802.1X Port-Based Network Access Control
The IEEE framework for “you can’t pass traffic through this port until you authenticate”. Wi-Fi Enterprise (WPA2/WPA3-Enterprise) is 802.1X over wireless; the same machinery runs on switch ports for wired NAC.
Status: drafting Related: EAP framework, RADIUS, WPA versions, PEAP / EAP-TTLS, EAP-TLS
The three roles
802.1X defines three actors:
| Role | Wi-Fi mapping | Wired mapping |
|---|---|---|
| Supplicant | The Wi-Fi client (laptop, phone). Speaks EAP. | The end-host. |
| Authenticator | The AP. Forwards EAP between supplicant and the auth server. Owns the port. | The L2 switch. |
| Authentication Server | The RADIUS server. Decides yes/no. | Same. |
The Authenticator is dumb in 802.1X: it doesn’t validate the credential. It bumps EAP frames to the RADIUS server, looks at the RADIUS Access-Accept / Access-Reject, and either opens the port or doesn’t.
Encapsulation: EAPOL
EAP messages between Supplicant and Authenticator ride in EAPOL (EAP over LAN). EtherType 0x888E. Subtypes:
| Type | Name | When |
|---|---|---|
| 0 | EAP-Packet | Carries an EAP message. |
| 1 | EAPOL-Start | Supplicant says “begin auth”. |
| 2 | EAPOL-Logoff | Supplicant says “I’m leaving”. |
| 3 | EAPOL-Key | Carries 4-way handshake messages (Wi-Fi only). |
| 4 | EAPOL-ASF | (Rare.) |
| 5 | EAPOL-MKA | MACsec (802.1AE) key agreement. |
Between Authenticator and RADIUS server, the same EAP messages are wrapped in RADIUS Access-Request / Access-Challenge / Access-Accept exchanges over UDP/1812. From the RADIUS server’s perspective the AP is a “NAS” (Network Access Server).
The flow on Wi-Fi (WPA2/WPA3-Enterprise)
STA AP RADIUS
│ │ │
│── Probe / Auth / Assoc ──────────► │
│ │ │
│ ◄──── 802.1X port "blocked" ──── │
│ │ │
│── EAPOL-Start ──► │
│ ◄── EAP-Request / Identity ── │
│── EAP-Response / Identity ──► │
│ │ (wrap as Access-Request) ─► │
│ │ ◄── Access-Challenge ─── │
│ ◄── EAP-Request (method-specific) ── │
│── EAP-Response (method-specific) ──► │
│ │ … iterate … │
│ │ ─── Access-Accept (with MSK) │
│ ◄── EAP-Success ── │
│ │ │
│ ◄── 4-way handshake (PMK = MSK) ── │
│ │ │
│── data ─────────────────────────────► │
Three loose pieces to know:
- Identity — the supplicant’s response to the first EAP-Request. Often a placeholder (
anonymous@realm) under PEAP/TTLS so the real identity is hidden inside TLS. - MSK (Master Session Key) — 64 bytes derived during the EAP method, transferred from RADIUS server to AP in the Access-Accept. PMK = first 32 bytes of MSK.
- 4-way handshake — same as WPA2-Personal, but the PMK comes from the EAP method instead of PBKDF2(passphrase).
Wired 802.1X
On a switch port:
- Port starts in
Unauthorisedstate — only EAPOL frames can traverse. - After successful EAP, port goes to
Authorised— all frames flow. - Reauthentication can be timed (default 1 hour) or event-driven.
802.1X on switches is the substrate for NAC (Network Access Control). Skipping over the huge number of bypass techniques on wired (MAC-bypass = MAB, hub-on-the-wire, response-rewriting) — those belong on a dedicated NAC page.
EAP method choice
The Authenticator and Supplicant negotiate which EAP method to use; the supplicant must offer one the auth server accepts. Common methods:
| Method | Properties |
|---|---|
| EAP-MD5 | Trivially broken; not used in modern Wi-Fi. |
| EAP-LEAP | Cisco-proprietary, broken. |
| EAP-TLS | Mutual cert-based. Strongest in practice. |
| PEAP-MSCHAPv2 | TLS tunnel + MSCHAPv2 inside. Legacy AD shop default. Vulnerable to credential relay if server cert isn’t pinned. |
| EAP-TTLS | TLS tunnel + arbitrary inner method (PAP, CHAP, MSCHAPv2). |
| EAP-PWD | Password-based; uses dragonfly hash-to-curve (same family as SAE; subject to Dragonblood timing/cache side channels). |
| EAP-FAST | Cisco fork using PACs instead of certs. |
| EAP-AKA / EAP-SIM | Mobile/SIM-based; used by carrier Wi-Fi offload (Passpoint). |
See EAP framework for the inner mechanics.
Common Enterprise misconfigurations
This is where most enterprise Wi-Fi compromises happen:
- No CA validation on the supplicant. Default Windows / Android profiles often don’t verify the RADIUS server cert. A rogue AP terminating the EAP handshake captures the inner credential. PEAP-MSCHAPv2 → relay to legitimate RADIUS, full creds.
- Generic CA validation (e.g. trusting any cert chained to a public CA). An attacker buys a cert for
evil.example.com, presents it as the RADIUS server. - MAC-bypass (MAB) alongside 802.1X — switch falls back to MAC filter if EAP times out. Spoof a MAC (printer, IP phone) and bypass auth entirely.
- Hub-on-the-wire — physically tap behind an authenticated host on a switch port to get auth-by-proxy.
- CVE-2023-52160 / 52161 — supplicant flaws (wpa_supplicant PEAP TLV-Success bypass; IWD state-machine bypass) that bypass RADIUS server auth entirely. See PEAP/IWD bypass.
eaphammer and hostapd-wpe are the standard rogue-RADIUS / RADIUS-relay tools.
See also
- EAP framework — what the inner methods look like.
- RADIUS — the back-end protocol.
- EAP-TLS, PEAP / EAP-TTLS — the dominant Enterprise methods.
- PEAP / IWD bypass — recent supplicant-side bypasses.
References
- IEEE 802.1X-2020.
- RFC 3748 — Extensible Authentication Protocol (EAP).
- Wright + Cache — Hacking Exposed Wireless — Enterprise misconfiguration coverage.