Configure and verify network access control mechanisms such as 802.1X, MAB, WebAuth

📘CompTIA Security+ (SY0-701)


Network Access Control (NAC) is all about controlling who or what can connect to a network. It ensures that only authorized devices and users can access network resources. For the exam, you need to understand three key mechanisms: 802.1X, MAB, and WebAuth.


1. 802.1X (Port-Based Network Access Control)

What it is:

  • 802.1X is a standard method to authenticate devices before they can use the network.
  • It is often called port-based authentication because it controls access to the network switch port or wireless AP.
  • Works for both wired and wireless networks.

Key Components:

  1. Supplicant (Device/Client) – The device trying to connect (e.g., a laptop).
  2. Authenticator (Switch or Wireless AP) – The network device that blocks or allows access.
  3. Authentication Server (RADIUS Server) – Checks the credentials (username/password, certificate, or token) and decides whether the device can access the network.

How it works:

  1. Device connects to the switch port (or Wi-Fi AP).
  2. Switch blocks all network traffic except 802.1X messages.
  3. Device sends its credentials to the switch (supplicant → authenticator).
  4. Switch forwards credentials to the RADIUS server.
  5. RADIUS server verifies the credentials.
  6. If valid, the switch allows full network access. If invalid, access is denied.

Common Exam Points:

  • 802.1X supports EAP (Extensible Authentication Protocol) types like EAP-TLS, PEAP, EAP-MSCHAPv2.
  • Can be integrated with Active Directory for username/password verification.
  • Exam may ask to identify components or authentication flow.

2. MAB (MAC Authentication Bypass)

What it is:

  • MAB is used when a device cannot do 802.1X authentication (like printers, IP phones, or cameras).
  • Instead of credentials, MAB uses the device’s MAC address to identify it.

How it works:

  1. Device connects to the network.
  2. Switch tries 802.1X authentication. If it fails (or is not supported), it falls back to MAB.
  3. Switch sends the device’s MAC address to the RADIUS server.
  4. RADIUS server checks if MAC address is authorized:
    • If yes → device is allowed network access.
    • If no → device is blocked or placed in a guest VLAN.

Key Exam Notes:

  • MAB is often used for IoT devices or legacy equipment that can’t authenticate.
  • It is less secure than 802.1X because MAC addresses can be spoofed.
  • Sometimes combined with posture assessment for better security.

3. Web Authentication (WebAuth)

What it is:

  • WebAuth is a method where users authenticate through a web page (usually for guest or temporary access).
  • Often used in guest networks or BYOD scenarios.

How it works:

  1. User connects to the network.
  2. Switch or wireless AP redirects the user’s web browser to a login page.
  3. User enters credentials (like username/password or guest code).
  4. Authentication server verifies credentials.
  5. If successful → network access is granted.

Key Exam Points:

  • Useful for temporary access without needing pre-configured credentials.
  • Often paired with VLAN assignment or ACLs to limit what guests can access.
  • Can be integrated with an AAA server or a captive portal.

4. How These Work Together in a Network

  • 802.1X → Preferred, strong authentication (devices can prove identity).
  • MAB → Backup when 802.1X is not supported.
  • WebAuth → Temporary access, often for guests or BYOD.

Typical flow on a switch port:

  1. Device tries 802.1X → if it works, full access granted.
  2. If 802.1X fails → MAB checks MAC address → access granted/limited.
  3. If MAC not allowed → WebAuth can give temporary/guest access.

5. Configuring and Verifying NAC on Cisco Devices

a) Basic 802.1X Configuration (Exam Focus)

! Global prerequisites (not part of the original snippet): AAA and 802.1X must be enabled globally before the port commands take effect
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

  • aaa new-model / aaa authentication dot1x default group radius → Tells the switch to use RADIUS for 802.1X (a RADIUS server must also be defined).
  • dot1x system-auth-control → Enables 802.1X globally.
  • authentication port-control auto → Enables 802.1X on the port.
  • dot1x pae authenticator → Makes the switch act as the authenticator.

b) Enabling MAB

interface GigabitEthernet1/0/1
 mab
 authentication order dot1x mab
 authentication event fail action next-method

  • mab → Enables MAC Authentication Bypass on the port.
  • authentication order dot1x mab → The switch tries 802.1X first; if it fails or times out, it falls back to MAC address authentication (authentication event fail action next-method moves to the next method on an explicit 802.1X failure).
  • Note: the authentication fallback command takes the name of a WebAuth fallback profile, not MAB.

c) Enabling WebAuth (Guest Access)

ip http server
ip http secure-server

  • These enable the switch's built-in web server, which hosts the login page for local WebAuth.
  • Configure VLANs or ACLs for guest users.
  • Redirect unauthenticated users to the login portal (on Cisco IOS this is done with an ip admission rule inside a fallback profile applied to the port).

d) Verifying Access

  • Show commands to check status:
    • show dot1x interface <interface> → Checks 802.1X status per port.
    • show authentication sessions → Displays authentication method (802.1X, MAB, WebAuth) and result per session.
    • debug dot1x → For troubleshooting authentication (turn it off afterwards with undebug all).
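Putting sections 5a to 5d and the "typical flow" from section 4 together, here is an added end-to-end Cisco IOS port configuration (not from the original page) that tries 802.1X, then MAB, then local WebAuth fallback, followed by the commands used to verify it. The RADIUS server name and address, the shared-secret placeholder, the VLAN number, and the ACL and profile names are assumptions.

```cisco
! --- Global prerequisites ---
aaa new-model
aaa authentication dot1x default group radius
! local WebAuth uses the default login list; "local" keeps console/VTY usable if RADIUS is unreachable
aaa authentication login default group radius local
aaa authorization network default group radius
! RADIUS server name, address (documentation range) and key are placeholders (assumed)
radius server NAC-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
! Turn on 802.1X globally; without this the per-port dot1x commands do nothing
dot1x system-auth-control
! --- Local WebAuth: the switch's own web server hosts the login page ---
ip http server
ip http secure-server
ip admission name WEBAUTH-RULE proxy http
! Pre-auth ACL: an unauthenticated client may get an address, resolve names
! and reach the portal, and nothing else
ip access-list extended PRE-WEBAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 deny ip any any
fallback profile WEBAUTH-GUEST
 ip access-group PRE-WEBAUTH in
 ip admission WEBAUTH-RULE
! --- Access port: 802.1X first, then MAB, then WebAuth ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode single-host
 authentication order dot1x mab webauth
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication fallback WEBAUTH-GUEST
 mab
 dot1x pae authenticator
 ! short EAP request interval so devices without a supplicant fall to MAB quickly
 dot1x timeout tx-period 10
! --- Verification (run from privileged EXEC) ---
! show authentication sessions interface GigabitEthernet1/0/1
!   -> Method (dot1x / mab / webauth), Status (Authz Success / Authz Failed), assigned VLAN
! show dot1x interface GigabitEthernet1/0/1
!   -> PAE = AUTHENTICATOR, PortControl = AUTO
! show mab interface GigabitEthernet1/0/1
! debug dot1x events   (only while troubleshooting; stop with "undebug all")
```

A printer with no supplicant should show up in show authentication sessions with Method mab; a laptop with a valid certificate or AD credentials should show dot1x; a guest that fails both lands on the PRE-WEBAUTH ACL until it logs in through the portal.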

6. Exam Tips

  • Know the differences between 802.1X, MAB, and WebAuth.
  • Remember order of authentication: 802.1X → MAB → WebAuth.
  • Understand components of 802.1X: supplicant, authenticator, RADIUS server.
  • Know verification commands on Cisco switches.
  • Remember the security level:
    • 802.1X = strongest
    • MAB = medium (MAC-based)
    • WebAuth = weakest (temporary or guest)

Summary Table for Quick Recall:

  NAC Mechanism | Devices Supported      | Security Level | How Access is Verified
  802.1X        | PCs, Laptops, Mobile   | High           | Credentials via RADIUS
  MAB           | Printers, Cameras, IoT | Medium         | MAC address via RADIUS
  WebAuth       | Guests, BYOD devices   | Low            | Web login page credentials

This is everything you need to pass the 6.2 section of the exam, with simple explanations, clear examples, and Cisco configuration references.
