Thursday, September 24, 2020

Understanding 802.1X and NAC


  • Definition and Overview

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
<802.1X authentication flow>
* EAP over LAN (EAPOL)

The following video explains well about 802.1x and NAC.

MicroNugget: How to Use 802.1X and NAC
https://youtu.be/m7NkBFCm9Tk (YouTube, 3:46)


  • Implementation and Configuration

The PDF document provided by SANS below explains how to implement and configure 802.1X for Wired Network in detail with screenshots.

Implementing IEEE 802.1x for Wired Networks (PDF)


  • Troubleshooting 802.1X authentication

When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:

<802.1X authentication process - Microsoft>

Please refer to the following links to troubleshoot 802.1x issues.

802.1X/EAP Troubleshooting (Cisco Community)
Advanced troubleshooting 802.1X authentication (Microsoft)
EAPOL 4-way Handshake (WiFi Professionals)


▶ Here are additional use cases and troubleshooting methods:


The most common 802.1x problem you’ll likely need to troubleshoot is when you have a client device attached to the network that can’t authenticate. In most cases, these clients will be quarantined in the guest VLAN instead of the protected side of the network and have access to the internal network.


1) Cannot Authenticate


* Symptoms: When connected to wireless, user is able to access email and internal resources. However when hard wired, user can only access the internet.

* Solution: 802.1x Authentication needs to be enabled.

Step 1. Open the Network Connections

Step 2. Right-Click on your Local Area Connection or Ethernet, and select Properties.

Step 3. Click on the second tab named Authentication.

These settings should all be greyed out as they should be managed by Group Policy (GP).


Make sure that 'Enable IEEE 802.1X authentication' is checked.

Step 4. Make sure the wired auto config service is enabled.

Click on start -> Then click run -> Type services.msc in the box
This will bring up the services window. Select the standard tab
Scroll to the bottom and look for Wired AutoConfig service.
Make sure it is running and is set the Startup Type to Automatic.


2) The Authentication tab on the Ethernet Properties are not grayed out


If the Authentication tab is not grayed out, that means your system was not updated corporate's group policy from the Active Directory (AD) server.

Here is a command you can refresh the Computer Policies.

gpupdate /force


Please check the link for more details.
How to Refresh Windows Computer Policies


Error 1.

This error shows that the Computer Policy update has failed. Your system may not be connected to the corporate network or not on the VPN.


Error 2.

This error shows that the 'Netlogon' service is not running on your system. Please follow the above Step 4. and make sure if the Netlogon service is set to Automatic.



※ Additional Resources


▶ What Is MAB?

Not all devices support 802.1X authentication. Examples include network printers, Ethernet-based electronics like environmental sensors, cameras, and wireless phones.

When MAB is configured on a port, that port will first try to check if the connected device is 802.1X compliant, and if no reaction is received from the connected device, it will try to authenticate with the AAA server using the connected device's MAC address as username and password. 
The network administrator then must make provisions on the RADIUS server to authenticate those MAC-addresses, either by adding them as regular users or implementing additional logic to resolve them in a network inventory database.

Please see the following links on details of how it works and switch configuration.

MAC Authentication Bypass (MAB)
MAC Authentication Bypass Deployment Guide


▶ Related posts: Network Access Control (NAC) vendors

* Reference links:


No comments: