Fatskills
Study Guide: 802.1X and NAC, Network Access Control - Zero-Fluff Study Guide
Source: https://www.fatskills.com/comptia-security-/chapter/tech-8021x-nac-network-access-control-zero-fluff-study-guide

802.1X and NAC, Network Access Control - Zero-Fluff Study Guide

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

802.1X & NAC (Network Access Control) – Zero-Fluff Study Guide

For CompTIA Security+ Engineers Who Need to Deploy, Troubleshoot, or Secure Networks


1. What This Is & Why It Matters

802.1X is the IEEE standard for port-based network access control (PNAC). It forces devices to authenticate before they get an IP address or access to the network. Network Access Control (NAC) is the broader framework that enforces security policies (e.g., "Is this laptop patched? Does it have AV?") before allowing access.

Why This Matters in Production

  • Without 802.1X/NAC, any device (rogue AP, infected laptop, contractor’s phone) can plug into your network and start scanning for vulnerabilities.
  • With 802.1X/NAC, you enforce:
      • Authentication (Who are you?)
      • Authorization (What are you allowed to do?)
      • Posture assessment (Is your device compliant with security policies?)
  • Real-world scenario: You’re a security engineer at a hospital. A nurse plugs in a personal laptop to charge it, but the laptop has ransomware. Without NAC, the malware spreads to patient records. With NAC, the laptop is quarantined until it passes a security check.

If you ignore 802.1X/NAC, you’re running a network with no front door.


2. Core Concepts & Components

Term: Supplicant
  Definition: The device (laptop, phone, IoT) trying to connect to the network.
  Production insight: If the supplicant doesn’t support 802.1X (e.g., old printers), you’ll need a MAC bypass (but this is a security risk).

Term: Authenticator
  Definition: The network device (switch, AP, VPN gateway) that blocks traffic until authentication succeeds.
  Production insight: Most enterprise switches (Cisco, HP, Juniper) support 802.1X. If yours doesn’t, replace it.

Term: Authentication Server (RADIUS)
  Definition: The server (FreeRADIUS, Microsoft NPS, Cisco ISE) that validates credentials.
  Production insight: Never use default RADIUS shared secrets—they’re often "radius123" in vendor docs.

Term: EAP (Extensible Authentication Protocol)
  Definition: The framework for authentication methods (EAP-TLS, PEAP, EAP-TTLS).
  Production insight: EAP-TLS (certificate-based) is the gold standard—but requires PKI. PEAP (password-based) is easier but less secure.

Term: NAC Policy
  Definition: Rules defining who/what gets access (e.g., "Only domain-joined laptops with AV can access VLAN 10").
  Production insight: Start with a simple policy (e.g., "Block all unknown devices") and refine later.

Term: Posture Assessment
  Definition: Checks if a device meets security requirements (AV installed, firewall enabled, OS patched).
  Production insight: False positives are common—test policies in a lab first.

Term: Remediation
  Definition: What happens if a device fails posture checks (e.g., quarantined to a "guest" VLAN with limited access).
  Production insight: Always have a remediation VLAN—otherwise, failed devices get no network access at all.

Term: MAC Bypass
  Definition: Allows devices that don’t support 802.1X (e.g., printers, VoIP phones) to connect using their MAC address.
  Production insight: This is a security hole—only use for devices that can’t do 802.1X.

Term: VLAN Assignment
  Definition: Dynamically assigns a VLAN based on authentication (e.g., "Employees-VLAN 10, Guests-VLAN 20").
  Production insight: Misconfigured VLANs = network outages—test with a single port first.

Term: CoA (Change of Authorization)
  Definition: Allows the RADIUS server to dynamically change a device’s access (e.g., "This device just failed a scan—quarantine it!").
  Production insight: Critical for NAC—without CoA, you can’t enforce policies after initial login.

3. Step-by-Step Hands-On: Deploying 802.1X on a Cisco Switch

Prerequisites

  • A Cisco switch (e.g., Catalyst 2960, 3750) with IOS 15.0+.
  • A RADIUS server (FreeRADIUS on Linux or Microsoft NPS on Windows).
  • A supplicant (Windows 10/11, macOS, or Linux with wpa_supplicant).
  • A test VLAN (e.g., VLAN 10 for employees, VLAN 20 for guests).

Step 1: Configure the RADIUS Server (FreeRADIUS Example)

# Install FreeRADIUS on Ubuntu/Debian
sudo apt update && sudo apt install freeradius -y

# Edit the clients.conf file to add your switch
sudo nano /etc/freeradius/3.0/clients.conf

Add this (replace 192.168.1.10 with your switch IP and MySharedSecret with a strong password):

client switch1 {
    ipaddr = 192.168.1.10
    secret = MySharedSecret
    nas_type = cisco
}

Restart FreeRADIUS:

sudo systemctl restart freeradius

Step 2: Configure the Cisco Switch

(IOS treats lines starting with "!" as comments; "#" is not accepted, so paste the block as shown.)

enable
configure terminal

! Enable AAA (Authentication, Authorization, Accounting)
aaa new-model

! Define the RADIUS server (192.168.1.5 is the FreeRADIUS host; the key must match the secret in clients.conf)
radius server FreeRADIUS
 address ipv4 192.168.1.5 auth-port 1812 acct-port 1813
 key MySharedSecret

! Create an AAA group and add the RADIUS server
aaa group server radius RADIUS_GROUP
 server name FreeRADIUS

! Configure 802.1X authentication ("authorization network" is what lets RADIUS push a VLAN in Step 5)
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa accounting dot1x default start-stop group RADIUS_GROUP

! Enable 802.1X globally
dot1x system-auth-control

! Configure a test port (e.g., GigabitEthernet1/0/1)
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
end

! Save config
write memory

Step 3: Configure the Supplicant (Windows 10/11)

  1. Open Network & Internet Settings → Wi-Fi (or Ethernet) → Manage known networks → Add a new network.
  2. Select 802.1X and choose PEAP (or EAP-TLS if using certificates).
  3. Enter:
      • Username: testuser
      • Password: testpass
      • CA Certificate: (If using PEAP, select the RADIUS server’s CA cert.)
  4. Click Connect.

Step 4: Verify Authentication

On the switch:

show dot1x all

Expected output:

Interface       PAE     Client          Status
Gi1/0/1         AUTH    0011.2233.4455  AUTHORIZED

On the RADIUS server (check logs):

sudo tail -f /var/log/freeradius/radius.log

Expected output:

Auth: Login OK: [testuser] (from client switch1 port 1 cli 0011.2233.4455)

Step 5: Configure VLAN Assignment (Optional)

On the RADIUS server, edit /etc/freeradius/3.0/users:

testuser Cleartext-Password := "testpass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 10

Restart FreeRADIUS:

sudo systemctl restart freeradius

Now, when testuser authenticates, they’ll be placed in VLAN 10.
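The VLAN assignment above is static (one user, one VLAN). In a NAC deployment the same three reply attributes are chosen per session from the posture result described in Section 2 (compliant → employee VLAN, non-compliant → remediation VLAN, unknown/MAC-bypass → guest VLAN). The following Python is an added example, not code from the guide or from FreeRADIUS: the Posture fields, the evaluate() rules and the VLAN numbers (10, 20, 99, taken from the guide's own examples) are assumptions, and the output is rendered in the reply-item syntax of the users file so it can be compared with the entry above.

```python
# Added example (not from the Fatskills guide): a toy NAC policy decision that turns a
# posture check into a VLAN and renders the same three RADIUS tunnel attributes the
# guide puts in /etc/freeradius/3.0/users.  VLAN numbers follow the guide's examples
# (10 employees, 20 guests, 99 remediation); the Posture fields and rules are assumptions.
from dataclasses import dataclass

EMPLOYEE_VLAN = "10"
GUEST_VLAN = "20"
REMEDIATION_VLAN = "99"


@dataclass
class Posture:
    username: str
    domain_joined: bool
    av_running: bool
    firewall_enabled: bool
    os_patched: bool
    mac_bypass: bool = False   # authenticated by MAC address only (printer, VoIP phone)


def evaluate(p: Posture) -> tuple:
    """Return (vlan, reasons).  Reasons are kept so the NAC log can say *why* a device landed where it did."""
    if p.mac_bypass:
        # A MAC-bypass device cannot prove posture and its MAC can be spoofed,
        # so it never receives the employee VLAN.
        return GUEST_VLAN, ["mac-bypass: posture unknown"]
    if not p.domain_joined:
        return GUEST_VLAN, ["not domain-joined"]
    failures = []
    if not p.av_running:
        failures.append("AV not running")
    if not p.firewall_enabled:
        failures.append("firewall disabled")
    if not p.os_patched:
        failures.append("OS unpatched")
    if failures:
        # Failed posture: limited access (updates, AV definitions) rather than no access at all.
        return REMEDIATION_VLAN, failures
    return EMPLOYEE_VLAN, []


def reply_attributes(vlan: str) -> dict:
    """RADIUS reply items for dynamic VLAN assignment (RFC 3580): Tunnel-Type=VLAN,
    Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan,
    }


def render_freeradius_reply(vlan: str) -> str:
    """Render the reply items in the comma-separated form used in the FreeRADIUS users file."""
    return ",\n".join(f"    {k} = {v}" for k, v in reply_attributes(vlan).items())


def decide(p: Posture) -> dict:
    vlan, reasons = evaluate(p)
    return {"user": p.username, "vlan": vlan, "reasons": reasons,
            "reply": render_freeradius_reply(vlan)}


if __name__ == "__main__":
    # Constructed sample devices: a compliant laptop, a laptop missing AV and patches,
    # a non-domain contractor machine, and a printer admitted by MAC bypass.
    for device in (
        Posture("testuser", True, True, True, True),
        Posture("jdoe", True, False, True, False),
        Posture("contractor", False, True, True, True),
        Posture("printer-01", False, False, False, False, mac_bypass=True),
    ):
        d = decide(device)
        print(f'{d["user"]:<12} -> VLAN {d["vlan"]:<3} {", ".join(d["reasons"]) or "compliant"}')
        print(d["reply"])
```

The reasons list is the part worth keeping in production: a remediation VLAN is only useful if the help desk can see which check failed, so the decision and its justification should be logged together with the session.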


4. Production-Ready Best Practices

Security

  • Use EAP-TLS (certificates) instead of PEAP (passwords)—passwords can be brute-forced.
  • Rotate RADIUS shared secrets every 90 days.
  • Disable MAC bypass unless absolutely necessary (e.g., for legacy devices).
  • Enable CoA (Change of Authorization) so you can quarantine devices that fail posture checks.
  • Log all authentication attempts (RADIUS accounting) for auditing.

Reliability & Maintainability

  • Test 802.1X on a single port first before rolling out to the whole network.
  • Use a dedicated VLAN for remediation (e.g., VLAN 99) so failed devices can still get updates.
  • Document your NAC policies (e.g., "All Windows laptops must have Defender AV enabled").
  • Monitor RADIUS server health (CPU, memory, disk space)—if it fails, no one gets on the network.

Observability

  • Set up alerts for:
      • Failed authentication attempts (possible brute-force attack).
      • Devices failing posture checks (possible malware).
      • RADIUS server downtime (critical outage).
  • Log to a SIEM (Splunk, ELK, Graylog) for correlation with other security events.
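A minimal version of the first alert, as an added example that is not from the guide or from FreeRADIUS: it parses radius.log lines in the "Auth: Login OK/incorrect: [user] (from client X port N cli MAC)" format shown in Step 4 and alerts when the same user fails repeatedly from the same authenticator. The log lines are constructed for the example, and the threshold (5 failures in 60 seconds) is an assumption to tune for your environment.

```python
# Added example (not from the Fatskills guide): parse FreeRADIUS radius.log Auth lines and
# raise a brute-force alert.  Sample log lines are constructed; threshold/window are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# FreeRADIUS 3 prefixes Auth lines with a timestamp and may insert a request number "(N)"
# and a failure detail in parentheses; the regex tolerates both.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: (?:\(\d+\) )?"
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\S+)(?: cli (?P<cli>\S+))?\)"
)

# Constructed sample: one good login, one printer, five quick failures for jdoe,
# one typo by alice, and a late sixth jdoe failure outside the window.
SAMPLE_LOG = """\
Thu Jun 13 09:00:01 2024 : Auth: Login OK: [testuser] (from client switch1 port 1 cli 0011.2233.4455)
Thu Jun 13 09:00:02 2024 : Auth: (3) Login OK: [printer-01] (from client switch1 port 2 cli 0011.2233.4466)
Thu Jun 13 09:00:10 2024 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [jdoe] (from client switch1 port 3 cli 00aa.bbcc.dd01)
Thu Jun 13 09:00:12 2024 : Auth: Login incorrect: [jdoe] (from client switch1 port 3 cli 00aa.bbcc.dd01)
Thu Jun 13 09:00:15 2024 : Auth: Login incorrect: [jdoe] (from client switch1 port 3 cli 00aa.bbcc.dd01)
Thu Jun 13 09:00:17 2024 : Auth: Login incorrect: [jdoe] (from client switch1 port 3 cli 00aa.bbcc.dd01)
Thu Jun 13 09:00:20 2024 : Auth: Login incorrect: [jdoe] (from client switch1 port 3 cli 00aa.bbcc.dd01)
Thu Jun 13 09:00:25 2024 : Auth: Login incorrect: [alice] (from client switch2 port 7 cli 00aa.bbcc.dd02)
Thu Jun 13 09:00:30 2024 : Auth: Login OK: [alice] (from client switch2 port 7 cli 00aa.bbcc.dd02)
Thu Jun 13 09:05:00 2024 : Auth: Login incorrect: [jdoe] (from client switch1 port 3 cli 00aa.bbcc.dd01)
"""


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None   # not an Auth line (or an unknown format): skip it rather than crash the monitor
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def summarize(lines) -> dict:
    """Count OK vs incorrect logins; feed these to your SIEM dashboard."""
    counts = {"OK": 0, "incorrect": 0}
    for rec in map(parse_line, lines):
        if rec:
            counts[rec["result"]] += 1
    return counts


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)) -> list:
    """Alert once per (client, user) when `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for rec in map(parse_line, lines):
        if not rec or rec["result"] != "incorrect":
            continue
        key = (rec["client"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"client": key[0], "user": key[1], "failures": len(q),
                           "first": q[0], "last": rec["ts"], "cli": rec["cli"]})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("summary:", summarize(lines))
    for a in detect_bruteforce(lines):
        print(f'ALERT {a["user"]} via {a["client"]} (cli {a["cli"]}): '
              f'{a["failures"]} failures between {a["first"]:%H:%M:%S} and {a["last"]:%H:%M:%S}')
```

Keying on (client, user) rather than on user alone distinguishes one guessed account on one port from a user who mistypes a password on several devices; the cli (MAC) is carried in the alert because it is what you need to find the port in "show dot1x all" and to quarantine it via CoA.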

5. Common Mistakes & Traps

Mistake: Misconfigured RADIUS shared secret
  Symptom: Switch logs show "Invalid authenticator" errors.
  Fix/Prevention: Double-check the shared secret on both the switch and RADIUS server.

Mistake: No fallback VLAN
  Symptom: Devices that fail authentication get no network access.
  Fix/Prevention: Configure a remediation VLAN (e.g., VLAN 99) for failed devices.

Mistake: Using PEAP without server certificate validation
  Symptom: Man-in-the-middle attacks possible.
  Fix/Prevention: Always validate the RADIUS server’s certificate on supplicants.

Mistake: Enabling 802.1X on all ports at once
  Symptom: Network outage if misconfigured.
  Fix/Prevention: Test on one port first, then roll out gradually.

Mistake: Not monitoring RADIUS server health
  Symptom: RADIUS server crashes, no one can log in.
  Fix/Prevention: Set up Nagios/Zabbix alerts for RADIUS server uptime.
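Why a wrong shared secret shows up as "Invalid authenticator", and why the secret in Step 1 must match the key in Step 2: in RADIUS (RFC 2865) the secret is never sent; it is mixed into the MD5 Response Authenticator of every reply and into the hiding of User-Password in the request. The Python below is an added example, not code from the guide, FreeRADIUS or Cisco: it builds an Access-Request, has a "server" answer with an Access-Accept carrying the VLAN tunnel attributes from Step 5, and shows the authenticator check passing with the guide's secret and failing when the server uses a different one. The request authenticator is fixed for reproducibility (real clients use random bytes), and the Message-Authenticator attribute that real EAP exchanges also carry (RFC 3579) is left out.

```python
# Added example (not from the Fatskills guide): RFC 2865 packet format showing how the
# shared secret binds an Access-Accept to its Access-Request.  Secrets reuse the guide's
# example values; the fixed request authenticator is for reproducibility only.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encode_attrs(attrs) -> bytes:
    """Attribute = Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(body: bytes) -> list:
    out, i = [], 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        out.append((t, body[i + 2:i + l]))
        i += l
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    p = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], block))
        out += prev
    return out


def header(code: int, ident: int, body_len: int) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + body_len)


def access_request(ident, secret, username, password, req_auth=None) -> bytes:
    """Authenticator (switch) side: Request Authenticator is 16 unpredictable bytes."""
    req_auth = req_auth or os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
    ])
    return header(ACCESS_REQUEST, ident, len(body)) + req_auth + body


def response_authenticator(code, ident, body, req_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(header(code, ident, len(body)) + req_auth + body + secret).digest()


def access_accept(request: bytes, secret: bytes, vlan: str) -> bytes:
    """Server side: accept and push a VLAN with tagged tunnel attributes (RFC 2868 / RFC 3580)."""
    ident, req_auth = request[1], request[4:20]
    tag = b"\x00"   # tag 0 = untagged; Tunnel-Type/Medium carry a 3-byte integer after the tag
    body = encode_attrs([
        (ATTR_TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (ATTR_TUNNEL_GROUP, tag + vlan.encode()),
    ])
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, req_auth, secret)
    return header(ACCESS_ACCEPT, ident, len(body)) + auth + body


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Switch side: genuine only if built with *our* secret over *our* Request Authenticator.
    A mismatched secret fails here, which the switch reports as an invalid authenticator."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response: bytes):
    """Pull the VLAN out of Tunnel-Private-Group-ID; a leading byte <= 0x1F is a tag, not data."""
    for t, v in decode_attrs(response[20:]):
        if t == ATTR_TUNNEL_GROUP:
            return (v[1:] if v and v[0] <= 0x1F else v).decode()
    return None


def demo() -> tuple:
    secret = b"MySharedSecret"                         # clients.conf secret == switch "key"
    req = access_request(7, secret, "testuser", "testpass", req_auth=bytes(range(16)))
    good = access_accept(req, secret, "10")
    wrong = access_accept(req, b"radius123", "10")      # server configured with a different secret
    return verify_response(req, good, secret), verify_response(req, wrong, secret), assigned_vlan(good)


if __name__ == "__main__":
    ok, bad, vlan = demo()
    print(f"matching secret: {ok}, mismatched secret: {bad}, VLAN pushed: {vlan}")
```

The same construction explains the guide's insistence on strong, rotated secrets: anyone who learns the secret can forge Access-Accepts (including the VLAN they land in) and unhide User-Password from captured requests, and MD5 offers no protection against guessing a short secret offline.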

6. Exam/Certification Focus (CompTIA Security+)

Key Question Patterns

  1. "Which EAP method is most secure?"
     Answer: EAP-TLS (certificate-based).
     Trap: PEAP is easier but less secure.

  2. "What happens if a device fails posture assessment?"
     Answer: It’s quarantined to a remediation VLAN.
     Trap: Some answers say "blocked completely"—but best practice is to allow limited access for remediation.

  3. "What’s the role of the authenticator in 802.1X?"
     Answer: It blocks traffic until authentication succeeds.
     Trap: It’s not the RADIUS server (that’s the authentication server).

  4. "Which protocol does 802.1X use for authentication?"
     Answer: EAP (Extensible Authentication Protocol).
     Trap: Some answers say "RADIUS"—but RADIUS is the transport for EAP.

  5. "What’s the purpose of CoA (Change of Authorization)?"
     Answer: To dynamically change a device’s access (e.g., quarantine a device that fails a scan).
     Trap: Some answers say "initial authentication"—but CoA happens after login.

Trap Distinctions

Concept: EAP-TLS vs. PEAP
  Security+ trap: "PEAP is more secure because it uses passwords."
  Correct answer: EAP-TLS is more secure (certificates).

Concept: RADIUS vs. TACACS+
  Security+ trap: "RADIUS is used for device administration."
  Correct answer: TACACS+ is for device admin; RADIUS is for network access.

Concept: MAC Bypass
  Security+ trap: "MAC bypass is secure because it’s based on hardware."
  Correct answer: MAC bypass is a security risk (MAC spoofing).

7. Hands-On Challenge (With Solution)

Challenge

You’re troubleshooting a user who can’t connect to the network. The switch shows:

Gi1/0/1         AUTH    0011.2233.4455  AUTHENTICATING

What’s the most likely issue, and how do you fix it?

Solution

Issue: The supplicant (user’s device) is not responding to EAP requests.

Fix:
  1. Check if 802.1X is enabled on the supplicant (Windows: services.msc → "Wired AutoConfig" should be running).
  2. Verify the supplicant’s credentials (username/password or certificate).
  3. Check the RADIUS server logs for authentication failures.
  4. If using PEAP, ensure the RADIUS server’s certificate is trusted on the supplicant.

Command to debug on the switch:

debug dot1x all

Expected fix: If the supplicant is misconfigured, re-enter credentials or reinstall the certificate.


8. Rapid-Reference Crib Sheet

Item: RADIUS Ports
  Command/Value: UDP 1812 (auth), 1813 (accounting)
  Notes: Some vendors use 1645/1646 (legacy).

Item: EAP Methods
  Command/Value: EAP-TLS, PEAP, EAP-TTLS
  Notes: EAP-TLS = certificates, PEAP = passwords.

Item: Cisco 802.1X Enable
  Command/Value: dot1x system-auth-control
  Notes: Must be enabled globally.

Item: Cisco Port Config
  Command/Value: authentication port-control auto
  Notes: Enables 802.1X on the port.

Item: FreeRADIUS Config File
  Command/Value: /etc/freeradius/3.0/clients.conf
  Notes: Defines allowed switches/APs.

Item: Windows Supplicant Service
  Command/Value: "Wired AutoConfig"
  Notes: Must be running for 802.1X.

Item: MAC Bypass Command (Cisco)
  Command/Value: mab (interface command; enables MAC Authentication Bypass on the port)
  Notes: Security risk—avoid if possible. (Do not confuse with the global "authentication mac-move permit", which only allows a MAC address to move between ports.)

Item: VLAN Assignment (RADIUS)
  Command/Value: Tunnel-Private-Group-ID = 10
  Notes: Assigns VLAN 10 to the user.

Item: CoA Port (RADIUS)
  Command/Value: UDP 3799
  Notes: Used for dynamic access changes.

Item: Default RADIUS Timeout
  Command/Value: 5 seconds
  Notes: Increase if users are timing out.

9. Where to Go Next

  1. Cisco 802.1X Configuration Guide – Official Cisco docs.
  2. FreeRADIUS Documentation – Best resource for RADIUS setup.
  3. Microsoft NPS (Network Policy Server) Guide – For Windows-based RADIUS.
  4. CompTIA Security+ Study Guide (802.1X Section) – Official study material.

Final Thought

802.1X and NAC are your network’s bouncers. Without them, anyone can walk in. With them, you control who gets access—and what they can do once they’re inside.

Now go deploy it on a single switch port and break something (safely).