| name | implementing-network-access-control |
| description | 'Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch configurations to enforce identity-based access policies, posture assessment, and automatic VLAN assignment for authorized devices. ' |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - network-security - nac - 802.1x - radius - packetfence |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Implementing Network Access Control
When to Use
- Enforcing identity-based network access where only authenticated and compliant devices connect to the network
- Implementing zero-trust networking at the access layer with dynamic VLAN assignment based on user role
- Quarantining non-compliant devices that fail endpoint posture checks (missing patches, disabled AV)
- Meeting compliance requirements (PCI-DSS, HIPAA, SOC 2) for network access controls
- Onboarding BYOD devices with automated provisioning and limited network access
Do not use as a standalone security solution without complementary controls, for networks with devices that do not support 802.1X supplicants, or without proper fallback mechanisms for critical infrastructure.
Prerequisites
- RADIUS server (FreeRADIUS, Microsoft NPS, or Cisco ISE) configured with user/device authentication
- Managed switches supporting 802.1X port-based authentication
- Certificate Authority for EAP-TLS certificate distribution (optional but recommended)
- PacketFence or similar NAC platform for posture assessment and remediation
- Active Directory or LDAP directory for centralized user authentication
- DHCP server integration for dynamic IP assignment per VLAN
Workflow
Step 1: Install and Configure FreeRADIUS
sudo apt install -y freeradius freeradius-utils freeradius-ldap
sudo tee /etc/freeradius/3.0/clients.conf << 'EOF'
client switch-core-01 {
ipaddr = 10.10.100.1
secret = R4d1u5_S3cr3t_K3y!
shortname = core-switch
nastype = cisco
}
client switch-access-01 {
ipaddr = 10.10.100.10
secret = R4d1u5_S3cr3t_K3y!
shortname = access-switch-01
nastype = cisco
}
client switch-access-02 {
ipaddr = 10.10.100.11
secret = R4d1u5_S3cr3t_K3y!
shortname = access-switch-02
nastype = cisco
}
EOF
sudo tee /etc/freeradius/3.0/mods-available/ldap << 'EOF'
ldap {
server = 'ldap://dc01.corp.example.com'
identity = 'CN=radius-svc,OU=Service Accounts,DC=corp,DC=example,DC=com'
password = 'ServiceAccountPassword123!'
base_dn = 'DC=corp,DC=example,DC=com'
user {
base_dn = "${..base_dn}"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}
group {
base_dn = "${..base_dn}"
filter = "(objectClass=group)"
membership_attribute = 'memberOf'
}
}
EOF
sudo ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/ldap
Step 2: Configure VLAN Assignment Policies
sudo tee /etc/freeradius/3.0/policy.d/vlan-assignment << 'EOF'
vlan_assignment {
if (&LDAP-Group[*] == "CN=IT-Staff,OU=Groups,DC=corp,DC=example,DC=com") {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "10"
}
}
elsif (&LDAP-Group[*] == "CN=Developers,OU=Groups,DC=corp,DC=example,DC=com") {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "15"
}
}
elsif (&LDAP-Group[*] == "CN=Finance,OU=Groups,DC=corp,DC=example,DC=com") {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "20"
}
}
else {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "40"
}
}
}
EOF
sudo tee /etc/freeradius/3.0/mods-available/eap << 'EAPEOF'
eap {
default_eap_type = peap
timer_expire = 60
max_sessions = 4096
tls-config tls-common {
private_key_file = /etc/freeradius/3.0/certs/server.key
certificate_file = /etc/freeradius/3.0/certs/server.pem
ca_file = /etc/freeradius/3.0/certs/ca.pem
dh_file = /etc/freeradius/3.0/certs/dh
cipher_list = "HIGH:!aNULL:!MD5"
tls_min_version = "1.2"
}
peap {
tls = tls-common
default_eap_type = mschapv2
virtual_server = inner-tunnel
}
tls {
tls = tls-common
}
}
EAPEOF
sudo freeradius -X
radtest testuser TestPassword123 localhost 0 testing123
Step 3: Configure 802.1X on Cisco Switches
! Enable AAA on the switch
enable
configure terminal
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Configure RADIUS server
radius server FREERADIUS
address ipv4 10.10.100.200 auth-port 1812 acct-port 1813
key R4d1u5_S3cr3t_K3y!
exit
! Enable 802.1X globally
dot1x system-auth-control
! Configure access ports for 802.1X
interface range GigabitEthernet1/0/1-24
switchport mode access
switchport access vlan 999
authentication port-control auto
authentication order dot1x mab
authentication priority dot1x mab
dot1x pae authenticator
dot1x timeout tx-period 10
mab
authentication event fail action authorize vlan 999
authentication event no-response action authorize vlan 40
authentication host-mode multi-auth
spanning-tree portfast
exit
! Configure MAB (MAC Authentication Bypass) for devices without 802.1X
! Devices like printers, IP phones that cannot run a supplicant
interface range GigabitEthernet1/0/25-36
switchport mode access
switchport access vlan 999
authentication port-control auto
authentication order mab
mab
authentication event fail action authorize vlan 999
authentication host-mode single-host
spanning-tree portfast
exit
! Configure guest VLAN for unauthenticated devices
interface range GigabitEthernet1/0/1-24
authentication event no-response action authorize vlan 40
authentication event fail action authorize vlan 999
exit
! Configure critical VLAN for RADIUS server unavailability
interface range GigabitEthernet1/0/1-36
authentication event server dead action authorize vlan 10
authentication event server alive action reinitialize
exit
Step 4: Deploy PacketFence NAC for Posture Assessment
curl -fsSL https://inverse.ca/downloads/GPG_PUBLIC_KEY | sudo gpg --dearmor -o /etc/apt/keyrings/inverse.gpg
echo "deb [signed-by=/etc/apt/keyrings/inverse.gpg] https://inverse.ca/downloads/PacketFence/debian bookworm bookworm" | \
sudo tee /etc/apt/sources.list.d/packetfence.list
sudo apt update && sudo apt install -y packetfence
sudo /usr/local/pf/bin/pfcmd configreload
sudo tee -a /usr/local/pf/conf/switches.conf << 'EOF'
[10.10.100.10]
description=Access Switch 01
type=Cisco::Catalyst_2960
mode=production
radiusSecret=R4d1u5_S3cr3t_K3y!
SNMPVersion=2c
SNMPCommunityRead=public
SNMPCommunityWrite=private
VlanMap=Y
registrationVlan=40
isolationVlan=999
normalVlan=10
EOF
Step 5: Configure Supplicant on Endpoints
sudo tee /etc/wpa_supplicant/wpa_supplicant-wired.conf << 'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=PEAP
identity="[email protected]"
password="UserPassword123"
ca_cert="/etc/ssl/certs/corporate-ca.pem"
phase2="auth=MSCHAPV2"
}
EOF
sudo wpa_supplicant -i eth0 -D wired -c /etc/wpa_supplicant/wpa_supplicant-wired.conf -B
wpa_cli -i eth0 status
Step 6: Test and Validate NAC Deployment
Key Concepts
| Term | Definition |
|---|
| 802.1X | IEEE standard for port-based network access control that authenticates devices before granting network access via EAP and RADIUS |
| RADIUS | Remote Authentication Dial-In User Service protocol used by network devices to authenticate users and receive authorization attributes (VLAN, ACL) |
| MAB (MAC Authentication Bypass) | Fallback authentication method that uses a device's MAC address as credentials for devices that cannot run an 802.1X supplicant |
| EAP-PEAP | Protected Extensible Authentication Protocol that wraps EAP in a TLS tunnel, commonly used with MSCHAPv2 for username/password authentication |
| Posture Assessment | Evaluation of endpoint compliance status (OS patches, antivirus, encryption) before granting full network access |
| Dynamic VLAN Assignment | RADIUS-driven automatic VLAN placement based on user identity, group membership, or device type, eliminating static port-based VLAN configuration |
Tools & Systems
- FreeRADIUS: Open-source RADIUS server supporting EAP-TLS, PEAP, LDAP integration, and dynamic VLAN assignment
- PacketFence: Open-source NAC solution providing 802.1X integration, posture assessment, captive portal, and device registration
- Cisco ISE: Enterprise NAC platform with profiling, posture, guest management, and TrustSec integration
- wpa_supplicant: Open-source 802.1X supplicant for Linux and embedded systems supporting EAP-TLS, PEAP, and TTLS
- Microsoft NPS: Windows Server RADIUS implementation integrating natively with Active Directory for 802.1X authentication
Common Scenarios
Scenario: Deploying 802.1X NAC in a Hospital Network
Context: A hospital needs to enforce network access control to meet HIPAA requirements. The network includes clinical workstations (domain-joined), medical devices (no 802.1X support), physician BYOD devices, and guest WiFi. The deployment must not disrupt patient care if the RADIUS server becomes unavailable.
Approach:
- Deploy FreeRADIUS integrated with Active Directory for user authentication and group-based VLAN assignment
- Configure domain-joined workstations for EAP-PEAP via Group Policy with auto-enrollment
- Register medical devices (infusion pumps, monitors) for MAB authentication using their MAC addresses in the RADIUS database
- Configure switches with authentication order dot1x then mab, with critical VLAN fallback to the clinical VLAN if RADIUS is unreachable
- Deploy PacketFence captive portal for physician BYOD onboarding with limited-access VLAN
- Configure posture checks requiring Windows Update compliance and BitLocker encryption for full access
- Test failover scenarios by stopping RADIUS and verifying devices remain on critical VLAN without disruption
Pitfalls:
- Not configuring critical VLAN fallback, causing devices to lose network access when RADIUS is unavailable
- MAB MAC address databases becoming stale as medical devices are replaced or moved
- 802.1X timeouts causing delays at workstation login, especially with slow RADIUS responses
- Not testing multi-host mode on ports with IP phones and workstations daisy-chained
Output Format
## NAC Deployment Report
**RADIUS Server**: freeradius-01 (10.10.100.200)
**NAC Platform**: PacketFence 13.1
**Switches Configured**: 12 access switches
**Total Ports**: 576 access ports
### Authentication Summary (24-hour)
| Auth Type | Success | Failure | Total |
|-----------|---------|---------|-------|
| 802.1X (PEAP) | 342 | 12 | 354 |
| MAB | 87 | 3 | 90 |
| Guest Portal | 23 | 5 | 28 |
### VLAN Assignment Distribution
| VLAN | Name | Assigned Devices |
|------|------|------------------|
| 10 | Corporate | 245 |
| 15 | Development | 67 |
| 20 | Finance | 30 |
| 40 | Guest | 23 |
| 50 | Medical Devices | 87 |
| 999 | Quarantine | 15 (posture fail) |
### Compliance Status
- 802.1X coverage: 100% of access ports
- Posture pass rate: 95.8% (15 devices quarantined for missing patches)
- RADIUS failover tested: Successful (critical VLAN activated in 3 seconds)
