802.1X Three-Component Model β Roles and Responsibilities
| Component | Role | Device Examples | What It Does | What It Does NOT Do |
|---|---|---|---|---|
| Supplicant | Client requesting access | Laptop, smartphone, workstation, IoT device | Provides credentials in response to authentication challenges; initiates connection | Does not control port state; does not validate any credentials |
| Authenticator | Gatekeeper / relay | Network switch, wireless access point | Blocks port until auth completes; relays EAP messages between supplicant and auth server; enforces the server's access decision | Does NOT validate credentials; has no knowledge of passwords or certificates |
| Authentication Server | Credential validator | RADIUS server (Microsoft NPS, FreeRADIUS, Cisco ISE) | Compares received credentials against identity database; returns Access-Accept or Access-Reject to authenticator | Does not control physical port state; delegates that to the authenticator |
802.1X Authentication Flow β Detailed Step Sequence
Supplicant Authenticator (Switch/AP) Authentication Server (RADIUS)
| | |
|--- connects to port -------->| |
| (port BLOCKED β EAP only) | |
|<-- EAP-Request/Identity -------| |
|--- EAP-Response/Identity ----->| |
| |--- RADIUS Access-Request -------->|
| |<-- RADIUS Access-Challenge --------|
|<-- EAP-Request (challenge) ----| |
|--- EAP-Response (credentials)->| |
| |--- RADIUS Access-Request -------->|
| |<-- RADIUS Access-Accept -----------|
|<-- EAP-Success ----------------| |
| (port OPEN β normal traffic) | |
EAP Method Comparison
| EAP Method | Client Certificate Required | Server Certificate Required | Credential Type | Security Level | Deployment Complexity |
|---|---|---|---|---|---|
| EAP-TLS | Yes β every client device needs a cert | Yes | Digital certificate (mutual) | Highest β no password; device identity verified | High β requires PKI, cert provisioning on every device |
| EAP-TTLS | No β server cert only | Yes | Password carried inside TLS tunnel | High β password protected by outer TLS | Medium β no client certs; needs supplicant config |
| PEAP | No β server cert only | Yes | MSCHAPv2 (username/password) inside TLS tunnel | High β password protected by outer TLS | Low β natively supported by all major OS; most common |
| EAP-MD5 | No | No | MD5 hash of password | Weak β no TLS protection; no mutual auth; vulnerable to offline cracking | Low β simple but rarely used in modern deployments |
Centralized Authentication System Roles in 802.1X
| System | Role in 802.1X | What It Provides | Common Deployment |
|---|---|---|---|
| RADIUS | Authentication server protocol (authenticator β auth server communication) | Authentication, Authorization, Accounting (AAA); returns Access-Accept/Reject + VLAN assignments | Microsoft NPS, Cisco ISE, FreeRADIUS; integrated with AD |
| LDAP | Directory query protocol (RADIUS β directory integration) | User and device lookup; credential validation against directory; group membership for authorization | Active Directory (AD uses LDAP); OpenLDAP |
| TACACS+ | Alternative AAA protocol; more common for network device admin auth | Per-command authorization; separates auth/authz/accounting; full payload encryption | Cisco-centric environments; network admin access control |
| Kerberos | Underlying credential validation in AD environments | Ticket-based authentication; single sign-on integration; domain membership verification | Active Directory; all domain-joined Windows environments |
Wired vs. Wireless Port Security
| Attribute | Wired 802.1X (Switch Ports) | Wireless 802.1X (Access Points) |
|---|---|---|
| Physical access risk | Requires physical access to cable/port; attacker must be on premises | Wireless signal extends beyond physical walls; any nearby device can attempt association |
| Without port security | Any device plugged into port gets full network access immediately | WPA2-Personal: password shared with all users; no per-device authentication |
| With 802.1X | Port blocked until per-device authentication succeeds; rogue devices get no access | WPA2/WPA3-Enterprise: per-user/per-device authentication; no shared secret |
| Common threat prevented | Rogue device plugged into conference room/lobby/data center port | Unauthorized device associating with corporate SSID from parking lot |
| Device challenge (legacy) | Older switches may not support 802.1X; older devices lack supplicant software | Older devices may support only WPA2-Personal; no 802.1X supplicant capability |
Port Security Benefits vs. Deployment Challenges
| Security Benefit | Deployment Challenge |
|---|---|
| Unauthorized access prevention β only authenticated devices connect | Deployment complexity β every switch port, AP, RADIUS server must be configured |
| Accountability β every connection generates a RADIUS accounting log entry | Legacy device incompatibility β printers, cameras, embedded systems lack 802.1X support (require MAB) |
| Dynamic policy enforcement β VLAN assignment, ACL by user identity | Central infrastructure dependency β RADIUS server outage = no new authentications |
| Insider threat reduction β authorized device + valid credentials both required | Misconfiguration risk β wrong config can lock out legitimate users or fail silently |
| Integration with existing identity β reuses AD credentials; no separate user database | Staged rollout required β must be piloted and tested before enterprise-wide enforcement |