802.1X - How Does It Work
An 802.1X network is different from home networks in one major way; it has an authentication server called a RADIUS Server. It checks a user's credentials to see if they are an active member of the organization and, depending on the network policies, grants users varying levels of access to the network. This allows unique credentials or certificates to be used per user, eliminating the reliance on a single network password that can be easily stolen.
KEY TAKEAWAYS
• 802.1X is the IEEE standard for port-based network access control: a device must authenticate, via a RADIUS server, before the switch or access point will forward its traffic.
• 802.1X and RADIUS based security is considered the gold standard to secure wireless and wired networks today.
KEY TAKEAWAYS
• 802.1X gives the device access to the protected side of the network only after authentication succeeds.
• 802.1X offers a few different ways to authenticate, such as username/password, certificates, OTP, etc.
EAP (Extensible Authentication Protocol) can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication and is a highly secure method for protecting the authentication process.
KEY TAKEAWAYS
• Tunneled EAP methods (PEAP, EAP-TTLS) build a TLS tunnel that carries the user's identifying information from client to server; EAP-TLS authenticates with the certificate itself.
• Not all EAP methods are created equal: man-in-the-middle attacks are far easier against username/password methods, because a client that does not validate the server certificate hands its credentials to whoever answers.
WPA2-Enterprise is the Wi-Fi Alliance name for WPA2 with 802.1X/EAP authentication, so the two terms are often used interchangeably. In contrast, the Pre-Shared Key network security most often used at home is referred to as WPA2-Personal. WPA2-Personal is not sufficient for any organization dealing with sensitive information and can put organizations at serious risk of cyber crime.
KEY TAKEAWAYS
• Used to secure connections to wired and wireless networks via rotating key security and avoiding Open/Un-Encrypted or
static key (PSK) connections
• 802.1X is used in corporate and campus settings where users get authorized or removed from network access as they
enter and leave the organization
That being said, most security and networking professionals use the term 802.1X for both wired and wireless networks if they are
using WPA2-Enterprise security.
The primary difference is that instead of associating with a wireless access point, your device must be Ethernet connected and authenticate to an 802.1X-capable switch. The device and RADIUS server establish trust over the wired connection and, if the user is recognized, the switch port is authorized for secure network use.
How Secure is 802.1X?
When used correctly, it is the gold standard of network authentication security. With server certificate validation enforced on the client, it prevents over-the-air credential theft attacks such as Man-in-the-Middle attacks and Evil Twin access points. It is much more secure than Pre-Shared Key networks, which are typically used in personal networks.
However, 802.1X security can vary greatly depending on two factors. The first is whether end users are left to manually configure their devices. The configuration process requires a high level of IT knowledge, and if one step is incorrect (most often skipping server certificate validation), users are left vulnerable to credential theft. We highly recommend using dedicated 802.1X onboarding software instead.
The second variable depends on whether an organization is using credential-based authentication or certificate-based authentication. Certificate-based EAP-TLS significantly reduces an organization's risk for credential theft and is the most secure way to use 802.1X. Not only does it stop credentials from being sent over the air where they can be easily stolen, but it forces users to go through an enrollment/onboarding process that ensures their devices are configured correctly.
KEY TAKEAWAYS
• One of the most secure protocols for network authentication, trumping WPA2/3-PSK and Open/Unencrypted connections
Is 802.1X Encrypted?
Not by itself. 802.1X authenticates; the encryption of the traffic that follows comes from the Wi-Fi security layer, keyed by that authentication. After a successful EAP-TLS, PEAP or EAP-TTLS exchange, the client and the RADIUS server both hold a master key (the PMK), the server hands it to the access point inside the Access-Accept (in the MS-MPPE-Recv-Key attribute), and the access point and client run the WPA2 4-way handshake to derive the per-session keys that encrypt the air link. On a wired port, 802.1X authorizes the port but does not encrypt the traffic on it unless MACsec (802.1AE) is also deployed.
WPA, the original 2003 standard, runs on RC4-based TKIP (Temporal Key Integrity Protocol) encryption. It is less secure than WPA2 and should be treated as obsolete, whether in Personal or Enterprise mode.
WPA2 can still utilize TKIP for backwards compatibility, but should be configured for AES-CCMP, which is the secure option; WPA3 drops TKIP entirely. Enterprise mode is a little more difficult and costly to set up, because of the RADIUS server and identity integration rather than the cipher, so it is used in higher-stake environments like businesses.
There are just a few components that are needed to make 802.1X work. Realistically, if you already have access points and some
spare server space, you possess all the hardware needed to make secure wireless happen. Sometimes you don't even need the
server; some access points come with built-in software that can operate 802.1X (though only for the smallest of small
deployments).
Regardless of whether you purchase professional solutions or build one yourself from open source tools, the quality and ease of
802.1X is entirely a design aspect.
KEY TAKEAWAYS
• 802.1X only includes four major components: client, access-point/switch, RADIUS server, and identity provider
Client / Supplicant
In order for a device to participate in 802.1X authentication, it must have a piece of software called a supplicant installed in the network stack. The supplicant is necessary as it participates in the initial negotiation of the EAP transaction with the switch or controller and packages up the user's credentials in a manner compliant with 802.1X. If a client does not have a supplicant, the EAP frames sent from the switch or controller will be ignored, the switch will not be able to authenticate it, and the port stays unauthorized.
Fortunately, the vast majority of device manufacturers have built-in 802.1X support, so almost every device we might expect to connect to a wireless network has a supplicant. SecureW2 provides an 802.1X supplicant for devices that don't have one natively. The most common exceptions are consumer gear such as game consoles, entertainment devices or some printers. Generally speaking, these devices should be less than 10% of the devices on your network and are best treated as the exception rather than the focus.
KEY TAKEAWAYS
• Software on the device that contains the configuration and connection data (certificates/credentials) which is sent to the access-point/switch
• Requires devices be set up precisely to avoid credential theft if username/password authentication is used. Consider configuration software or switching to certificate-based authentication.
• Most operating systems from the last 10-15 years have 802.1X support; IoT support is lacking but catching up
Access Point / Switch (Authenticator)
When the client connects to the network, the switch/controller (the authenticator) starts the exchange by sending an EAP-Request/Identity to the client; a supplicant can also prompt it by sending an EAPOL-Start frame. The client's responses are forwarded to the correct RADIUS server based on the configuration in the Wireless Security Settings. When the authentication is complete, the switch/controller decides whether to authorize the device for network access based on the RADIUS result (Access-Accept or Access-Reject) and possibly the attributes contained in the Access-Accept packet sent from the RADIUS server.
If the RADIUS server sends an Access-Accept packet as a result of an authentication, it may contain certain attributes that provide the switch with information on how to connect the device on the network. Common attributes will specify which VLAN to assign a user to, or possibly a set of ACLs (Access Control Lists) the user should be given once connected. This is commonly called 'User Based Policy Assignment' as the RADIUS server is making the decision based on user credentials. Common use cases would be to push guest users to a 'Guest VLAN' and employees to an 'Employee VLAN'.
KEY TAKEAWAYS
• These devices facilitate communication between the device and the RADIUS server.
• The access-point/switch is where you con�gure the network to use 802.1X instead of Open/Unencrypted or WPA2/3-PSK.
• Act as enforcement points when RADIUS servers return precise access control policy
RADIUS Server
The RADIUS server acts as the "security guard" of the network; as users connect to the network, the RADIUS server authenticates their identity and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI (Public Key Infrastructure) or confirming their credentials. Each time the user connects, the RADIUS server confirms they have the correct certificate or credentials and prevents any unapproved users from accessing the network.
A key security mechanism to employ when using a RADIUS server is server certificate validation. It guarantees that the user only connects to the network they intend to: the device is configured to confirm the identity of the RADIUS server by checking that its certificate chains to the expected CA and carries the expected server name. If the certificate is not the one the device is looking for, the device will not send a certificate or credentials for authentication. This prevents users from falling victim to an Evil Twin attack.
RADIUS servers can also be used to authenticate users from a different organization. Solutions like eduroam chain RADIUS servers as proxies, with RadSec (RADIUS over TLS) protecting the hops between them. If a student visits a neighboring university, the request is proxied to the RADIUS server at their home university, which authenticates them, and the university they are visiting grants them secure network access.
KEY TAKEAWAYS
• RADIUS Servers are the decision points for devices requesting access to the protected side of the network
• RADIUS Servers interact with identity providers to authenticate, authorize and report connections
SecureW2 can help you set up SAML to authenticate users on any Identity Provider for Wi-Fi access. Here are guides to integrating
with some popular products.
Developing a robust WPA2-Enterprise network requires additional tasks, such as setting up a PKI (Public Key Infrastructure) with a CA (Certificate Authority) and seamlessly distributing certificates to users. But contrary to what you might think, you can make any of these upgrades without buying new hardware or making changes to the infrastructure. For example, rolling out guest access or changing the authentication method can be accomplished without additional infrastructure.
Recently, many institutions have been switching EAP methods from PEAP to EAP-TLS after seeing noticeable improvement in
connection time and roaming ability. Improving the functionality of wireless networks can be gained without changing a single piece
of hardware.
KEY TAKEAWAYS
• 802.1X traditionally requires a directory (on-prem or cloud) so the RADIUS server can identify each user and what level of access they are allowed.
• Directories traditionally verify a username/password (an LDAP bind, for example), which ties network security to a reusable password that can be phished or cracked
• Newer cloud identity providers (Azure AD, Okta, Google) can interact with next-gen RADIUS to do passwordless identity authorization.
1. Initialization
The Initialization step starts when the authenticator detects link-up on a port or an association from a new device. The authenticator port is set to an "unauthorized" state, meaning that only 802.1X (EAPOL) traffic will be accepted and every other frame will be dropped.
2. Initiation
The authenticator sends an EAP-Request/Identity to the new device (the supplicant may also trigger this by sending EAPOL-Start). The device answers with an EAP-Response/Identity, which usually carries an identity for the new device, or an anonymous outer identity for tunneled methods. The authenticator receives the EAP response and relays it to the authentication server inside a RADIUS Access-Request packet.
3. Negotiation
Once the authentication server receives the request packet, it responds with a RADIUS Access-Challenge packet proposing the EAP method it wants to use (for example EAP-TLS). The authenticator passes the challenge on to the device, which either accepts the method or proposes another with an EAP-Nak.
4. Authentication
Once the EAP method is agreed, the device and the authentication server exchange EAP messages through the authenticator: for EAP-TLS, a TLS handshake in which each side validates the other's certificate; for PEAP or EAP-TTLS, a TLS tunnel followed by the inner credential exchange. On success the server returns an Access-Accept carrying the keying material and any policy attributes; on failure, an Access-Reject. On Access-Accept the port is set to "authorized" and the device is connected to the 802.1X network.
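The RADIUS leg of steps 2 to 4, together with the Access-Accept attributes described in the authenticator section above, as an added example that is not part of the original page nor of SecureW2's software. The Python below builds the Access-Request that relays the EAP Response/Identity, shows how the shared secret protects both directions (Message-Authenticator per RFC 3579, Response Authenticator per RFC 2865) and how a VLAN rides in the tunnel attributes of the Access-Accept (RFC 2868). The shared secret, identity, VLAN policy and the server's accept decision are constructed for the example: the EAP method rounds (Access-Challenge and the EAP-TLS handshake) are left out, and the identity's domain stands in for the result of a real certificate check.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865; tunnel attributes RFC 2868; EAP over RADIUS RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 61, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
WIRELESS_80211, TUNNEL_VLAN, MEDIUM_IEEE_802 = 19, b"\x00\x00\x0d", b"\x00\x00\x06"

def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def parse_avps(body):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs

def eap_response_identity(eap_id, identity):
    # EAP Response (code 2), type Identity (1): the supplicant's first message (RFC 3748)
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def encode(code, pkt_id, attrs, secret, request_auth, response=False):
    """Serialise a packet with its Message-Authenticator and, for replies, the Response Authenticator."""
    body = b"".join(avp(t, v) for t, v in attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, pkt_id, 20 + len(body))
    # RFC 3579 3.2: HMAC-MD5(secret) over the packet with the Request Authenticator and a zeroed MA field
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    if not response:
        return header + request_auth + body
    # RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_message_authenticator(packet, secret, request_auth):
    header, body, pos = packet[:4], packet[20:], 0
    for t, value in parse_avps(body):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:pos + 2] + bytes(16) + body[pos + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
        pos += 2 + len(value)
    return False  # an EAP-carrying packet without one must be discarded (RFC 3579)

def access_request(pkt_id, identity, secret, request_auth=None):
    """Step 2 on the authenticator: relay the EAP Response/Identity to the RADIUS server."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, identity), (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)),
             (EAP_MESSAGE, eap_response_identity(1, identity))]
    return encode(ACCESS_REQUEST, pkt_id, attrs, secret, request_auth), request_auth

def radius_server(request, secret, vlan_by_domain):
    """Authentication server. The EAP method rounds (Access-Challenge, TLS handshake) are left out;
    the identity's domain stands in for the outcome of a real certificate check (constructed policy)."""
    code, pkt_id, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    if code != ACCESS_REQUEST or not verify_message_authenticator(request[:length], secret, request_auth):
        return None  # RFC 3579: silently discard; never answer an unauthenticated request
    identity = dict(parse_avps(request[20:length])).get(USER_NAME, b"")
    vlan = vlan_by_domain.get(identity.rsplit(b"@", 1)[-1])
    if vlan is None:
        return encode(ACCESS_REJECT, pkt_id, [], secret, request_auth, response=True)
    tag = b"\x01"  # the tag byte groups the three tunnel attributes into one VLAN assignment
    attrs = [(TUNNEL_TYPE, tag + TUNNEL_VLAN), (TUNNEL_MEDIUM_TYPE, tag + MEDIUM_IEEE_802),
             (TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode())]
    return encode(ACCESS_ACCEPT, pkt_id, attrs, secret, request_auth, response=True)

def is_authentic(reply, request_auth, secret):
    """Both checks the switch/AP must pass before believing a reply came from its RADIUS server."""
    length = struct.unpack("!H", reply[2:4])[0]
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:length]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return (hmac.compare_digest(expected, resp_auth)
            and verify_message_authenticator(reply[:length], secret, request_auth))

def authenticator_decision(reply, request_auth, secret):
    """Step 4 on the switch/AP: returns (port_authorized, vlan_id)."""
    if not is_authentic(reply, request_auth, secret):
        raise ValueError("reply failed authentication: spoofed server or wrong shared secret")
    code, _, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT:
        return False, None  # Access-Reject (or anything else): the port stays unauthorized
    attrs = dict(parse_avps(reply[20:length]))
    vlan = None
    if (attrs.get(TUNNEL_TYPE, b"")[1:] == TUNNEL_VLAN
            and attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == MEDIUM_IEEE_802):
        vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"\x00")[1:].decode() or None
    return True, vlan

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req, ra = access_request(7, b"alice@it.company.com", secret)
    reply = radius_server(req, secret, {b"it.company.com": 10, b"sales.company.com": 20})
    print(authenticator_decision(reply, ra, secret))  # (True, '10')
```

Two things the model makes visible that the prose does not: an Access-Accept is only as trustworthy as the shared secret, since MD5 and HMAC-MD5 keyed with it are the only things tying the reply to the request (which is why a long random per-NAS secret, or RadSec, matters), and the VLAN decision is made on the server; the switch only applies what the tunnel attributes say once both integrity checks pass.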
KEY TAKEAWAYS
• Typically 802.1X authentication begins with the client requesting access, the RADIUS server verifying the user against the
identity provider, and the access-point/switch allowing access
• 802.1X authentication works best via certificate, because both user and device identity are bound to a private key that never leaves the device, preventing over-the-air credential theft.
While this isn't part of the 802.1X authentication process, we get a lot of questions about accounting, as RADIUS Servers are often
referred to as AAA (Authentication, Authorization, Accounting) servers.
VLAN
A VLAN, or Virtual Local Area Network, is a method of configuring your network to emulate a separate LAN, with all of the management and security benefits that provides.
Basically, VLANs segment your network so that security rules can be applied per segment. For example, the Open/Guest network is usually put in a different VLAN than the secure network. This helps to make sure that devices and network resources on one VLAN aren't affected if anything bad happens on a separate VLAN.
Digital certificates make VLAN assignment a snap because attributes in the certificate (subject, email or group fields) are read by the RADIUS server during authentication and can drive its policy. You could set up a policy so that anyone with the email domain "it.company.com" would be automatically assigned a different VLAN segment than "sales.company.com".
MAC Authentication
MAC authentication, or MAC address authentication, is a simple security measure in which you create a list of approved MAC addresses that are allowed network access.
Unfortunately, a MAC address is trivially spoofed (it is visible in every frame the device sends), so MAC authentication is rarely deployed as the only control at enterprise level.
MAC RADIUS
MAC RADIUS is a form of MAC Authentication: instead of a credential or a certificate, the switch sends the device's MAC address to the RADIUS server as its username, and the server accepts or rejects it.
MAC Bypass
The primary use of MAC Bypass is to tie-in devices that don't support 802.1X (like game consoles, printers, etc.) to your network.
However, it's still vulnerable, so it should be in a separate VLAN.
Manually configuring a Windows device requires the user to set up a new wireless network, enter a network name, set the security type, adjust network settings, set the authentication method, and many more steps. While it's certainly possible to complete this process accurately, it is highly complex and much more difficult than an onboarding software designed for efficiency.
The process for configuring Windows OS with SecureW2 requires the user to connect to the onboarding SSID and open an internet browser. The user is sent to SecureW2's JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be prompted to enter their credentials and the device will be authenticated and equipped with a certificate.
In order to manually configure macOS, the end user needs to know how to create an enterprise profile, install a client security certificate, verify the certificate, and adjust the network settings. The process isn't too difficult for someone with a background in IT, but it is risky for the average network user because of the high-level technical information involved with each step.
Downloading the SecureW2 JoinNow Suite for macOS enables automation so end users are not required to complete the process. The setup is similar to Windows OS; the end user starts by connecting to the onboarding SSID and opens a browser. After downloading the .DMG file and entering their credentials, the configuration process begins. The entire configuration and authentication requires only a few steps, allowing the end user to sit back while the device configures.
On Android, configuring manually via the Wi-Fi settings requires you to create a network profile, configure Server Certificate Validation (which requires installing the CA used on the RADIUS server and entering the server's domain), and configure the authentication method. If you use device onboarding software, all these steps are done by an application that can be downloaded from the Play Store that will configure your organization's network settings for you.
On iOS, manual configuration means you need to create a network profile in the Wi-Fi settings and configure Server Certificate Validation and the authentication method. The process is much simpler with onboarding software because SecureW2 can push a mobileconfig profile to an iPhone and configure the network settings automatically.
On Linux, the manual configuration is relatively simple. Open up Network Manager, select Edit Connections, find your access point and click Edit. A new window will open up; choose the tab that says 802.1X Security and input the information of your network, including the CA certificate and server name so that server certificate validation is enforced.
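The server certificate validation setting discussed under RADIUS Server above, and the Linux configuration just described, as an added example that is not part of the original page nor of SecureW2's tooling: three wpa_supplicant.conf network blocks (the file NetworkManager drives underneath its 802.1X tab), with the weak setting beside the corrected one. The SSID, identities, password, CA path, server name and certificate paths are constructed placeholders.

```conf
# Weak: no ca_cert and no domain_match. The supplicant starts a TLS handshake with
# whatever access point answers to "Corp-WiFi" and runs MSCHAPv2 inside it, so an
# evil twin collects an MSCHAPv2 exchange it can crack offline.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@company.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened PEAP: pin the private CA that issued the RADIUS server certificate and
# require the exact server name in it. anonymous_identity keeps the real username
# out of the unencrypted outer EAP-Response/Identity.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@company.com"
    anonymous_identity="anonymous@company.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.company.com"
}

# EAP-TLS: the same server validation, plus the device's own certificate and
# private key. No reusable secret crosses the air.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@company.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.company.com"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    pairwise=CCMP
}
```

The name check is not optional decoration: if ca_cert points at a public CA, anyone can obtain a certificate from that CA for a name they control, so only the combination of the right CA and the expected name (domain_match, or domain_suffix_match when the RADIUS servers share a suffix) identifies the real server. The file holds a password in the PEAP blocks, so it must be readable by root only.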
For one device, this is a straightforward process. If you need to onboard many devices (and users), you need SecureW2's automatic
device onboarding software. Click here to learn more.
KEY TAKEAWAYS
• 802.1X settings can include SSID, EAP type, authentication protocols, credentials/certificate, and server certificate validation, which trusts the authentic RADIUS server (vs. an Evil Twin)
• The options are auto-configuration via onboarding software or MDM, or manual configuration.
802.1X vs WPA2-Enterprise
802.1X is an IEEE standard framework for authenticating a user or device that is trying to associate to a wired or wireless network; it does not itself define the encryption. WPA-Enterprise pairs it with TKIP (RC4-based) encryption, while WPA2-Enterprise uses AES-CCMP.
Vulnerabilities in 802.1X
No security protocol is invulnerable, and 802.1X is not an exception.
Wi-Fi's most common configurations are WPA-PSK (pre-shared key, also called WPA-Personal), which does not use 802.1X at all, and WPA or WPA2 Enterprise, which does.
PSK is the simplest and the most vulnerable. A password is configured on the access point and distributed to users of the network. It's intended for personal use, mostly in homes. Anyone who captures one 4-way handshake can attack the passphrase offline, so a weak or widely shared passphrase is easily cracked, and the network is also susceptible to all other common attacks.
Enterprise-level wireless networks are less exposed to brute force because the network administrator will have mandated complex passwords and lockout or reset policies, and because each user has their own credential that can be revoked. Particular vulnerabilities vary depending on the EAP method used by the enterprise network.
PEAP-MSCHAPv2 was once the industry standard for WPA2-Enterprise networks, but MSCHAPv2 itself is broken: a captured challenge/response can be cracked offline to recover the user's NT password hash. Inside PEAP it is protected only by the TLS tunnel, so a client that does not validate the server certificate will run the handshake with an evil twin and leak it. There are still many organizations using this standard, despite the inherent vulnerabilities to over-the-air attacks.
EAP-TTLS/PAP is another common standard that is also vulnerable to over-the-air attacks. With PAP the password travels in clear text inside the TLS tunnel, so whoever terminates that tunnel (the legitimate RADIUS server, or an evil twin if the client skips server validation) reads it directly. Further exacerbating the problem is the rising popularity of Cloud RADIUS servers. Many of them only support EAP-TTLS/PAP, so end users' passwords are carried across the internet to the provider, protected by nothing but the tunnel.
The strongest WPA2-Enterprise standard is EAP-TLS. It relies on the asymmetric cryptography of digital certificates for authentication, which renders it immune to credential theft over the air. Even if a hacker intercepts the traffic, the most they can harvest is the client's public certificate and a signature; the private key never leaves the device and cannot be derived from them.
KEY TAKEAWAYS
• Leaving 802.1X configuration to the end user risks misconfiguration and security compromise.
• Trusting the right RADIUS server vs. an evil twin is very important, but 802.1X does not make it mandatory, so ensure server certificate validation is always enabled.
• Credential-based EAP methods like PEAP-MSCHAPv2 or EAP-TTLS/PAP are vulnerable; switch to certificate-based EAP-TLS. Industry titans like Microsoft recommend moving to certificates.
SecureW2 is trusted by some of the biggest companies in the world to provide the highest level of security and peace of mind. Our
software solutions can be integrated seamlessly into your current network infrastructure or stand on their own as a fully-managed
network security service.
We have affordable options for organizations of any size. Check out our pricing to learn more.
KEY TAKEAWAYS
• Make RADIUS connection decisions based on both user and device information
• Consider a cloud-native RADIUS solution that integrates with cloud identities without password based LDAP