Network Access Control (NAC) & 802.1X: A Technical Review for System Integrators

A Comprehensive Review of IEEE 802.1X and Network Access Control (NAC) Architecture

During my training as an IT Specialist for System Integration, I have had the opportunity to examine how the concept of network security has evolved over the years. The traditional security approach relied on the “Castle-and-Moat” model. In this model, the network perimeter was protected by firewalls and IPS systems, while the interior of the network was considered a “safe zone.”

However, current literature and cybersecurity reports indicate that this approach is no longer sufficient. The “Zero Trust” architecture is built on the assumption that threats can originate not only from the outside but also from within (Insider Threats). An employee’s infected laptop or an unauthorized device plugged into an Ethernet port in a meeting room by a visitor can compromise the entire network.

In this context, my research has focused on the IEEE 802.1X protocol and Network Access Control (NAC) architecture, which represent the most advanced standard for physical port security. This article examines the theoretical infrastructure, components, EAP types, and implementation methodologies of this protocol in enterprise networks.

1. Fundamentals of the IEEE 802.1X Standard

IEEE 802.1X is an IEEE standard that provides “Port-Based Network Access Control” for Local Area Networks (LAN) and Wireless Networks (WLAN).

Technically, this protocol operates at Layer 2 (Data Link Layer) of the OSI Reference Model. Its fundamental purpose is to prevent Layer 3 (Network Layer – IP) traffic from starting until the authentication process is complete, even if a device has established a physical connection (Link Up).

1.1. Controlled and Uncontrolled Port Concept

In the 802.1X architecture, a Switch port is logically divided into two:

  1. Uncontrolled Port: This channel is always open but allows only EAPOL (EAP over LAN) traffic to pass. The device submits its identity through this channel.
  2. Controlled Port: This channel is in a “Blocked” state by default. Normal data traffic (TCP/IP, DHCP, HTTP, etc.) flows through here. However, this gate remains closed until authentication is successful.

2. The Three Pillars of 802.1X Architecture

This protocol defines three distinct roles to manage the “Authentication” process. In the literature, this structure is also referred to as the AAA (Authentication, Authorization, Accounting) framework.

A. Supplicant (Client)

The end-user device (Endpoint) requesting network access.

  • Function: To package and present identity credentials (Username/Password, Digital Certificate, or MAC address) to the network.
  • Software Support:
    • Windows: “Wired AutoConfig” service.
    • Linux/Android: wpa_supplicant service.
    • macOS: Built-in 802.1X client.

B. Authenticator

Usually an Ethernet Switch or Wireless Access Point located at the network edge.

  • Function: Acts as a “Gateway” or “Proxy” between the Client and the Server. It does not verify the credentials itself; it merely forwards this information to the server and enforces the “Open Port” or “Block Port” command received from the server.

C. Authentication Server

The center of the decision-making mechanism. Ideally, this is a server using the RADIUS (Remote Authentication Dial-In User Service) protocol.

  • Function: Compares the incoming credentials against its database (Active Directory, LDAP, SQL). It also determines which VLAN the user will be assigned to or which ACL (Access Control List) rules will be applied.
  • Examples: Cisco ISE (Identity Services Engine), Microsoft NPS (Network Policy Server), FreeRADIUS, Aruba ClearPass.

3. Protocol Depth: EAP (Extensible Authentication Protocol)

A critical point I realized during my research is this: 802.1X is not an encryption protocol; it is a carrier. The element that is carried within and truly determines security is the EAP protocol.

EAP has a very flexible structure, and various types exist to meet different security requirements. The table below presents a comparative analysis of EAP types commonly used in the industry:

Table 1: Comparative Analysis of EAP Types

EAP Type | Full Name | Certificate Requirement | Security Level | Description and Use Case
EAP-MD5 | Message Digest 5 | None | Low | Performs only one-way hash authentication. The server identity is not verified. Vulnerable to Man-in-the-Middle (MitM) attacks. Not recommended for enterprise networks.
LEAP | Lightweight EAP | None | Low | An older protocol developed by Cisco. Vulnerable to Dictionary Attacks. No longer in use.
PEAP-MSCHAPv2 | Protected EAP | Server Only | Medium/High | Industry Standard. The server establishes a secure TLS tunnel using its own certificate. The username and password are sent through this tunnel. Easy to deploy as no client certificate is required.
EAP-TTLS | Tunneled TLS | Server Only | Medium/High | Similar to PEAP but allows older protocols (like PAP, CHAP) to be carried within the tunnel. Preferred for some legacy devices.
EAP-TLS | Transport Layer Security | Client + Server | Very High | Gold Standard. Provides Mutual Authentication. Both the server and the client must have a certificate. No passwords are used. Integrates with Smart Cards.
EAP-FAST | Flexible Authentication via Secure Tunneling | None (Uses PAC) | Medium | Uses digital keys called PAC (Protected Access Credential) instead of certificates. Preferred when certificate management is difficult.

4. EAPOL and RADIUS Packet Flow: Step-by-Step Analysis

Based on my theoretical examination, a packet-level analysis of the communication traffic (4-Way Handshake) that occurs from the moment a device plugs in the cable is essential to understanding how the system works.

This process occurs in four main stages:

Step 1: Initiation

  • The Switch detects the port status as “Link Up”.
  • The Switch sends an EAP-Request/Identity packet to the client.
  • Note: If the client does not have 802.1X software, it cannot reply to this packet, and the process times out.

Step 2: Identity Response

  • The Client (Supplicant) sends an EAP-Response/Identity packet containing its credentials (e.g., intern@company.local) to the Switch.
  • The Switch receives this packet, decapsulates it from the Ethernet frame, converts it into a RADIUS Access-Request packet, and sends it to the Authentication Server (AAA Server) via UDP port 1812.

Step 3: Verification Loop (Challenge/Response)

  • The Server decides on the authentication method (e.g., PEAP).
  • The Server sends an “Access-Challenge” to the client via the Switch.
  • An encrypted tunnel is established between the Client and Server according to the selected EAP type. At this stage, certificates are checked, and password hashes are compared.

Step 4: Authorization

If the information is correct, the Server sends a RADIUS Access-Accept packet to the Switch. This packet not only contains the “Accept” message but may also include critical attributes such as:

  • Tunnel-Private-Group-ID: The VLAN ID to be assigned to the client.
  • Filter-Id: The name of the ACL (Access Control List) to be applied.

Upon receiving this message, the Switch changes the port status from “Unauthorized” to “Authorized” and permits DHCP traffic.

5. Exceptional Cases: MAB (MAC Authentication Bypass)

One of the biggest challenges for a network administrator is managing “dumb” devices (IP Cameras, Printers, Card Readers, legacy PLC devices) that lack 802.1X capability.

These devices cannot respond to EAP requests. In such cases, the industrial solution is MAB.

MAB Working Principle:

  1. The Switch sends the EAP-Request packet (e.g., 3 times).
  2. The device does not respond (Timeout occurs).
  3. The Switch reads the source MAC Address of the device.
  4. The Switch sends this MAC address to the RADIUS server as both the username and password.
  5. If the MAC address exists in the database, the port is opened.

Security Warning: Research shows that MAC addresses can be easily copied (Spoofing). Therefore, MAB is not considered as secure as 802.1X and should only be used for mandatory devices in restricted VLANs.
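The security warning above can be turned into a routine check on the RADIUS server's authentication log. The following is an added example (not code from the original article): it recognises MAB sessions by the fact that the User-Name is the endpoint's own MAC (step 4 of the MAB principle), flags MAB devices that were authorized into a VLAN outside an assumed restricted set, and flags the same MAC appearing on two different switch ports within a short window, which is what a copied (spoofed) MAC address typically looks like. The log line format, the VLAN policy and all sample records are constructed for the example.

```python
import re
from datetime import datetime, timedelta

RESTRICTED_VLANS = {"99"}  # assumed policy: the only VLAN(s) a MAB-authorized device may land in

def norm_mac(s):
    """Reduce the MAC spellings seen in RADIUS fields (00-11-22-33-44-55, aabb.ccdd.eeff,
    00:11:22:33:44:55) to 12 lowercase hex digits; returns None if the value is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", s).lower()
    return digits if len(digits) == 12 else None

def parse_line(line):
    """Constructed log format: '<ISO time> <RADIUS code> key=value ...'."""
    ts, code, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"], rec["code"] = datetime.fromisoformat(ts), code
    return rec

def is_mab(rec):
    """MAB presents the MAC as User-Name (step 4 of the MAB principle), so a User-Name equal
    to the endpoint's own Calling-Station-Id marks the session as MAB rather than 802.1X."""
    user = norm_mac(rec.get("User-Name", ""))
    return user is not None and user == norm_mac(rec.get("Calling-Station-Id", ""))

def audit_mab(lines, window=timedelta(minutes=5)):
    """Return (kind, mac, detail) findings: MAB devices placed outside the restricted VLANs,
    and a MAB MAC appearing on two different switch ports within the window (spoofing indicator)."""
    findings, last_seen = [], {}
    for rec in map(parse_line, lines):
        if rec["code"] != "Access-Accept" or not is_mab(rec):
            continue
        mac = norm_mac(rec["Calling-Station-Id"])
        vlan = rec.get("Tunnel-Private-Group-ID")
        if vlan not in RESTRICTED_VLANS:
            findings.append(("unrestricted-vlan", mac, "VLAN %s" % vlan))
        port = (rec["NAS-IP-Address"], rec["NAS-Port-Id"])
        prev = last_seen.get(mac)
        if prev and prev[1] != port and rec["time"] - prev[0] <= window:
            findings.append(("duplicate-mac", mac, "%s then %s" % (prev[1], port)))
        last_seen[mac] = (rec["time"], port)
    return findings

# Constructed sample records, not real logs.
SAMPLE_LOG = [
    "2024-05-02T09:00:01 Access-Accept User-Name=intern@company.local Calling-Station-Id=08-00-27-AA-BB-CC NAS-IP-Address=10.1.1.10 NAS-Port-Id=Gi0/1 Tunnel-Private-Group-ID=20",
    "2024-05-02T09:00:05 Access-Accept User-Name=00-11-22-33-44-55 Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.1.1.10 NAS-Port-Id=Gi0/5 Tunnel-Private-Group-ID=99",
    "2024-05-02T09:00:09 Access-Accept User-Name=aabb.ccdd.eeff Calling-Station-Id=AA-BB-CC-DD-EE-FF NAS-IP-Address=10.1.1.10 NAS-Port-Id=Gi0/7 Tunnel-Private-Group-ID=20",
    "2024-05-02T09:02:30 Access-Accept User-Name=001122334455 Calling-Station-Id=00:11:22:33:44:55 NAS-IP-Address=10.1.1.11 NAS-Port-Id=Gi0/3 Tunnel-Private-Group-ID=99",
]
```

Running `audit_mab(SAMPLE_LOG)` on the constructed records reports the camera placed in VLAN 20 and the printer MAC reappearing on a second switch within the window; the 802.1X user in the first line is ignored.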

6. Dynamic VLAN Assignment: Liberation from Static Structure

In traditional network management, port configurations are static. For instance, all ports on the 1st floor are set to “Marketing VLAN,” and all ports on the 2nd floor are set to “R&D VLAN.” This makes moving personnel difficult.

The Dynamic VLAN Assignment feature that comes with 802.1X radically changes this structure. The VLAN membership of a port is determined instantaneously based on the identity of the person at the end of the cable plugged into the port.

Example Scenario:

  • User A (Engineer): Plugs cable into any port -> RADIUS server sees “Engineering Group” -> Orders Switch: “Assign this port to VLAN 20”.
  • User B (Accountant): Plugs cable into the same port -> RADIUS server sees “Finance Group” -> Orders Switch: “Assign this port to VLAN 30”.

This feature introduces the concept of “Colorless Ports”; meaning the port has no pre-defined color (VLAN), but takes on a color based on the user.

7. Theoretical Configuration Structure on Cisco IOS

One of the most important points a System Integrator candidate needs to know is how this theory is applied to devices (Switches). According to Cisco documentation, a basic 802.1X configuration consists of the following command blocks:

Enabling the AAA Service

Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius

  • aaa new-model: Disables the device’s old security model and enables the AAA model.
  • group radius: Specifies that external RADIUS servers will be used for authentication.

Defining the RADIUS Server

Switch(config)# radius-server host 10.1.1.50 auth-port 1812 key SecretKey123

Interface Configuration

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# authentication order dot1x mab
Switch(config-if)# authentication priority dot1x mab

  • authentication port-control auto: The most critical line, as it determines the default behavior of the port. The port starts in the locked (unauthorized) state and is opened only by a successful authentication result.
  • authentication order dot1x mab: Try 802.1X (secure) first; if it fails, try MAB (MAC address).

8. AAA and RADIUS Attributes

Communication between the RADIUS server and the Switch is maintained via Attribute-Value Pairs (AVP). Standard attributes frequently seen in Wireshark analyses include:

Table 2: Common RADIUS Attributes

Attribute ID | Attribute Name | Description
1 | User-Name | The username sent by the client.
4 | NAS-IP-Address | The IP address of the Switch sending the request.
31 | Calling-Station-Id | The MAC address of the client.
61 | NAS-Port-Type | Connection type (e.g., Ethernet or Wireless-802.11).
81 | Tunnel-Private-Group-ID | The VLAN number used for Dynamic VLAN assignment.
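To make the Step 4 Access-Accept and the AVPs in Table 2 concrete, the following is an added example (not code from the original article) that builds an Access-Accept the way a RADIUS server does, verifies it the way the Switch does by recomputing the Response Authenticator from the shared secret and its own Request Authenticator, and decodes the attribute list, including the Tag octet that precedes the VLAN string in Tunnel-Private-Group-ID. The shared secret is the demo key from the section 7 configuration; the Request Authenticator, identifier, username and ACL name are constructed values.

```python
import hashlib
import hmac
import struct

# Attribute IDs from Table 2 plus Filter-Id (11), which Step 4 of the flow names.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 11: "Filter-Id",
              31: "Calling-Station-Id", 61: "NAS-Port-Type", 81: "Tunnel-Private-Group-ID"}
ACCESS_ACCEPT = 2
SECRET = b"SecretKey123"  # the demo shared key from the switch configuration in section 7

def build_accept(ident, request_auth, attrs):
    """Server side: Code, Identifier, Length, then the Response Authenticator
    = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), then the AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + SECRET).digest()
    return header + resp_auth + body

def verify_accept(pkt, request_auth):
    """Switch side: recompute the Response Authenticator with the shared secret and the
    Request Authenticator it sent. A reply that does not match (forged without the secret,
    replayed against another request, or tampered) is dropped and the port stays unauthorized."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def parse_attrs(pkt):
    """Decode the AVP list (Type, Length, Value). Tunnel-Private-Group-ID carries a leading
    Tag octet (RFC 2868, values 0x00-0x1F) that is stripped before the VLAN string is read."""
    out, pos = {}, 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed AVP at offset %d" % pos)
        val = pkt[pos + 2:pos + l]
        if t == 4:
            val = "%d.%d.%d.%d" % tuple(val)          # NAS-IP-Address is 4 raw octets
        elif t == 81:
            val = (val[1:] if val and val[0] <= 0x1F else val).decode()
        else:
            val = val.decode()
        out[ATTR_NAMES.get(t, t)] = val
        pos += l
    return out

# Constructed demo values: a real Request Authenticator is 16 random bytes chosen by the switch.
REQUEST_AUTH = bytes(range(16))
DEMO_ACCEPT = build_accept(7, REQUEST_AUTH, [(1, b"intern@company.local"),
                                             (81, b"\x01" + b"20"), (11, b"ENGINEERING_ACL")])
```

`verify_accept(DEMO_ACCEPT, REQUEST_AUTH)` returns True and `parse_attrs(DEMO_ACCEPT)` yields VLAN "20" and ACL "ENGINEERING_ACL"; changing any byte of the packet or using a different Request Authenticator makes verification fail.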

9. Conclusion and Sectoral Evaluation

This theoretical review of Network Access Control (NAC) and the 802.1X standard clearly demonstrates that modern network security is not just about connecting devices, but about managing, auditing, and monitoring these connections.

Especially in environments where critical data is processed, such as industrial facilities, hospitals, and financial institutions, port security is not an option but a necessity. As an IT Specialist for System Integration (Fachinformatiker Systemintegration) trainee, grasping the working logic, packet structures, and server-client relationships of these protocols plays a major role in my ability to make sense of complex Enterprise Networks.