Network Security: 802.1X, Network Access Control, Port Security
Network security controls protect the integrity, confidentiality, and availability of network infrastructure. These controls include authentication at the port level, access policies, and network segmentation.
802.1X Port-Based Authentication
802.1X is a port-based network access control protocol. It prevents unauthorized devices from connecting to a network by requiring authentication at the switch port level before any traffic is allowed. If the device doesn't authenticate, the port remains blocked or is placed on a restricted VLAN.
Three components: Supplicant (the client device requesting access), Authenticator (the switch or wireless access point that enforces authentication), and Authentication Server (usually a RADIUS server that verifies credentials).
EAP (Extensible Authentication Protocol) — the framework used by 802.1X for actual authentication. Different EAP methods provide different security: EAP-TLS (certificate-based, most secure), EAP-TTLS (tunneled with server certificate), and PEAP (Protected EAP, widely deployed in corporate environments).
- 802.1X: authenticate devices at the switch port level before granting network access
- Supplicant (client) → Authenticator (switch) → Authentication Server (RADIUS)
- EAP-TLS: certificate-based, most secure
- EAP-TTLS and PEAP: password-based with server certificate tunnel
Network Access Control (NAC)
NAC is a broader security solution that enforces security policies on devices before granting network access. NAC checks device health (anti-virus status, OS patches, disk encryption), then grants appropriate access based on compliance.
NAC can: quarantine non-compliant devices (placed in a remediation VLAN where they can update), allow compliant devices full access, and block devices without authorization.
Agent-based NAC — requires software installed on the device to check compliance. Agentless NAC — uses network scanning and Active Directory integration (less thorough but easier to deploy). Persistent agents stay installed; dissolvable agents run only during authentication.
- NAC: enforce security policies before granting network access
- Checks device health: AV status, patches, encryption, firewall
- Non-compliant devices: quarantined to remediation VLAN
- Agent-based: installed software, more thorough
- Agentless: network scanning, easier to deploy
Port Security and DHCP Snooping
Port Security — limits how many MAC addresses can be learned on a switch port. Prevents MAC flooding attacks and unauthorized device connections. Actions on violation: shutdown (disable the port, err-disabled), restrict (drop traffic from the violating MAC and log/alert), or protect (drop traffic from unknown MACs silently, without alerting).
DHCP Snooping — a security feature that filters untrusted DHCP messages. It prevents rogue DHCP servers from issuing false IP configurations. Trusted ports (uplinks to authorized DHCP servers) are configured manually; all other ports are untrusted.
Dynamic ARP Inspection (DAI) — validates ARP packets against the DHCP snooping database to prevent ARP spoofing/poisoning attacks. ARP attacks allow man-in-the-middle positioning on the local network.
- Port security: limit MAC addresses per port — prevents MAC flooding
- Violation actions: shutdown, restrict, or protect
- DHCP snooping: blocks rogue DHCP servers, validates DHCP responses
- DAI: prevents ARP spoofing by validating against DHCP snooping database
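As an added example (not part of the original notes), the following Python models the mechanism behind the last two bullets: DHCP snooping drops server messages on untrusted ports and builds a binding table from leases learned via the trusted uplink, and DAI then checks ARP on untrusted ports against that table. All port names, MACs and IP addresses are constructed sample values.

```python
"""Toy access switch modelling DHCP snooping and Dynamic ARP Inspection (DAI).
Constructed example: ports, MACs and IPs are made-up values, not real devices."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK"}   # only a DHCP server legitimately sends these


@dataclass
class AccessSwitch:
    trusted: set                                   # uplink ports toward the real DHCP server
    pending: dict = field(default_factory=dict)    # client MAC -> access port (seen in REQUEST)
    bindings: dict = field(default_factory=dict)   # IP -> (MAC, port): the snooping database
    log: list = field(default_factory=list)        # dropped frames, what a SOC would alert on

    def dhcp(self, port, msg, client_mac, yiaddr=None):
        """DHCP snooping: block server messages from untrusted ports, learn leases."""
        if msg in SERVER_MSGS and port not in self.trusted:
            self.log.append(f"DHCP {msg} on untrusted {port}: rogue server, dropped")
            return False                           # untrusted port may not act as a server
        if msg == "REQUEST":
            self.pending[client_mac] = port        # remember which access port the client is on
        elif msg == "ACK" and client_mac in self.pending:
            # authoritative lease from the trusted uplink: record IP -> (MAC, port)
            self.bindings[yiaddr] = (client_mac, self.pending.pop(client_mac))
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender IP/MAC/port must match a snooped binding."""
        if port in self.trusted:
            return True                            # trusted ports bypass inspection
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.log.append(f"ARP {sender_ip} is-at {sender_mac} on {port}: no binding, dropped")
            return False
        return True


def demo():
    """One legitimate lease, one rogue DHCP offer, one ARP reply claiming the gateway's IP."""
    sw = AccessSwitch(trusted={"Gi1/0/48"})        # Gi1/0/48 is the uplink to the DHCP server
    sw.dhcp("Gi1/0/1", "REQUEST", "aa:aa:aa:aa:aa:01")
    sw.dhcp("Gi1/0/48", "ACK", "aa:aa:aa:aa:aa:01", yiaddr="10.0.10.50")  # real server, trusted
    rogue = sw.dhcp("Gi1/0/2", "OFFER", "aa:aa:aa:aa:aa:01")               # server msg on access port
    good_arp = sw.arp("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.10.50")        # matches its binding
    spoof = sw.arp("Gi1/0/2", "bb:bb:bb:bb:bb:02", "10.0.10.1")            # gateway IP has no binding
    return {"rogue_offer_forwarded": rogue, "good_arp": good_arp,
            "spoofed_arp_forwarded": spoof, "bindings": dict(sw.bindings), "drops": len(sw.log)}
```

Hosts with static addresses never appear in the snooped table, so on a real switch they need a static binding or an ARP ACL, or DAI will drop their ARP traffic exactly as it drops the spoofed reply here.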
VLANs and Network Segmentation
VLANs (Virtual Local Area Networks) logically segment a physical network into separate broadcast domains. Devices in different VLANs cannot communicate directly — traffic must pass through a router or Layer 3 switch, where security policies can be enforced.
VLAN benefits: reduces broadcast traffic, improves security (isolates sensitive systems), simplifies management (logical grouping regardless of physical location).
VLAN Hopping — an attack where an attacker sends traffic tagged with a different VLAN ID to reach VLANs it is not authorized for. Prevention: disable trunking on access ports, use a dedicated and otherwise unused native VLAN on trunks, and apply ACLs on inter-VLAN routing.
Separate VLANs should be used for: management traffic, voice (VoIP), guest Wi-Fi, IoT devices, and sensitive data systems.
- VLANs: logically separate networks on the same physical switch
- Inter-VLAN routing requires a router or Layer 3 switch (enforces policies)
- VLAN hopping: attacker sends crafted 802.1Q tags to access other VLANs
- Always disable trunking on access ports (switchport mode access)
- Segment networks: guest, IoT, voice, management, production
Exam Tip
802.1X is a frequent exam topic: know the Supplicant / Authenticator / Authentication Server trio. NAC checks device health. Port security limits MAC addresses. VLANs isolate traffic — disable trunking on access ports to prevent VLAN hopping.