses digital certificates on both client and server. Most secure.
PEAP (Protected EAP)   Encapsulates EAP in a TLS tunnel; only the server needs a certificate.
EAP-FAST               Cisco method using Protected Access Credentials (PAC) instead of certificates.
EAP-TTLS               Similar to PEAP but can use older authentication methods inside the TLS tunnel.

Exam Tip: For wireless security, PEAP and EAP-TLS are the most commonly used.


5. Why 802.1X is Important in Wireless Networks

  • Prevents unauthorized access: Devices must authenticate before getting network access.
  • Supports strong authentication methods: Passwords, certificates, or tokens.
  • Integrates with enterprise RADIUS servers: Centralized user/device control.
  • Works with VLANs: Assigns users to specific VLANs based on credentials.
  • Logging and auditing: Every connection attempt is recorded for security auditing.

6. 802.1X Deployment in IT Environments

  • In corporate wireless networks, 802.1X is used to secure Wi-Fi.
  • Access points are configured to communicate with a RADIUS server.
  • Users enter their username/password or certificate to connect.
  • Network policies can dynamically allow or block access, even assign VLANs per role.

Example for IT environment: A company Wi-Fi network uses 802.1X with PEAP. Employees must log in with their corporate credentials. Guests are denied access unless explicitly allowed.


7. Basic Exam Configuration Concepts

For CCNP, you should know:

  1. Enable 802.1X on a Wireless AP

       dot1x system-auth-control
       interface Dot11Radio0
        dot1x port-control auto

  2. Configure RADIUS Server on AP/WLC

       radius server RADIUS1
        address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
        key MySecretKey

  3. Assign VLAN Based on Authentication
    • Dynamic VLAN assignment is done through RADIUS attributes.

Exam Tip: You don’t need to memorize every command, but know the general steps: enable 802.1X, configure port control on the AP, point to the RADIUS server, verify authentication.
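As an added example (not from the course page, Cisco, or any RADIUS server's own code), here is the accept/reject decision from section 3 as the authenticator actually sees it: a minimal RADIUS reply built with the shared secret from the "key MySecretKey" command, carrying the RFC 3580 tunnel attributes that a server uses for the dynamic VLAN assignment mentioned in step 3 above. The AP checks the Response Authenticator before trusting anything in the reply, which is why the shared secret matters: anyone who knows it can forge an Access-Accept, and a weak or reused key undermines the whole exchange. Packet layout follows RFC 2865/2868/3580; the Message-Authenticator attribute that real EAP exchanges also carry (RFC 3579) is omitted for brevity, and the identifier values, the example key and VLAN 20 are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) and the tunnel attributes (RFC 2868) that
# RFC 3580 reuses to tell an 802.1X authenticator which VLAN to assign.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value meaning "IEEE 802"
HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(atype, value):
    """Encode one attribute as Type, Length (counting these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag, value):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag then a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    Only a party holding the shared secret can produce or check this value."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, secret, vlan_id=None):
    """Server side: an Access-Accept (optionally carrying a VLAN) or an Access-Reject."""
    attrs = b""
    if code == ACCESS_ACCEPT and vlan_id is not None:
        attrs = (attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
                 + attr(TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_802))
                 + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan_id).encode()))
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def parse_attributes(payload):
    """Walk the attribute list; every Length must be >= 2 and stay inside the packet."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def authenticator_verify(reply, request_auth, secret):
    """Authenticator (AP/switch) side: trust the reply only if its Response
    Authenticator matches, then pull out a VLAN assignment if one is present.
    Returns (accepted, vlan_id_or_None); raises ValueError on a bad packet."""
    if len(reply) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("Length field does not match packet size")
    recv_auth, attrs = reply[4:HEADER_LEN], reply[HEADER_LEN:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, recv_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return False, None
    fields = dict(parse_attributes(attrs))
    ttype, tmed = fields.get(TUNNEL_TYPE), fields.get(TUNNEL_MEDIUM_TYPE)
    gid = fields.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or tmed is None or not gid:
        return True, None        # accepted, no dynamic VLAN: the WLAN's default applies
    if (int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_802):
        return True, None        # tunnel attributes describe something other than a VLAN
    if gid[0] < 0x20:            # RFC 2868 tag byte (0x01-0x1F; 0x00 is treated as a tag too)
        gid = gid[1:]
    return True, int(gid.decode("ascii"))


def demo(secret=b"MySecretKey", vlan_id=20):
    """Accept with VLAN, reject, and an accept checked against the wrong secret."""
    request_auth = os.urandom(16)    # the Request Authenticator is random per Access-Request
    accept = build_reply(ACCESS_ACCEPT, 7, request_auth, secret, vlan_id)
    reject = build_reply(ACCESS_REJECT, 8, request_auth, secret)
    accepted, vlan = authenticator_verify(accept, request_auth, secret)
    rejected, _ = authenticator_verify(reject, request_auth, secret)
    try:
        authenticator_verify(accept, request_auth, b"WrongKey")
        forged_caught = False
    except ValueError:
        forged_caught = True
    return accepted, vlan, rejected, forged_caught   # (True, 20, False, True)
```

On a Cisco WLC the VLAN named in Tunnel-Private-Group-ID only takes effect when the WLAN permits AAA override; otherwise the client lands on the WLAN's default interface regardless of what the server returns.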


8. Verification Commands

  • On Cisco WLC:
      show dot1x all
      show aaa servers
  • On Cisco AP:
      show dot1x interface
      show dot1x stats
  • On RADIUS Server: Check logs for authentication success/failure.
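Checking the RADIUS server logs is the verification step that scales beyond one client, and the same logs feed the auditing mentioned in section 5. As an added example (not from the course page or any vendor), the script below parses a few constructed accept/reject log lines, counts outcomes per user, and flags a client MAC that collects several rejects in a short window, which is the pattern a defender looks for when a supplicant is misconfigured or someone is guessing credentials. The line format, timestamps, user names and MAC addresses are all made up; real servers (FreeRADIUS, Cisco ISE, NPS) each have their own layout, so the regular expression is the part you would adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the layout is an assumption, not a real server's format.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z Access-Accept user=alice nas=ap-01 calling-station-id=aa:bb:cc:dd:ee:01
2024-05-01T08:00:05Z Access-Reject user=bob nas=ap-01 calling-station-id=aa:bb:cc:dd:ee:02
2024-05-01T08:00:09Z Access-Reject user=bob nas=ap-01 calling-station-id=aa:bb:cc:dd:ee:02
2024-05-01T08:00:12Z Access-Reject user=bob nas=ap-02 calling-station-id=aa:bb:cc:dd:ee:02
2024-05-01T08:00:14Z Access-Reject user=carol nas=ap-02 calling-station-id=aa:bb:cc:dd:ee:03
2024-05-01T08:00:40Z Access-Accept user=carol nas=ap-02 calling-station-id=aa:bb:cc:dd:ee:03
2024-05-01T09:30:00Z Access-Reject user=bob nas=ap-01 calling-station-id=aa:bb:cc:dd:ee:02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Access-Accept|Access-Reject) user=(?P<user>\S+) "
    r"nas=(?P<nas>\S+) calling-station-id=(?P<mac>\S+)$")


def parse_log(text):
    """Turn matching lines into (timestamp, result, user, nas, mac) tuples; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["nas"], m["mac"]))
    return events


def summarize(events):
    """Accept/reject counts per user, the quick 'did it work' check after a change."""
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    for _, result, user, _, _ in events:
        counts[user]["accept" if result == "Access-Accept" else "reject"] += 1
    return dict(counts)


def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Flag each client MAC with `threshold` or more rejects inside any `window`.
    Uses a sliding window over the sorted reject timestamps per MAC and records
    the time at which the threshold was first crossed."""
    by_mac = defaultdict(list)
    for ts, result, _, _, mac in events:
        if result == "Access-Reject":
            by_mac[mac].append(ts)
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[mac] = times[end]
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print(repeated_failures(evs))
```

A single reject is normal (a mistyped password, a PAC that needs provisioning); the window-based count is what separates noise from a client that deserves a look, and a MAC that keeps failing across several APs, as the sample shows for one client, is worth correlating with the AP-side show dot1x output.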

9. Key Exam Points to Remember

  • 802.1X is port-based network access control.
  • Three roles: Supplicant, Authenticator, Authentication Server.
  • Uses EAP types (EAP-TLS, PEAP, EAP-FAST).
  • RADIUS server verifies credentials.
  • Allows VLAN assignment and logging per user.
  • Commands focus on enabling dot1x, configuring RADIUS, and verifying authentication.

Summary for Students:

802.1X is the foundation of enterprise wireless security. Think “no authentication, no access”. The AP blocks the device until a RADIUS server confirms the credentials. It’s flexible, secure, and integrates with VLANs and policies. For exams, focus on roles, EAP types, how it works step-by-step, and basic commands for enabling and verifying 802.1X.

