3.2 Secure enterprise infrastructure
📘CompTIA Security+ (SY0-701)
Port Security in Enterprise Networks
Port security is a method to control access to network devices through physical ports on switches or access points. Its main goal is to prevent unauthorized devices from connecting to your network.
When you implement port security, you make sure that only trusted devices (like employee laptops or company phones) can access your network, and any unknown device is blocked.
There are a few standards and protocols used for this, but two key ones are:
- 802.1X
- EAP (Extensible Authentication Protocol)
1. 802.1X Standard
What it is:
- 802.1X is a network access control protocol.
- It is used on wired and wireless networks to ensure that only authenticated users/devices can connect.
- Think of it as a gatekeeper: the network port will not allow traffic until the device proves it’s allowed.
How it works:
802.1X uses three main components:
- Supplicant (client device):
  - This is the device trying to connect (e.g., laptop, phone).
  - It “asks” the network for access.
- Authenticator (switch or wireless access point):
  - This is the network device that controls the port.
  - It acts like a door. It won’t let the supplicant access the network until it is verified.
- Authentication Server (RADIUS server):
  - This server checks the credentials of the supplicant (like a username/password or certificate).
  - If the credentials are valid, it tells the authenticator to allow access.
Example flow in a network:
1. An employee connects a laptop to a company switch port.
2. The switch (authenticator) blocks normal network access and asks the laptop (supplicant) to authenticate.
3. The laptop sends credentials to the switch.
4. The switch forwards the credentials to the RADIUS server.
5. The RADIUS server checks the credentials.
   - If valid → the switch opens the port.
   - If invalid → the switch keeps network access blocked.
✅ Exam tip: Know the roles of supplicant, authenticator, and authentication server.
2. EAP (Extensible Authentication Protocol)
What it is:
- EAP is a framework used inside 802.1X for authentication.
- It allows different methods of verifying the user/device.
Key idea: EAP itself doesn’t authenticate—it defines how authentication is done.
Common EAP types used in enterprise networks:
| EAP Type | Description |
|---|---|
| EAP-TLS | Uses digital certificates on client and server for strong authentication. |
| EAP-PEAP | Encapsulates credentials inside a secure TLS tunnel, often using username/password. |
| EAP-TTLS | Similar to PEAP but allows older authentication methods inside the secure tunnel. |
| EAP-MD5 | Simple password-based method (less secure, rarely used today). |
How it works with 802.1X:
- The supplicant starts the EAP exchange with the authenticator.
- The authenticator forwards the EAP messages to the RADIUS server (it relays them; it does not check the credentials itself).
- The server validates the credentials and responds with accept or reject, and the authenticator opens or keeps blocking the port accordingly.
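To make the three roles and the EAP relay concrete, here is an added Python model of the 802.1X exchange (it is not code from these notes or from any switch or RADIUS vendor). It covers both the example flow in section 1 and the EAP steps above. The EAP and RADIUS code values are the real ones from RFC 3748 and RFC 2865; the device identities, credentials and the allowed-method policy are constructed for illustration, and real EAPOL/RADIUS packets are replaced by small Python messages.

```python
# Added example (not from the Security+ notes): a toy model of the 802.1X /
# EAP / RADIUS exchange. Identities, credentials and the method policy are
# constructed; real EAPOL and RADIUS packets are replaced by Python objects.
import hmac
from dataclasses import dataclass
from enum import Enum


class EapCode(Enum):
    """EAP packet codes (RFC 3748)."""
    REQUEST = 1
    RESPONSE = 2
    SUCCESS = 3
    FAILURE = 4


class RadiusCode(Enum):
    """RADIUS packet codes (RFC 2865)."""
    ACCESS_REQUEST = 1
    ACCESS_ACCEPT = 2
    ACCESS_REJECT = 3


@dataclass
class EapMessage:
    code: EapCode
    identity: str = ""   # EAP-Response/Identity payload
    method: str = ""     # EAP method the supplicant proposes, e.g. "EAP-TLS"
    proof: str = ""      # stand-in for the method's credential (cert or password)


# Constructed directory: identity -> (required EAP method, expected proof).
CREDENTIALS = {
    "alice-laptop": ("EAP-TLS", "cert-thumbprint-A1B2"),
    "bob-phone": ("EAP-PEAP", "password-example"),
}
# Constructed policy: weak methods such as EAP-MD5 are refused outright.
ALLOWED_METHODS = {"EAP-TLS", "EAP-PEAP"}


class AuthenticationServer:
    """RADIUS-style server: the only role that sees and checks credentials."""

    def __init__(self, credentials, allowed_methods):
        self.credentials = credentials
        self.allowed_methods = allowed_methods

    def access_request(self, eap):
        if eap.method not in self.allowed_methods:
            return RadiusCode.ACCESS_REJECT, EapMessage(EapCode.FAILURE)
        entry = self.credentials.get(eap.identity)
        if entry is None:
            return RadiusCode.ACCESS_REJECT, EapMessage(EapCode.FAILURE)
        method, expected = entry
        # Constant-time comparison of the proof, as a real server would do.
        if method != eap.method or not hmac.compare_digest(expected, eap.proof):
            return RadiusCode.ACCESS_REJECT, EapMessage(EapCode.FAILURE)
        return RadiusCode.ACCESS_ACCEPT, EapMessage(EapCode.SUCCESS)


class Authenticator:
    """Switch port: starts unauthorized, relays EAP, never checks credentials."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.log = []

    def eapol_start(self):
        # Link is up but the port passes only EAPOL; answer with EAP-Request/Identity.
        self.log.append("port unauthorized: EAPOL only")
        return EapMessage(EapCode.REQUEST)

    def eap_response(self, eap):
        self.log.append(f"relay identity={eap.identity} method={eap.method} to RADIUS")
        radius_code, verdict = self.server.access_request(eap)
        self.port_authorized = radius_code is RadiusCode.ACCESS_ACCEPT
        self.log.append(f"RADIUS {radius_code.name}: port "
                        + ("authorized" if self.port_authorized else "blocked"))
        return verdict


class Supplicant:
    """Client device asking the port for access."""

    def __init__(self, identity, method, proof):
        self.identity, self.method, self.proof = identity, method, proof

    def connect(self, authenticator):
        request = authenticator.eapol_start()
        if request.code is not EapCode.REQUEST:
            raise RuntimeError("expected EAP-Request/Identity")
        return authenticator.eap_response(
            EapMessage(EapCode.RESPONSE, self.identity, self.method, self.proof))


def run_scenario(identity, method, proof):
    """Return (final EAP code, whether the switch port ended up authorized)."""
    switch = Authenticator(AuthenticationServer(CREDENTIALS, ALLOWED_METHODS))
    verdict = Supplicant(identity, method, proof).connect(switch)
    return verdict.code, switch.port_authorized


if __name__ == "__main__":
    for args in [("alice-laptop", "EAP-TLS", "cert-thumbprint-A1B2"),
                 ("alice-laptop", "EAP-TLS", "wrong-cert"),
                 ("bob-phone", "EAP-MD5", "password-example"),
                 ("visitor-device", "EAP-PEAP", "guess")]:
        print(args, "->", run_scenario(*args))
```

Running the four scenarios shows the point the notes make: the port is unauthorized until the RADIUS server says Access-Accept, the switch only relays, and a method the server's policy does not allow (EAP-MD5 here) fails even with a correct password.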
✅ Exam tip: Remember EAP is the authentication framework that carries the chosen method (TLS, PEAP, TTLS); 802.1X is the port-based access control protocol that transports it and opens or blocks the port.
Why Port Security with 802.1X & EAP Matters
- Prevents unauthorized access – Only trusted devices can connect.
- Secures both wired and wireless networks – You can enforce security at every switch port or Wi-Fi AP.
- Supports multiple authentication methods – Certificates, usernames/passwords, smart cards.
- Integrates with RADIUS servers – Centralized authentication makes management easier.
Quick Review for the Exam
- Port Security: Controls which devices can connect to a network port.
- 802.1X: Protocol used to enforce authentication before allowing network access.
- EAP: Authentication framework used by 802.1X; allows multiple methods (TLS, PEAP, TTLS).
- Roles in 802.1X:
  - Supplicant: Device requesting access.
  - Authenticator: Switch or AP controlling port access.
  - Authentication Server: Usually RADIUS; verifies credentials.
Tip: In multiple-choice questions, 802.1X + EAP is often the “enterprise network access control” solution, especially for wired/wireless ports.
