Chapter 65 Β· Concepts

Port Security β€” Concept Reference

802.1X component roles, authentication flow, EAP method comparison, centralized auth systems, and deployment considerations in structured reference form.

802.1X Three-Component Model β€” Roles and Responsibilities

ComponentRoleDevice ExamplesWhat It DoesWhat It Does NOT Do
SupplicantClient requesting accessLaptop, smartphone, workstation, IoT deviceProvides credentials in response to authentication challenges; initiates connectionDoes not control port state; does not validate any credentials
AuthenticatorGatekeeper / relayNetwork switch, wireless access pointBlocks port until auth completes; relays EAP messages between supplicant and auth server; enforces the server's access decisionDoes NOT validate credentials; has no knowledge of passwords or certificates
Authentication ServerCredential validatorRADIUS server (Microsoft NPS, FreeRADIUS, Cisco ISE)Compares received credentials against identity database; returns Access-Accept or Access-Reject to authenticatorDoes not control physical port state; delegates that to the authenticator

802.1X Authentication Flow β€” Detailed Step Sequence

Supplicant              Authenticator (Switch/AP)        Authentication Server (RADIUS)
    |                              |                                |
    |--- connects to port -------->|                                |
    |  (port BLOCKED β€” EAP only)   |                                |
    |<-- EAP-Request/Identity -------|                                |
    |--- EAP-Response/Identity ----->|                                |
    |                                |--- RADIUS Access-Request -------->|
    |                                |<-- RADIUS Access-Challenge --------|
    |<-- EAP-Request (challenge) ----|                                |
    |--- EAP-Response (credentials)->|                                |
    |                                |--- RADIUS Access-Request -------->|
    |                                |<-- RADIUS Access-Accept -----------|
    |<-- EAP-Success ----------------|                                |
    |  (port OPEN β€” normal traffic)  |                                |

EAP Method Comparison

EAP MethodClient Certificate RequiredServer Certificate RequiredCredential TypeSecurity LevelDeployment Complexity
EAP-TLSYes β€” every client device needs a certYesDigital certificate (mutual)Highest β€” no password; device identity verifiedHigh β€” requires PKI, cert provisioning on every device
EAP-TTLSNo β€” server cert onlyYesPassword carried inside TLS tunnelHigh β€” password protected by outer TLSMedium β€” no client certs; needs supplicant config
PEAPNo β€” server cert onlyYesMSCHAPv2 (username/password) inside TLS tunnelHigh β€” password protected by outer TLSLow β€” natively supported by all major OS; most common
EAP-MD5NoNoMD5 hash of passwordWeak β€” no TLS protection; no mutual auth; vulnerable to offline crackingLow β€” simple but rarely used in modern deployments

Centralized Authentication System Roles in 802.1X

SystemRole in 802.1XWhat It ProvidesCommon Deployment
RADIUSAuthentication server protocol (authenticator β†’ auth server communication)Authentication, Authorization, Accounting (AAA); returns Access-Accept/Reject + VLAN assignmentsMicrosoft NPS, Cisco ISE, FreeRADIUS; integrated with AD
LDAPDirectory query protocol (RADIUS β†’ directory integration)User and device lookup; credential validation against directory; group membership for authorizationActive Directory (AD uses LDAP); OpenLDAP
TACACS+Alternative AAA protocol; more common for network device admin authPer-command authorization; separates auth/authz/accounting; full payload encryptionCisco-centric environments; network admin access control
KerberosUnderlying credential validation in AD environmentsTicket-based authentication; single sign-on integration; domain membership verificationActive Directory; all domain-joined Windows environments

Wired vs. Wireless Port Security

AttributeWired 802.1X (Switch Ports)Wireless 802.1X (Access Points)
Physical access riskRequires physical access to cable/port; attacker must be on premisesWireless signal extends beyond physical walls; any nearby device can attempt association
Without port securityAny device plugged into port gets full network access immediatelyWPA2-Personal: password shared with all users; no per-device authentication
With 802.1XPort blocked until per-device authentication succeeds; rogue devices get no accessWPA2/WPA3-Enterprise: per-user/per-device authentication; no shared secret
Common threat preventedRogue device plugged into conference room/lobby/data center portUnauthorized device associating with corporate SSID from parking lot
Device challenge (legacy)Older switches may not support 802.1X; older devices lack supplicant softwareOlder devices may support only WPA2-Personal; no 802.1X supplicant capability

Port Security Benefits vs. Deployment Challenges

Security BenefitDeployment Challenge
Unauthorized access prevention β€” only authenticated devices connectDeployment complexity β€” every switch port, AP, RADIUS server must be configured
Accountability β€” every connection generates a RADIUS accounting log entryLegacy device incompatibility β€” printers, cameras, embedded systems lack 802.1X support (require MAB)
Dynamic policy enforcement β€” VLAN assignment, ACL by user identityCentral infrastructure dependency β€” RADIUS server outage = no new authentications
Insider threat reduction β€” authorized device + valid credentials both requiredMisconfiguration risk β€” wrong config can lock out legitimate users or fail silently
Integration with existing identity β€” reuses AD credentials; no separate user databaseStaged rollout required β€” must be piloted and tested before enterprise-wide enforcement