Port Security
Authentication controls applied to individual switch interfaces and wireless access point connections that prevent any device from accessing network resources until it has successfully authenticated. Port security is not limited to wireless β it applies equally to wired Ethernet ports. The underlying protocol framework is EAP, and the access control standard is IEEE 802.1X. Port security closes the gap where physical connectivity alone was sufficient for network access β even a device plugged directly into an internal switch port gets no network access without valid credentials.
EAP β Extensible Authentication Protocol
An authentication framework that defines how authentication information is carried between a client device and an authentication server, without prescribing any specific authentication method. EAP is a flexible envelope: many different authentication methods (certificate-based, password-based, token-based) can be encapsulated inside EAP. This extensibility allows organizations and vendors to implement authentication techniques appropriate for their environment. EAP methods include EAP-TLS (certificates, most secure), EAP-TTLS (outer TLS tunnel + inner password), PEAP (most widely deployed, TLS tunnel + MSCHAPv2), and EAP-MD5 (weak, legacy). EAP is carried by 802.1X at the access control layer.
IEEE 802.1X
An IEEE standard that defines Port-based Network Access Control (NAC). 802.1X enforces a simple rule: a connected device gets no network access until it has successfully authenticated. The port is held in a blocked state for all traffic except EAP authentication messages until authentication succeeds. 802.1X works on both wired switch ports and wireless access points. It is the control plane: it makes and enforces the access decision. EAP is the authentication plane: it carries the credentials and verification exchange. Together, EAP over 802.1X is the foundation of enterprise network access control.
NAC β Port-based Network Access Control
The formal description of what IEEE 802.1X does: access to the network is controlled at the port level. A network port (switch interface or wireless association) is the enforcement point β no traffic passes until the device connected to that port has authenticated. NAC and 802.1X are used interchangeably in the Security+ context. In broader industry usage, NAC may also refer to systems that check device health posture (patch level, antivirus status) in addition to identity before granting access β but for the exam, NAC means 802.1X port-level authentication control.
Supplicant
The client device that is requesting access to the network in an 802.1X authentication exchange. The supplicant must provide credentials that the authentication server will verify before network access is granted. Examples: an employee's laptop, smartphone, workstation, or IoT device. The supplicant runs 802.1X client software (built into Windows, macOS, iOS, Android). It responds to authentication challenges from the authenticator with the appropriate credentials for the configured EAP method β whether a username/password pair, a digital certificate, or another credential type.
Authenticator
The network device that controls access to the network in an 802.1X exchange β typically a switch or wireless access point. The authenticator is a relay and enforcer: it intercepts the supplicant's connection attempt, challenges the supplicant for credentials, forwards those credentials to the authentication server, and then acts on the server's decision (open the port for normal traffic on success, keep the port blocked on failure). Critically, the authenticator does NOT validate credentials β it has no knowledge of passwords or certificates. All validation is done by the authentication server. The authenticator only enforces the access decision returned by the server.
Authentication Server
The back-end system that validates the credentials presented by the supplicant during 802.1X authentication. It compares credentials against an identity database (Active Directory, LDAP directory, RADIUS database) and returns an Access-Accept or Access-Reject decision to the authenticator. Typically implemented as a RADIUS server that integrates with an enterprise directory service. The authentication server is the only component in the 802.1X exchange that actually knows whether credentials are valid. It centralizes all authentication intelligence β switches and access points across the organization defer to this single authority.
RADIUS β Remote Authentication Dial-In User Service
The most common protocol used to implement the authentication server role in 802.1X deployments. RADIUS handles three functions: Authentication (is this identity valid?), Authorization (what access should this device receive?), and Accounting (log this connection event β start, stop, duration). Authenticators (switches and access points) communicate with the RADIUS server using the RADIUS protocol. The RADIUS server typically delegates credential verification to Active Directory or an LDAP directory. RADIUS enables centralized authentication policy management: one RADIUS server can serve thousands of authenticators across an enterprise network.
EAP-TLS
An EAP method that performs mutual certificate-based authentication β both the client device and the authentication server present digital certificates. The client verifies the server's certificate (ensuring it is talking to the legitimate authentication server); the server verifies the client's certificate (ensuring the device is an authorized corporate asset). No password is ever transmitted. EAP-TLS is considered the most secure EAP method because it eliminates password theft risk and provides strong device identity verification. The deployment cost is higher: every client device must be issued a certificate, requiring a certificate infrastructure (PKI). Best for high-security environments where device-level authentication matters as much as user identity.
PEAP β Protected EAP
An EAP method that creates a TLS-encrypted outer tunnel using only a server-side certificate (no client certificate required), then carries an inner authentication exchange β typically MSCHAPv2 (username/password) β inside the protected tunnel. The user's credentials are never exposed in plaintext because they travel inside the TLS tunnel. PEAP is the most widely deployed enterprise EAP method because it requires no client certificates (significantly simpler deployment than EAP-TLS), is supported natively by Windows, macOS, iOS, and Android, and provides strong credential protection. The trade-off vs. EAP-TLS: PEAP authenticates the user by password rather than the device by certificate β a stolen password credential can authenticate from any device.
MAC Authentication Bypass (MAB)
A workaround for devices that do not support 802.1X supplicant software (legacy printers, IP cameras, building management systems, medical devices). Instead of an EAP authentication exchange, the authenticator sends the device's MAC address to the RADIUS server, which checks it against a database of pre-approved MAC addresses. If the MAC address is registered, access is granted. MAB is inherently weaker than 802.1X because MAC addresses can be spoofed β an attacker who knows an approved MAC address can impersonate the device. MAB should be used only for devices that genuinely cannot support 802.1X, not as a general alternative.