Secure networks

In this topic, you will learn about the shortfalls of traditional networking and solutions that improve your network security to avoid being hacked.

Network security risks in typical Ethernet and Wi-Fi setups

In this section, you will explore the common security risks associated with typical Ethernet and Wi-Fi setups. We’ll examine why these standard networks are often vulnerable to attacks and what makes them easy targets for malicious hackers.

Typical Ethernet and pre-shared key Wi-Fi networks are easy to breach, allowing attackers to quickly escalate their access and reach critical systems. Once inside the network, attackers can use a variety of techniques to gain further access. Networks should be the first line of defense against hackers, but common network setups often fail to stop them.

  • Ethernet: Anyone who gains physical access to the premises, such as a contractor or technician, can plug into a network switch with an Ethernet cable and gain direct network access. Default network switch configurations do not prevent this.

  • Pre-shared key Wi-Fi: When an employee leaves, they still know the Wi-Fi password, and changing it for everyone each time someone leaves is often seen as too difficult or inconvenient. Additionally, current employees can easily share the password with others, increasing the risk of unauthorized access.

The only widely accepted industry standard that provides strong authentication and authorization for each Ethernet port and every Wi-Fi user is 802.1X. Other methods exist but are far less secure and effective compared to 802.1X.

802.1X: The standard for secure network access

In this section, you will learn what 802.1X is and what it enables for network access control. The section explains its role in securing Ethernet and Wi-Fi networks, its use with RADIUS for authentication, and how it forms the basis of WPA-Enterprise in wireless environments.

802.1X (usually pronounced dot-one-ex) is a network access control standard developed by the IEEE (Institute of Electrical and Electronics Engineers), originally published in 2001 and most recently updated in IEEE Std 802.1X-2020. It defines a framework for authenticating users and devices using the Extensible Authentication Protocol (EAP), supporting a range of methods like passwords, certificates, and smart cards across both wired and wireless networks.

  • Ethernet: 802.1X allows network switches to require authentication before granting access to a device plugged into a port. Most managed switches support 802.1X and can be configured to block network access on a port until a valid user or device is authenticated using EAP through a RADIUS server. This prevents unauthorized devices from gaining access just by connecting a cable.

  • Wi-Fi: 802.1X is the foundation of WPA-Enterprise, which is supported by most business-grade access points and wireless controllers. Instead of using a shared Wi-Fi password, each user authenticates individually through EAP and a RADIUS server. This enables per-user access control and makes it much harder for unauthorized users to connect.

In both Ethernet and Wi-Fi setups, 802.1X relies on a RADIUS server to handle the authentication process, verifying the user’s or device’s credentials and informing the switch or access point whether to allow or deny network access. RADIUS is a protocol used to communicate authentication and authorization requests between network devices and an authentication server. In an 802.1X setup, the network device sends user credentials to a RADIUS server using this protocol, and the server verifies the information before granting or denying access.
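As an added example (not code from this page or from Portnox), here is the RADIUS exchange just described written out with both sides: the NAS (switch port or access point) wraps the connecting device's EAP response in an Access-Request, and the RADIUS server answers with an Access-Accept or Access-Reject. The same exchange takes place whether the RADIUS server sits on-site or in the cloud; only its location differs. The shared secret, the user directory and the VLAN numbers are constructed for the demo, and the EAP conversation is collapsed to a single round, whereas a real EAP method goes through several Access-Challenge rounds first.

```python
"""RADIUS Access-Request / Access-Accept between an 802.1X NAS and a RADIUS server,
framed by hand per RFC 2865 with the Message-Authenticator of RFC 2869 / RFC 3579.
Constructed example: EAP collapsed to one round; secret, names and VLANs invented."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
EAP_SUCCESS = b"\x03\x01\x00\x04"  # EAP code 3 (Success), id 1, length 4

def attr(atype, value):
    """One Type-Length-Value attribute; Length covers the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(body):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out

def header(code, ident, body_len):
    return struct.pack("!BBH", code, ident, 20 + body_len)

def signed_body(secret, code, ident, authenticator, attrs):
    """Append a Message-Authenticator: HMAC-MD5 with the secret over the zeroed packet."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = header(code, ident, len(body)) + authenticator + body
    return body[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, code, ident, authenticator, body):
    """Recompute the HMAC with the attribute value zeroed; False if it is absent."""
    offset = 0
    for atype, value in parse_attrs(body):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            pkt = header(code, ident, len(body)) + authenticator + zeroed
            return hmac.compare_digest(hmac.new(secret, pkt, hashlib.md5).digest(), value)
        offset += 2 + len(value)
    return False

def response_authenticator(secret, code, ident, request_auth, body):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, len(body)) + request_auth + body + secret).digest()

def nas_build_access_request(secret, ident, username, eap_response):
    """NAS side (switch port or access point): wrap the EAP response for the server."""
    request_auth = os.urandom(16)  # fresh per request, so replies cannot be replayed
    attrs = [attr(USER_NAME, username), attr(EAP_MESSAGE, eap_response)]
    body = signed_body(secret, ACCESS_REQUEST, ident, request_auth, attrs)
    return header(ACCESS_REQUEST, ident, len(body)) + request_auth + body

def nas_check_response(secret, request, response):
    """NAS side: act on the reply only if bound to our request and our secret.
    Returns (decision, vlan) with decision 'accept', 'reject' or 'drop'."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    request_auth, body = request[4:20], response[20:length]
    if ident != request[1] or length != len(response) or not hmac.compare_digest(
            response[4:20], response_authenticator(secret, code, ident, request_auth, body)):
        return "drop", None  # wrong request, truncated, forged, or signed with another secret
    if not verify_message_authenticator(secret, code, ident, request_auth, body):
        return "drop", None
    if code != ACCESS_ACCEPT:
        return "reject", None
    vlan = next((v[1:].decode() for t, v in parse_attrs(body)
                 if t == TUNNEL_PRIVATE_GROUP_ID), None)  # v[0] is the tunnel tag byte
    return "accept", vlan

def server_handle(secret, request, users):
    """Server side. users maps user name -> VLAN. Returns the reply, or None to discard."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, body = request[4:20], request[20:length]
    if code != ACCESS_REQUEST or not verify_message_authenticator(secret, code, ident, request_auth, body):
        return None  # RFC 3579: a bad or missing Message-Authenticator is silently discarded
    attrs = dict(parse_attrs(body))
    vlan = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    if vlan is None:
        reply_code, reply_attrs = ACCESS_REJECT, []
    else:
        reply_code = ACCESS_ACCEPT
        reply_attrs = [attr(EAP_MESSAGE, EAP_SUCCESS),
                       attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),         # tag 0, VLAN (13)
                       attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),  # tag 0, IEEE 802 (6)
                       attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode())]
    reply_body = signed_body(secret, reply_code, ident, request_auth, reply_attrs)
    resp_auth = response_authenticator(secret, reply_code, ident, request_auth, reply_body)
    return header(reply_code, ident, len(reply_body)) + resp_auth + reply_body

def run_exchange(username, nas_secret, server_secret):
    """One round trip; a secret mismatch (mis-provisioned or rogue NAS) ends in 'drop'."""
    users = {"alice": "100", "printer-svc": "200"}  # constructed directory
    eap_identity = b"\x02\x01" + struct.pack("!H", 5 + len(username)) + b"\x01" + username
    request = nas_build_access_request(nas_secret, 7, username, eap_identity)
    response = server_handle(server_secret, request, users)
    return ("drop", None) if response is None else nas_check_response(nas_secret, request, response)
```

Calling run_exchange(b"alice", b"demo-secret", b"demo-secret") returns ('accept', '100'), an unknown user gets ('reject', None), and a NAS whose secret does not match the server's gets ('drop', None). Two things the packet layout makes visible: the shared secret configured on both the switch and the RADIUS server is what binds the two sides (the NAS proves it with Message-Authenticator, the server with the Response Authenticator), so a reply carrying the wrong secret or a modified attribute is dropped rather than acted on; and the Access-Accept carries the Tunnel-* attributes through which the server tells the switch which VLAN to place the port in, which is how the per-user access control described above is realised at the port. These integrity checks are MD5-based and RADIUS normally runs over plain UDP, so for authentication traffic that leaves the site the usual mitigation is RADIUS over TLS (RadSec, RFC 6614) or an IPsec tunnel, with Message-Authenticator present on every packet.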

Cloud-based 802.1X: The future of network access control

In this section, we explain why cloud-based 802.1X solutions offer a more cost-effective and flexible alternative to traditional on-premises hardware setups.

Cloud-based 802.1X removes the dependency on expensive, specialized hardware and lowers the complexity of managing network access control. It offers greater flexibility, easier scalability, and faster deployment compared to traditional on-premises solutions tied to physical equipment.

  • Traditional 802.1X solutions require buying and maintaining physical hardware, which adds upfront and ongoing costs. Cloud-based solutions handle authentication remotely, removing the need for on-site devices.

  • On-premises setups often need local access for configuration and troubleshooting. Cloud management allows IT teams to control authentication from anywhere through a simple web interface.

  • Adding users or locations to traditional systems means buying more hardware and complex setup. Cloud-based 802.1X scales easily by adjusting resources without physical installation.

  • Updating on-premises equipment requires manual work and scheduled downtime. Cloud services deliver updates automatically, ensuring continuous security improvements.

  • Integrating traditional solutions with modern identity and security systems often requires additional tools and complex setups. Cloud-based 802.1X connects directly to cloud identity platforms and works together with UEM and SIEM solutions, making integration simpler and more efficient.

  • Hardware failures and maintenance cause network downtime in on-premises systems. Cloud providers use redundant infrastructure to reduce disruptions and improve availability.

In a cloud-based 802.1X setup, network devices like switches and access points communicate authentication requests from users or devices to a cloud-hosted RADIUS server. When a device tries to connect, the network equipment forwards its credentials securely to the cloud service, which verifies the information against centralized authentication repositories. Once the user or device is authenticated, the cloud server signals the network device to grant or deny access. This approach removes the need for on-premises authentication hardware and allows for centralized, remote management of network access policies.

A common concern with cloud-based network access control is what happens during an Internet outage, specifically whether users will lose network access if Portnox Cloud becomes temporarily unreachable. In such cases, active sessions are not interrupted and connected users remain online. However, new authentication requests cannot be processed by the cloud during the outage. To address this, Portnox Cloud supports a local cache component that runs on-premises as a virtual machine or Docker container. This local fallback allows previously authenticated users to reauthenticate and maintain access based on cached credentials and policies. New users or devices that have not connected before will be denied access until connectivity to the cloud is restored.

Secure access for devices that can’t use 802.1X

In this section, you will learn how devices that do not support 802.1X can still be securely connected to the network using MAC Authentication Bypass (MAB), and how Portnox helps manage and control access for these devices.

While nearly all modern computers, mobile devices, and operating systems support 802.1X for secure network authentication, many office devices do not. These include printers, IP phones, badge readers, video conferencing systems, and even some IoT devices. Despite their lack of 802.1X support, these devices still need to connect to the network securely. Simply leaving Ethernet ports open for such devices poses a serious security risk – anyone could unplug the device and connect an unauthorized laptop. Likewise, creating a shared Wi-Fi SSID with a common password introduces more risks and undermines the purpose of secure network access.

This is where MAC Authentication Bypass (MAB) comes in. MAB is a fallback authentication method used when a device does not support 802.1X. Instead of using user or certificate-based authentication, MAB identifies a device based on its MAC (Media Access Control) address – a unique hardware identifier assigned to the device’s network interface.

What happens when a non-802.1X device connects to the network?

  1. The device connects to a switch port or wireless access point, but does not initiate 802.1X authentication.

  2. The switch or access point detects the lack of 802.1X response and triggers MAC Authentication Bypass (MAB).

  3. The network device sends the MAC address of the connected device to Portnox Cloud, requesting authentication.

  4. Portnox checks the MAC address against its known devices list and applies the appropriate access control policy.

  5. If the MAC address is recognized and allowed, the device is granted access with the defined permissions (e.g., VLAN assignment or limited access). If the MAC is unknown or blacklisted, access is denied or restricted to a remediation network.

While MAB enables access for non-802.1X devices, it is inherently less secure because MAC addresses can be easily spoofed. Many devices – including most laptop network adapters – allow users to manually set the MAC address, and modern smartphones like iPhones often use randomized MAC addresses to enhance privacy. This poses a challenge for relying on MAC addresses for authentication. For example, an attacker could identify the MAC address of a legitimate device, disconnect it, and then connect their own laptop using the same MAC address.

To prevent this type of spoofing, Portnox Cloud uses an advanced IoT fingerprinting mechanism. This works by analyzing the DHCP traffic a device generates upon connection – traffic patterns that are highly specific to each device type and operating system. If another device later connects using the same MAC address but presents a different DHCP fingerprint, Portnox Cloud immediately identifies the mismatch, issues a warning, and blocks the connection, helping to maintain the integrity of network access.
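As an added example (not Portnox code), the following puts steps 3 to 5 of the MAB flow above next to the fingerprint check: the network device's DHCPDISCOVER is parsed, the MAC is looked up in a known-devices list, and the device's DHCP fingerprint is compared with the one learned when it first connected. Everything in it is constructed for the demo: the device registry, the packets, the VLAN numbers, and the fingerprint itself, which here is DHCP option 55 (parameter request list) plus option 60 (vendor class identifier), two fields DHCP fingerprinting commonly keys on. The page does not document which features Portnox Cloud's mechanism actually uses.

```python
"""MAC Authentication Bypass backed by a DHCP fingerprint check. Constructed example,
not Portnox code: registry, packets and fingerprint definition are assumptions. The
fingerprint used here is DHCP option 55 (parameter request list) plus option 60 (vendor
class identifier), fields DHCP fingerprinting commonly keys on; the page does not say
which features the vendor's mechanism uses."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
REMEDIATION_VLAN = 999  # constructed: quarantine network for unknown devices

def build_dhcp_discover(mac, param_request, vendor_class, xid=0x1234):
    """Construct a minimal DHCPDISCOVER: RFC 2131 fixed header, magic cookie, options."""
    zero4 = b"\x00" * 4
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        zero4, zero4, zero4, zero4, mac.ljust(16, b"\x00"),
                        b"\x00" * 64, b"\x00" * 128)
    options = (b"\x35\x01\x01"                                     # 53: message type DISCOVER
               + bytes([55, len(param_request)]) + param_request
               + bytes([60, len(vendor_class)]) + vendor_class)
    return fixed + MAGIC_COOKIE + options + b"\xff"                # 255: end of options

def parse_dhcp(packet):
    """Return (client hardware address, option map); raise on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                       # pad octet
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return packet[28:28 + hlen], options

def fingerprint(options):
    """Stable string from options 55 and 60; both tend to be OS- and vendor-specific."""
    prl = ",".join(str(b) for b in options.get(55, b""))
    vendor = options.get(60, b"").decode("ascii", errors="replace")
    return "%s|%s" % (prl, vendor)

def mac_str(chaddr):
    return ":".join("%02x" % b for b in chaddr)

def mab_decision(packet, registry, alerts):
    """Steps 3-5 of the MAB flow plus the fingerprint comparison.
    registry: {mac: {"role", "vlan", "fingerprint"}}; fingerprint is None until learned."""
    chaddr, options = parse_dhcp(packet)
    mac, fp = mac_str(chaddr), fingerprint(options)
    entry = registry.get(mac)
    if entry is None:                        # unknown MAC: remediation network
        return {"mac": mac, "action": "restrict", "vlan": REMEDIATION_VLAN}
    if entry["fingerprint"] is None:         # first sighting: learn what this device looks like
        entry["fingerprint"] = fp
    elif entry["fingerprint"] != fp:         # same MAC, different device: block and warn
        alerts.append("MAC %s enrolled as %s now presents fingerprint %r, expected %r"
                      % (mac, entry["role"], fp, entry["fingerprint"]))
        return {"mac": mac, "action": "deny", "vlan": None, "reason": "fingerprint mismatch"}
    return {"mac": mac, "action": "permit", "vlan": entry["vlan"]}

# Constructed sample traffic. The spoofed packet carries a typical Windows-style
# parameter request list and vendor class rather than the printer's.
PRINTER_MAC = bytes.fromhex("001122334455")
PRINTER_DISCOVER = build_dhcp_discover(PRINTER_MAC, bytes([1, 3, 6, 15, 44, 46, 47]),
                                       b"DemoPrint-OS/2.1")
SPOOFED_DISCOVER = build_dhcp_discover(PRINTER_MAC, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46,
                                       47, 119, 121, 249, 252]), b"MSFT 5.0")
UNKNOWN_DISCOVER = build_dhcp_discover(bytes.fromhex("0a0b0c0d0e0f"), bytes([1, 3, 6]), b"")

def new_registry():
    """Known-devices list as an admin enrols it; the fingerprint is learned on first connect."""
    return {"00:11:22:33:44:55": {"role": "printer", "vlan": 30, "fingerprint": None}}

def run_demo():
    """Printer connects twice, then a laptop with the printer's MAC, then an unknown device."""
    registry, alerts = new_registry(), []
    packets = (PRINTER_DISCOVER, PRINTER_DISCOVER, SPOOFED_DISCOVER, UNKNOWN_DISCOVER)
    return [mab_decision(p, registry, alerts)["action"] for p in packets], alerts
```

run_demo() returns the decisions ['permit', 'permit', 'deny', 'restrict'] and one alert naming the printer's MAC. The useful property is that the decision for a known MAC stops being a pure table lookup: the registry entry is bound to how the device behaves on the wire, and the learned fingerprint should be reviewed and locked after enrolment rather than left to relearn, otherwise a device that is first seen while already spoofed would be learned as legitimate.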

Centralized management for 802.1X authentication

In this section, you will learn how cloud-based 802.1X can integrate with your current user databases and authentication systems.

Cloud-based 802.1X works with your existing user databases and authentication systems, so there is no need to create or manage separate credentials. This simplifies administration and enhances security by keeping user management centralized in one place.

  • Reusing existing user repositories like Active Directory, Google Workspace, Okta Workforce Identity, or Entra ID reduces the need to create and maintain multiple accounts, lowering the chance of errors and inconsistencies.

  • Centralized authentication simplifies management by applying consistent access policies across all systems, reducing administrative overhead and improving compliance.

  • Cloud-based 802.1X supports standard protocols to integrate smoothly with common directory services such as LDAP and modern identity providers, enabling flexible deployment.

  • Managing users from a single authentication source improves security by reducing potential attack points.

  • Using familiar authentication platforms speeds up user onboarding and offboarding, ensuring access rights are updated quickly and accurately without extra manual steps.

While these integrations provide significant benefits, Portnox Cloud also offers its own internal authentication repository, which can be used alongside existing systems (for example, to manage contractors) or on its own, without relying on any external directory.

Providing secure access for guests and temporary users

In this section, you will learn how to securely provide limited network access to guests, contractors, and other temporary users who are not included in your organization’s authentication repository, using captive portals and other access controls.

Some users – such as contractors, auditors, temporary workers, visitors, or vendors – are not added to the organization’s main authentication repository but still require Internet or limited network access while on-site. These users need a simplified access method without full onboarding.

Portnox Cloud offers guest access primarily through captive portals, which are functions provided by network access devices (NAS) such as wireless access points, routers, or wireless controllers. Captive portals are used exclusively for Wi-Fi access and do not apply to wired Ethernet connections. The captive portal serves as the authentication gateway for guests, supporting various authentication methods including sponsored guest approval by internal users, SMS confirmation codes sent to the guest’s mobile device, or simple acceptance of terms via a disclaimer.

To enable captive portal functionality, compatible network equipment is required, as Portnox Cloud relies on these devices to enforce captive portal authentication and control network access. Compared to basic captive portals configured solely on network devices, integrating captive portals with Portnox Cloud provides extra benefits:

  • Provides a single, unified portal management interface for guest policies and user accounts, even though captive portals still run on individual network devices

  • Enables advanced guest authentication options like sponsored guest approvals and SMS confirmation codes, which standalone portals may not support

  • Centralizes guest access logging and reporting for compliance, consolidating data from multiple devices into one system

  • Simplifies onboarding and lifecycle management of guest users without configuring each device separately beyond enabling the captive portal function

  • Supports seamless integration with Portnox Cloud’s broader access management ecosystem through a single portal

Contractor accounts offer a solution for users who need broader access than typical guests. These accounts are created directly in Portnox Cloud without adding users to the main authentication repository and use external email addresses. Unlike captive portal guests, contractor accounts support both Wi-Fi and Ethernet access. Since they function like regular user accounts, administrators can assign them to groups, allowing controlled and flexible access to internal resources.

Securing administrative access to network devices

This section explains how TACACS+ can be used with Portnox Cloud to control administrative access to network infrastructure devices such as switches, firewalls, and routers.

TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol commonly used to manage and authenticate administrative access to network devices. It separates authentication, authorization, and accounting (AAA), making it a preferred choice for network device management where fine-grained control is needed over who can run which commands.

Portnox Cloud includes support for TACACS+ via an on-prem component running in a virtual machine or a Docker container. It provides centralized management of admin logins for compatible NAS devices such as enterprise switches, firewalls, and wireless controllers. This allows administrators to define who can access specific devices and which commands they can execute, and to keep full audit logs of access activity – all managed through the same Portnox Cloud interface used for user and device access control.

Benefits of TACACS+ with Portnox Cloud:

  1. Local TACACS+ proxy with cloud policy control – While a lightweight on-premises component is required, all policy logic and user validation happen in the cloud, reducing local configuration complexity.

  2. Centralized management of admin access policies – All TACACS+ access rules are defined and managed in the Portnox Cloud UI, ensuring consistent enforcement across all supported network devices.

  3. Unified identity source – Reuse the same identity providers (e.g., Azure AD, LDAP) configured in Portnox Cloud for user authentication, without managing a separate local database.

  4. Role-based command control – Define what administrative commands or privilege levels are available per user or group across different network device types.

  5. Consolidated auditing – Admin login attempts and executed commands are logged centrally, enabling comprehensive audit trails for compliance and security reviews.

Using Portnox Cloud for TACACS+ removes the need to run and maintain an on-prem TACACS+ server while still allowing advanced AAA policy control for infrastructure devices. This setup is useful in medium to large environments where managing admin access on a per-device basis becomes operationally complex and less secure.
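As an added example (not Portnox code), the following shows the policy side of items 2 to 5 above: a role-based command authorization engine with a central accounting trail, of the kind a TACACS+ server applies per RFC 8907 when a device asks whether a logged-in admin may run a given command. The users, groups, roles, device names and rule syntax (ordered permit/deny regexes matched against the normalized command line, first match wins, implicit deny) are all assumptions made for the demo; the wire protocol itself is not shown.

```python
"""Role-based command authorization and accounting as a TACACS+ policy engine
applies it (RFC 8907 authorization and accounting phases; the wire protocol is
not shown). Constructed example, not Portnox code: users, groups, roles, device
names and rule syntax are assumptions for the demo."""
import re
import time

# Identity-provider groups per admin (constructed; in practice they come from the
# directory already connected to the NAC platform, so there is no second user store).
USERS = {"alice": ["net-admins"], "bob": ["net-readonly"], "carol": ["fw-admins"]}

# Each role: which devices it may log in to (regex on device name) and an ordered
# permit/deny list matched against the normalized command; first match wins and
# anything unmatched is denied.
ROLES = {
    "net-admins":   {"devices": r"^sw-",
                     "rules": [("deny", r"^(reload|erase|write erase|format)\b"), ("permit", r".*")]},
    "net-readonly": {"devices": r"^(sw|fw)-",
                     "rules": [("permit", r"^show\b"), ("permit", r"^(ping|traceroute)\b")]},
    "fw-admins":    {"devices": r"^fw-",
                     "rules": [("deny", r"^no (ip )?access-list\b"), ("permit", r".*")]},
}

ACCOUNTING = []  # central audit trail: one record per login attempt and per command

def normalize(command):
    """Collapse whitespace and case so 'SHOW   run' and 'show run' hit the same rule."""
    return " ".join(command.split()).lower()

def roles_for(user, device):
    """Roles, in group order, that grant this user a login on this device."""
    return [ROLES[g] for g in USERS.get(user, [])
            if g in ROLES and re.search(ROLES[g]["devices"], device)]

def account(**record):
    """Append one accounting record; returned so callers can inspect it."""
    record["ts"] = time.time()
    ACCOUNTING.append(record)
    return record

def authorize_login(user, device):
    """Session-level decision: may this admin log in to this device at all?"""
    allowed = bool(roles_for(user, device))
    account(event="login", user=user, device=device, result="permit" if allowed else "deny")
    return allowed

def authorize_command(user, device, command):
    """Per-command decision; returns (decision, matched_rule or None)."""
    cmd = normalize(command)
    decision, matched = "deny", None  # implicit deny when nothing matches
    for role in roles_for(user, device):
        for action, pattern in role["rules"]:
            if re.search(pattern, cmd):
                decision, matched = action, pattern
                break
        if matched:
            break
    account(event="command", user=user, device=device, command=cmd, result=decision, rule=matched)
    return decision, matched

def audit_trail(user=None):
    """Consolidated view for reviews: every record, or one admin's records."""
    return [r for r in ACCOUNTING if user is None or r["user"] == user]
```

authorize_command("alice", "sw-core-1", "reload") returns ('deny', ...) while "configure terminal" is permitted for the same admin, bob can only run show, ping and traceroute, and carol, who has no role on switches, is denied on sw-core-1 regardless of the command. Each decision lands in ACCOUNTING, which is the consolidated audit record item 5 describes. Two practical caveats: regex-based command control is only as good as the normalization in front of it, so abbreviations and aliases the device accepts (for example "sh run") need rules of their own, and the deny rules belong before any catch-all permit, as in the net-admins role here.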

Meeting regulatory standards with cloud-based 802.1X

In this section, you will learn how cloud-based 802.1X helps organizations meet key regulatory and security standards.

Standards like PCI-DSS, HIPAA, GDPR, and ISO/IEC 27001 require organizations to control and monitor access to their networks. Cloud-based 802.1X enforces user and device authentication before network access, fulfilling access control requirements. Its centralized logging and reporting provide the audit trails needed to prove compliance. Continuous monitoring supports risk management and timely incident response, which are key parts of these standards.

  • PCI-DSS (Payment Card Industry Data Security Standard): Helps meet Requirement 8 (Identify and authenticate access to system components) by enforcing strong user and device authentication before network access. Also supports Requirement 10 (Track and monitor all access to network resources) through centralized logging of authentication events.

  • HIPAA (Health Insurance Portability and Accountability Act): Addresses the Security Rule’s Access Control Standard by restricting network access to authorized users and devices. Provides audit controls for access monitoring and helps with the Integrity Standard by preventing unauthorized access to protected health information.

  • GDPR (General Data Protection Regulation): Supports Article 32 (Security of processing) by implementing appropriate access controls to protect personal data. Provides audit logs that help demonstrate accountability and compliance with data protection principles.

  • ISO/IEC 27001 (Information Security Management): Aligns with Annex A.9 (Access Control) by enforcing user authentication and authorization on network devices. Supports Annex A.12.4 (Logging and Monitoring) with detailed records of access attempts and changes, enabling audit readiness.

Cloud-based 802.1X provides easier management and clearer audit information, helping organizations meet such regulatory requirements without the complexity of traditional hardware-based solutions.