Enterprise Wireless: 802.1X and RADIUS
Explore how 802.1X port-based authentication and RADIUS servers authenticate each wireless client individually without sharing a common passphrase.
Why Enterprise Wireless Needs 802.1X
WPA2-Personal uses a single shared passphrase known to all authorized users. If one employee leaves the organization or if the passphrase is shared with an unauthorized person, the entire network is compromised and the passphrase must be changed for everyone. 802.1X eliminates this problem by giving each user or device unique credentials, so revoking access for one employee does not affect others. This is the foundational reason why enterprise environments use 802.1X over PSK — granular, per-identity access control.
802.1X Components: Supplicant, Authenticator, AS
The 802.1X framework has three roles. The supplicant is the client device (laptop, phone) that wants network access. The authenticator is the network device (wireless AP or switch) that enforces access — it forwards credentials but does not validate them itself. The Authentication Server (AS), typically a RADIUS server, validates the credentials and tells the authenticator whether to grant or deny access. This three-party design separates the enforcement point from the validation logic, enabling centralized policy management.
# 802.1X authentication flow:
# Supplicant (client) <--> Authenticator (AP/switch) <--> RADIUS Server
#
# 1. Client connects to AP
# 2. AP blocks all traffic except EAP (port controlled)
# 3. AP forwards EAP messages to RADIUS via RADIUS protocol
# 4. RADIUS validates credentials
# 5. RADIUS sends Access-Accept + VLAN assignment
# 6. AP opens port for client traffic
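
Step 5 of the flow above, seen from the authenticator, as an added example that is not part of the original lesson: the AP verifies the RADIUS Response Authenticator (RFC 2865) with the shared secret before trusting the reply, then reads the VLAN from the tunnel attributes (RFC 3580). The function names, shared secret, and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868

def build_reply(code, ident, request_auth, attrs, secret):
    """RADIUS-server side: serialize a reply and sign it (RFC 2865, section 3)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def vlan_from_reply(packet, request_auth, secret):
    """Authenticator side: verify the reply, return the assigned VLAN ID or None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")  # forged or altered reply
    if packet[0] != ACCESS_ACCEPT:
        return None  # Access-Reject or Access-Challenge: the port stays closed
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    # RFC 3580 VLAN assignment: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6)
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != b"\x00\x00\x0d"
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != b"\x00\x00\x06"):
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:
        group = group[1:]  # strip the optional tag octet
    return int(group.decode("ascii")) if group.isdigit() else None

# Constructed sample values (not from a real deployment)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, [
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
    (TUNNEL_PRIVATE_GROUP_ID, b"20"),
], SECRET)

if __name__ == "__main__":
    print("assigned VLAN:", vlan_from_reply(SAMPLE, REQ_AUTH, SECRET))
```

A reply whose VLAN attribute was changed in transit, or one signed with a different shared secret, fails the authenticator check and is rejected before any attribute is read.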