
Difference between TACACS+ and RADIUS

Last Updated : 26 Oct, 2021

Prerequisite – TACACS+, and RADIUS

To provide a centralized management system for the authentication, authorization, and accounting (AAA
framework), Access Control Server (ACS) is used. For the communication between the client and the ACS
server, two protocols are used namely TACACS+ and RADIUS.

TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary protocol used for
communication between a Cisco client and a Cisco ACS server. It uses TCP port 49, and TCP's connection-oriented
delivery is what makes it reliable.

RADIUS –

Remote Authentication Dial-In User Service (RADIUS) is an open standard protocol used for communication
between an AAA client and an ACS server from any vendor. If either the client or the server is from a vendor
other than Cisco, RADIUS must be used. It uses port 1812 for authentication and authorization and 1813 for
accounting.

Similarities –

The process is started by the Network Access Device (NAD, the TACACS+ or RADIUS client). The NAD contacts the
TACACS+ or RADIUS server and transmits the authentication request (username and password). First, the NAD
obtains the username prompt and transmits the username to the server; then the NAD contacts the server again
to obtain the password prompt and sends the password to the server.

The server replies with an access-accept message if the credentials are valid; otherwise it sends an
access-reject message to the client. Authorization and accounting differ between the two protocols, because
RADIUS combines authentication and authorization in a single exchange.

Differences –

TACACS+ | RADIUS
Cisco proprietary protocol. | Open standard protocol.
Uses TCP as the transport protocol. | Uses UDP as the transport protocol.
Uses TCP port 49. | Uses UDP port 1812 for authentication and authorization and 1813 for accounting.
Authentication, Authorization, and Accounting are separated in TACACS+. | Authentication and Authorization are combined in RADIUS.
All the AAA packets are encrypted. | Only the password is encrypted; other information such as the username and accounting data is not encrypted.
Preferably used for ACS. | Used when ISE is used.
Provides more granular control, i.e. it can specify the particular commands a user is authorized to run. | No external authorization of commands is supported.
Offers multiprotocol support. | No multiprotocol support.
Used for device administration. | Used for network access.

Advantages (TACACS+ over RADIUS) –

Because TACACS+ uses TCP, it is more reliable than RADIUS.

TACACS+ provides more control over the authorization of commands, whereas RADIUS supports no external
authorization of commands.

All the AAA packets are encrypted in TACACS+, while only the passwords are encrypted in RADIUS, so TACACS+
is more secure.

Advantage (RADIUS over TACACS+) –

Because RADIUS is an open standard, it can be used with other vendors' devices, whereas TACACS+, being
Cisco proprietary, can be used only with Cisco devices.

It has more extensive accounting support than TACACS+.
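The encryption difference in the table above is the one that matters most to a defender, so here is an added example (not part of the original article) that builds a minimal RADIUS Access-Request per RFC 2865 and a TACACS+ authentication START packet per RFC 8907 from the same username and password, and checks which one leaves the username readable on the wire. The shared secret, session id, port and client address are constructed sample values; note that both mechanisms are MD5-based keyed obfuscation rather than authenticated encryption.

```python
import hashlib
import struct

# ---- RADIUS (RFC 2865 section 5.2): only the User-Password value is hidden ----

def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Hide a User-Password value. The password is NUL-padded to a multiple of
    16 octets; chunk i is XORed with MD5(secret + c_{i-1}), where c_0 is the
    16-octet Request Authenticator. Only this one attribute is covered."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(secret, authenticator, username, password, identifier=1):
    """Access-Request (Code 1): 20-octet header, User-Name (type 1) in
    cleartext, User-Password (type 2) hidden as above."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

# ---- TACACS+ (RFC 8907 section 4.5): the whole body after the header is hidden ----

TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02  # PAP: password travels in the START data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1});
    pseudo_pad = MD5_1 || MD5_2 || ... truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_authen_start_body(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START body: 8 fixed octets, then user, port, rem_addr, data."""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password

def tacacs_packet(session_id: int, key: bytes, seq_no: int, body: bytes) -> bytes:
    """12-octet cleartext header (flags=0: body obfuscated) + body XOR pseudo_pad."""
    pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(x ^ y for x, y in zip(body, pad))

def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body with the shared key; XOR with the same pad is its own inverse."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(x ^ y for x, y in zip(packet[12:12 + length], pad))

def username_exposure(secret: bytes, authenticator: bytes, user: bytes, password: bytes):
    """Constructed comparison: is the username readable in the captured packet?
    Returns (visible_in_radius, visible_in_tacacs)."""
    rad = radius_access_request(secret, authenticator, user, password)
    body = tacacs_authen_start_body(user, b"vty0", b"192.0.2.10", password)  # sample port/address
    tac = tacacs_packet(0x1234ABCD, secret, 1, body)                         # sample session id
    return user in rad, user in tac

if __name__ == "__main__":
    # Constructed sample values; the shared secret is not a real one.
    print(username_exposure(b"example-shared-secret", bytes(range(16)), b"alice", b"Winter2021!"))
```

Running it prints `(True, False)`: the RADIUS User-Name attribute is sent in the clear while the whole TACACS+ body, username included, is hidden.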

---------------------

AAA RADIUS TACACS+ Questions & Answers with Explanation – 200-301 CCNA

By orbitco | 28th May 2018

This is an updated set of CCNA AAA RADIUS TACACS+ exam questions (2020). You might see different IP
addressing and port allocation.

As usual, take time to read through each question (three times if possible) so as to clearly understand what
the question is about.

Note: These AAA RADIUS TACACS+ questions and answers are used for demonstration only; you might come across
different IP addressing, configuration and port allocation in the real CCNA exam. It all works the same way,
so try to understand the technique.

I suggest you use packet tracer for practice.


1. Which server will centralize authentication for all Cisco routers and switches?

A. Active Directory server


B. AAA server

C. 802.1x server

D. Terminal server

Answer B.

Explanation

The AAA server will centralize authentication for Cisco routers and switches.

AAA stands for authentication, authorization, and accounting. It is pronounced “triple A.”

2. Which protocol and port does RADIUS authentication use?

A. UDP/1845

B. UDP/1645

C. TCP/1645

D. UDP/1911

Answer B.
Explanation

RADIUS authentication uses the UDP protocol and port 1645 for communications between the switch or
router and the AAA server.

3. Which authentication protocol for AAA servers is used to secure Telnet authentication?

A. 802.1x

B. TACACS+

C. AD

D. EAP

Answer B.

Explanation

TACACS+ (Terminal Access Controller Access Control System) is a protocol used for communications
between a switch or router and the AAA server for authenticating users.

4. Which port and protocol does TACACS+ use?

A. UDP/69
B. TCP/74

C. UDP/47

D. TCP/49

Answer D.

Explanation

TACACS+ uses TCP and port 49 for communications between the switch or router and the AAA server.

5. Which is a benefit of using TACACS+ for authentication of users?

A. It is an open standard.

B. It encrypts the password of users.

C. It supports authenticating a user to a subset of commands.


D. It supports authenticating a user to a length of time.

Answer C.

Explanation

TACACS+ is a Cisco-defined protocol. One of its useful features is that it can authenticate a user and allow
that user to access only certain commands on the router or switch.

6. Which command will configure the router to use a TACACS+ server and a backup of local for
authentication of logins?

A. Router(config)#aaa authentication login default group tacacs+ local

B. Router(config)#authentication login group tacacs+ local

C. Router(config)#aaa-authentication login default tacacs+ local

D. Router(config)#aaa authentication login tacacs+ local

Answer A.
Explanation

The command aaa authentication login default group tacacs+ local configures AAA authentication for login
using the default list: the group of TACACS+ servers is tried first, with local authentication as the
backup.

7. You configured the AAA authentication for login to default local but forgot to create a local AAA
user. What will happen when you log out?

A. The enable secret will work.

B. The console will still be available.

C. The router will lock you out.

D. Nothing, since a username and password have not been set.

Answer C.

Explanation

The router will lock you out since you have not provided a local account to login with. The password
recovery procedure would need to be performed if the configuration was saved.
8. Why should you always provide a second method of local when setting up AAA remote
authentication with a router or switch?

A. To allow for a backdoor

B. To provide a backup if the TACACS+ server is down or unreachable

C. The local second method is required

D. All of the above

Answer B.

Explanation

The local second method should always be configured. This will ensure that if the router’s connection to
the AAA server is down, you can still gain access to diagnose or repair.

9. Which command will configure the RADIUS server 192.168.1.7 with a secret of aaaauth?

A. Router(config)#radius host 192.168.1.7 key aaaauth

B. Router(config)#radius-server host 192.168.1.7 key aaaauth

C. Router(config)#radius-server 192.168.1.7 key aaaauth


D. Router(config)#radius-server host 192.168.1.7 secret aaaauth

Answer B.

Explanation

The command radius-server host 192.168.1.7 key aaaauth will configure the RADIUS server 192.168.1.7 with a
secret key of aaaauth.

10. Which protocol will encrypt the entire packet from the switch or router to the AAA server?

A. 802.1x

B. IPSEC

C. RADIUS

D. TACACS+
Answer D.

Explanation

The TACACS+ protocol will encrypt the entire packet from the switch or router to the AAA server.

What is 802.1X? How Does it Work?

802.1X can be a complex topic to digest and, like the rest of networking, it can be overwhelming to know where
to start learning about it. Luckily, we've been fortunate enough to have worked with 802.1X since its
inception, and did the best job we could to explain everything we know about it. Below we will cover
how 802.1X works, its components, what it is used for, vulnerabilities, how to set it up, and much
more.

What is IEEE 802.1X?

Devices attempting to connect to a LAN or WLAN require an authentication mechanism. IEEE 802.1X, an
IEEE Standard for Port-Based Network Access Control (PNAC), provides protected authentication for
secure network access.

An 802.1X network is different from home networks in one major way; it has an authentication server
called a RADIUS Server. It checks a user's credentials to see if they are an active member of the
organization and, depending on the network policies, grants users varying levels of access to the
network. This allows unique credentials or certificates to be used per user, eliminating the reliance on a
single network password that can be easily stolen.

KEY TAKEAWAYS

802.1X is an authentication protocol to allow access to networks with the use of a RADIUS server.

802.1X and RADIUS based security is considered the gold standard to secure wireless and wired
networks today.

How Does 802.1X Work?


802.1X is a network authentication protocol that opens ports for network access when an organization
authenticates a user's identity and authorizes them for access to the network. The user's identity is
determined based on their credentials or certificate, which is confirmed by the RADIUS server. The
RADIUS server is able to do this by communicating with the organization's directory, typically over the
LDAP or SAML protocol.

KEY TAKEAWAYS

802.1X gives the device access to the protected side of the network after authentication.

802.1X offers a few different ways to authenticate, such as username/password, certificates, OTP, etc.

What is 802.1X EAP Security?

The standard authentication protocol used on encrypted networks is Extensible Authentication Protocol
(EAP), which provides a secure method to send identifying information over-the-air for network
authentication. 802.1X is the standard that is used for passing EAP over wired and wireless Local Area
Networks (LAN). It provides an encrypted EAP tunnel that prevents outside users from intercepting
information.

The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital
certificate (EAP-TLS) authentication and is a highly secure method for protecting the authentication
process.

WPA2-Enterprise Protocols

Protocol | Level of Encryption | Authentication Speed | Directory Support | User Experience
EAP-TLS | Public-Private Key Cryptography | Fast – 12 Steps | SAML/LDAP/MFA Servers | Best
PEAP-MSCHAPV2 | Encrypted Credentials | Slow – 22 Steps | Active Directory | Acceptable
EAP-TTLS/PAP | Non-Encrypted Credentials | Slowest – 25 Steps | Non-AD LDAP Servers | Poor

KEY TAKEAWAYS

EAP is the tunnel that transfers a user’s identifying information from client to server.

EAP tunnels most often use username/password or certificates

Not all EAP tunnels are created equal: man-in-the-middle attacks are easier to perform against
username/password authentication.
What is 802.1X Used For?

802.1X is used for secure network authentication. If you are an organization dealing with valuable and
sensitive information, you need a secure method of transporting data. 802.1X is used so devices can
communicate securely with access points (enterprise-grade routers). It was historically only used by large
organizations like enterprises, universities, and hospitals, but is rapidly becoming adopted by smaller
businesses because of the growing threats in cyber security.

802.1X is often referred to as WPA2-Enterprise. In contrast, the Pre-Shared Key network security most
often used at home is referred to as WPA2-Personal. WPA2-Personal is not sufficient for any organization
dealing with sensitive information and can put organizations at serious risk for cyber crimes.

KEY TAKEAWAYS

Used to secure connections to wired and wireless networks via rotating key security and avoiding
Open/Un-Encrypted or static key (PSK) connections

802.1X is used in corporate and campus settings where users get authorized or removed from network
access as they enter and leave the organization

Are IEEE 802.1X and Wi-Fi the Same?

Almost. The IEEE 802.1X standard was first designed for use in wired Ethernet networks. Wi-Fi is a
trademarked phrase that refers to the IEEE 802.11x standard specifically – a modified version of the
original standard.

That being said, most security and networking professionals use the term 802.1X for both wired and
wireless networks if they are using WPA2-Enterprise security.

What is Wired 802.1X?

Authenticating a wired network connection for 802.1X is a similar process to wireless. The wired network
user must connect to the secure network from their device and present a signed certificate or valid
credentials to authenticate their identity.

The primary difference is instead of establishing a secure connection with a wireless switch, your device
must be Ethernet connected and authenticate to an 802.1X-capable switch. The device and RADIUS
server establish trust over the wired connection and if the user is recognized, they will be authorized for
secure network use.

How Secure is 802.1X?

When used correctly, it is the gold standard of network authentication security. It can prevent over-the-air
credential theft attacks like Man-in-the-Middle attacks and Evil Twin proxies. It is much more secure than
Pre-Shared Key networks, which are typically used in personal networks.

However, 802.1X security can vary greatly depending on two factors. The first variable occurs if end users
are left to manually configure their devices. The configuration process requires high-level IT knowledge
to understand and if one step is incorrect, they are left vulnerable to credential theft. We highly
recommend using dedicated 802.1X onboarding software instead.

The second variable depends on whether an organization is using credential-based authentication or
certificate-based authentication. Certificate-based EAP-TLS significantly reduces an organization's risk for
credential theft and is the most secure way to use 802.1X. Not only does it stop credentials from being
sent over the air where they can be easily stolen, but it forces users to go through an
enrollment/onboarding process that ensures their devices are configured correctly.

KEY TAKEAWAYS

One of the most secure protocols for network authentication, trumping WPA2/3-PSK and
Open/Unencrypted connections

Requires precise configuration; mistakes made by users lead to security compromise.

Digital certificates instead of username/password based 802.1X mitigates security issues

Is 802.1X Encrypted?

Yes, 802.1X is encrypted.

802.1X WPA is generally reserved for personal networks, such as your home Wi-Fi, and runs on RC4-
based TKIP (Temporal Key Integrity Protocol) encryption. It's less secure than WPA2, but usually sufficient
for home use.
802.1X WPA2 could utilize TKIP, but generally chooses AES (Advanced Encryption Standard), which is the
most secure standard available. It is a little more difficult and costly to set up however, so it's used in
higher-stake environments like businesses.

The Components of 802.1X

There are just a few components that are needed to make 802.1X work. Realistically, if you already have
access points and some spare server space, you possess all the hardware needed to make secure
wireless happen. Sometimes you don't even need the server; some access points come with built-in
software that can operate 802.1X (though only for the smallest of small deployments).

Regardless of whether you purchase professional solutions or build one yourself from open source tools,
the quality and ease of 802.1X is entirely a design aspect.

KEY TAKEAWAYS

802.1X only includes four major components: client, access-point/switch, RADIUS server, and identity
provider

Client / Supplicant

In order for a device to participate in the 802.1X authentication, it must have a piece of software called a
supplicant installed in the network stack. The supplicant is necessary as it will participate in the initial
negotiation of the EAP transaction with the switch or controller and package up the user's credentials in
a manner compliant with 802.1X. If a client does not have a supplicant, the EAP frames sent from the
switch or controller will be ignored and the switch will not be able to authenticate.

Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built-
in. SecureW2 provides an 802.1X supplicant for devices that don't have one natively.

Thankfully, the vast majority of device manufacturers have built-in support for 802.1X. The most
common exceptions to this might be consumer gear, such as game consoles, entertainment devices or
some printers. Generally speaking, these devices should be less than 10% of the devices on your network
and are best treated as the exception rather than the focus.

KEY TAKEAWAYS

Software on the device that contains the configuration and connection data (certificates/credentials)
which is sent to the access-point/switch

Requires devices to be set up precisely to avoid credential theft if username/password authentication is
used. Consider configuration software or switching to certificate-based authentication.

Most OSs going back 10-15 years have 802.1X support; IoT support is lacking but catching up.

Switch / Access Point / Controller

The switch or wireless controller plays an important role in the 802.1X transaction by acting as a 'broker'
in the exchange. The client does not have network connectivity until there is a successful authentication,
and the only communication is between the client and the switch in the 802.1X exchange.

The switch/controller initiates the exchange by sending an EAPOL-Start packet to the client when the
client connects to the network. The client's responses are forwarded to the correct RADIUS server based
on the configuration in the Wireless Security Settings. When the authentication is complete, the
switch/controller makes a decision whether to authorize the device for network access based on the
user's status and possibly the attributes contained in the Access-Accept packet sent from the RADIUS
server.

If the RADIUS server sends an Access-Accept packet as a result of an authentication, it may contain
certain attributes that provide the switch with information on how to connect the device on the
network. Common attributes will specify which VLAN to assign a user to, or possibly a set of ACLs (Access
Control Lists) the user should be given once connected. This is commonly called 'User Based Policy
Assignment' as the RADIUS server is making the decision based on user credentials. Common use cases
would be to push guest users to a 'Guest VLAN' and employees to an 'Employee VLAN'.
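The 'User Based Policy Assignment' just described rides on three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID) plus optional Filter-Id entries for ACLs. The following added example, which is not part of the original article or any vendor's code, constructs such an Access-Accept and shows what an authenticator has to do before acting on it: verify the RFC 2865 Response Authenticator against the shared secret, parse the attribute TLVs defensively, and only honour a VLAN when the complete tagged triple is present. The secret, request authenticator, VLAN name and ACL name are constructed sample values.

```python
import hashlib
import hmac
import struct

RADIUS_ACCESS_ACCEPT = 2
# Attribute types (RFC 2865 / RFC 2868) and the values that mean "assign this VLAN"
ATTR_FILTER_ID = 11
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

def parse_attributes(data: bytes):
    """Split the attribute area into (type, value) pairs; each TLV is type(1)
    length(1) value(length-2). Truncated or zero-length TLVs are rejected."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def split_tunnel_tag(value: bytes):
    """RFC 2868: a leading octet in 0x00..0x1F is a tag that groups tunnel
    attributes (0x00 = untagged); anything larger is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Without this check a forged reply could hand a port the employee VLAN."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def policy_from_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> dict:
    """Return {'vlan': group id or None, 'acls': [Filter-Id, ...]} for a verified
    Access-Accept. A VLAN is honoured only when one tag carries the full triple."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the trusted RADIUS server")
    groups, acls = {}, []
    for t, v in parse_attributes(packet[20:]):
        if t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tunnel_tag(v)
            groups.setdefault(tag, {})[t] = body
        elif t == ATTR_FILTER_ID:
            acls.append(v.decode("ascii"))
    vlan = None
    for g in groups.values():
        if (int.from_bytes(g.get(ATTR_TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(g.get(ATTR_TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in g):
            vlan = g[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
            break
    return {"vlan": vlan, "acls": acls}

def build_access_accept(ident: int, request_authenticator: bytes, secret: bytes, attrs) -> bytes:
    """Server side of the exchange, so the parser can be exercised offline."""
    area = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    head = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(area))
    resp_auth = hashlib.md5(head + request_authenticator + area + secret).digest()
    return head + resp_auth + area

def vlan_attrs(tag: int, group_id: bytes):
    """The three tagged attributes a server sends for user-based VLAN assignment."""
    return [
        (ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id),
    ]

# Constructed sample exchange: a guest lands in VLAN "Guest" with an ingress ACL.
SAMPLE_SECRET = b"example-shared-secret"   # constructed, not a real secret
SAMPLE_REQUEST_AUTH = bytes(range(16))     # stands in for the Access-Request authenticator
SAMPLE_ACCEPT = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                                    vlan_attrs(1, b"Guest") + [(ATTR_FILTER_ID, b"guest-acl-in")])

if __name__ == "__main__":
    print(policy_from_access_accept(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```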

KEY TAKEAWAYS

These devices facilitate communication between the device and the RADIUS server.

The access-point/switch is where you configure the network to use 802.1X instead of Open/Unencrypted
or WPA2/3-PSK.
Act as enforcement points when RADIUS servers return precise access control policy

RADIUS Server

The RADIUS server acts as the “security guard” of the network; as users connect to the network, the
RADIUS authenticates their identity and authorizes them for network use. A user becomes authorized for
network access after enrolling for a certificate from the PKI (Public Key Infrastructure) or confirming
their credentials. Each time the user connects, the RADIUS confirms they have the correct certificate or
credentials and prevents any unapproved users from accessing the network.

A key security mechanism to employ when using a RADIUS server is server certificate validation. This
guarantees that the user only connects to the network they intend to, by configuring their device to
confirm the identity of the RADIUS server by checking the server certificate. If the certificate is not the
one the device is looking for, it will not send a certificate or credentials for authentication. This
prevents users from falling victim to an Evil Twin proxy attack.

RADIUS servers can also be used to authenticate users from a different organization. Solutions like
Eduroam use RADIUS servers as proxies (such as RADSEC). If a student visits a neighboring university, the
RADIUS server can authenticate their status at their home university and grant them secure network
access at the university they are currently visiting.

KEY TAKEAWAYS

RADIUS Servers are the decision points for devices requesting access to the protected side of the network

RADIUS Servers interact with identity providers to authenticate, authorize and report connections

Why Does 802.1X Need a RADIUS Server?

802.1X needs a RADIUS server because there needs to be a dedicated server to verify credentials. The
authentication facet of 802.1X actually occurs at the RADIUS server. The server checks the directory of
authorized users to confirm whether or not the client has permission to access the network and passes
that information back to the controller/access point. Without a RADIUS server, authentication would
have to occur at the access point (this would require some pretty powerful APs), such as in the case of
PSK (pre-shared key) authentication.

Identity Store / Directory

The Identity Store refers to the entity in which usernames and passwords are stored. In most cases, this
is Active Directory or potentially an LDAP server. Almost any RADIUS server can connect to your AD or
LDAP to validate users. There are a few caveats when LDAP is used, specifically around how the
passwords are hashed in the LDAP server. If your passwords are not stored in cleartext or an NTLM hash,
you will need to choose your EAP methods carefully as certain methods may not be compatible, such as
EAP-PEAP. This is not an issue caused by RADIUS servers, but rather from the password hash.

SecureW2 can help you set up SAML to authenticate users on any Identity Provider for Wi-Fi access. Here
are guides to integrating with some popular products.

To set up SAML authentication within Google Workspace, click here.

Configuring WPA2-Enterprise with Okta, click here.

For a guide on SAML Authentication using Shibboleth, click here.

To configure WPA2-Enterprise with ADFS, click here.

Developing a robust WPA2-Enterprise network requires additional tasks, such as setting up a PKI or CA
(Certificate Authority) and seamlessly distributing certificates to users. But contrary to what you might
think, you can make any of these upgrades without buying new hardware or making changes to the
infrastructure. For example, rolling out guest access or changing the authentication method can be
accomplished without additional infrastructure.

Recently, many institutions have been switching EAP methods from PEAP to EAP-TLS after seeing
noticeable improvement in connection time and roaming ability. Improving the functionality of wireless
networks can be gained without changing a single piece of hardware.

KEY TAKEAWAYS

802.1X traditionally requires a directory (on-prem or cloud) so the RADIUS can communicate to identify
each user and what level of access they are allowed.

Directories use username/passwords which makes them vulnerable to major security issues

Newer cloud identity providers (Azure AD, Okta, Google) can interact with next-gen RADIUS to do
passwordless identity authorization.

How Does 802.1X Authentication Work?

The 802.1X authentication process is comprised of four steps: Initialization, Initiation, Negotiation, and
Authentication.

Initialization

The Initialization step starts when the authenticator detects a new device and attempts to establish a
connection. The authenticator port is set to an “unauthorized” state, meaning that only 802.1X traffic
will be accepted and every other connection will be dropped.

Initiation

The authenticator starts transmitting EAP-Requests to the new device, which then sends EAP responses
back to the authenticator. The response usually contains a way to identify the new device. The
authenticator receives the EAP response and relays it to the authentication server in a RADIUS access
request packet.

Negotiation

Once the authentication server receives the request packet, it will respond with a RADIUS access
challenge packet containing the approved EAP authentication method for the device. The authenticator
will then pass on the challenge packet to the device to be authenticated.

Authentication

Once the EAP method is configured on the device, the authentication server will begin sending
configuration profiles so the device will be authenticated. Once the process is complete, the port will be
set to “authorized” and the device is configured to the 802.1X network.

KEY TAKEAWAYS

Typically 802.1X authentication begins with the client requesting access, the RADIUS server verifying the
user against the identity provider, and the access-point/switch allowing access

802.1X authentication works best via certificate, because both user and device context are taken into
account during authentication to prevent over-the-air credential theft.

Bonus: RADIUS Accounting

802.1X RADIUS accounting involves recording the information of devices that are authenticated to the
802.1X network and the session duration. The device information, usually the MAC address and port
number, is sent in a packet to the accounting server when the session begins. The server will receive a
message signaling the end of the session.

While this isn't part of the 802.1X authentication process, we get a lot of questions about accounting, as
RADIUS Servers are often referred to as AAA (Authentication, Authorization, Accounting) servers.

VLAN

A VLAN, or Virtual Local Area Network, is a method of configuring your network to emulate a LAN with
all of the management and security benefits it provides.

Basically, VLANs are segmenting your network to organize the security rules found on a network. For
example, the Open/Guest network is usually put in a different VLAN than the secure network. This helps
to make sure that devices and network resources that are on one VLAN aren't affected if anything bad
happened on a separate VLAN.

Digital certificates make VLAN assignment a snap because attributes can be encoded into the certificate
that the RADIUS uses to authenticate. You could set up a policy so that anyone with the email domain
“it.company.com” would be automatically assigned a different VLAN segment than “sales.company.com”.

MAC Authentication

MAC authentication, or MAC address authentication, is a simple security measure in which you create a
list of approved MAC addresses that are allowed network access.

Unfortunately, it's not difficult to spoof MAC addresses, so MAC authentication is rarely deployed on
enterprise levels.

MAC RADIUS

MAC RADIUS is a form of MAC Authentication. Instead of using a credential or a certificate to authorize a
device, the RADIUS confirms the MAC address and authenticates.

MAC Bypass

The primary use of MAC Bypass is to tie-in devices that don't support 802.1X (like game consoles,
printers, etc.) to your network. However, it's still vulnerable, so it should be in a separate VLAN.
How do I Configure 802.1X on Devices?

Configure 802.1X on Windows

You can configure 802.1X on Windows OS devices in two ways: manually, or with device onboarding
software.

Manually configuring a Windows device requires the user to set up a new wireless network, enter a
network name, set the security type, adjust network settings, set the authentication method, and many
more steps. While it's certainly possible to complete this process accurately, it is highly complex and
much more difficult than an onboarding software designed for efficiency.

The process for configuring Windows OS with SecureW2 requires the user to connect to the onboarding
SSID and open an internet browser. The user is sent to SecureW2's JoinNow onboarding software. After
clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be
prompted to enter their credentials and the device will be authenticated and equipped with a certificate.

Configure 802.1X on macOS

For macOS, you can either manually configure or employ onboarding software to set up 802.1X.

In order to manually configure macOS, the end user needs to know how to create an enterprise profile,
install a client security certificate, verify the certificate, and adjust the network settings. The process isn't
too difficult for someone with a background in IT, but it is risky for the average network user because of
the high-level technical information involved with each step.

Downloading the SecureW2 JoinNow Suite for macOS enables automation so end users are not required
to complete the process. The setup is similar to Windows OS; the end user starts by connecting to the
onboarding SSID and opens a browser. After downloading the .DMG file and entering their credentials,
the configuration process begins. The entire configuration and authentication requires only a few steps,
allowing the end user to sit back while the device configures.

Configure 802.1X on Android


You are able to configure your Android for 802.1X in two ways: manually through the Wi-Fi settings or
with device onboarding software.

Configuring manually via Wi-Fi settings requires you to create a network profile, configure Server
Certificate Validation (which requires uploading the CA used on the RADIUS Server and the common
name), and configuring the authentication method. If you use device onboarding software, all these
steps are done by an application that can be downloaded from the Play Store that will configure your
organization's network settings for you.

Configure 802.1X on iOS

Configuring 802.1X authentication for iPhones requires you to either manually configure the device or
use onboarding software.

Manual configuration means you need to create a network profile in the Wi-Fi settings and configure
Server Certificate validation and the authentication method. The process is much simpler with
onboarding software because SecureW2 can push a mobile config file to an iPhone device and configure
the network settings automatically.

Configure 802.1X on Linux

Like other operating systems, there are two methods to configure 802.1X on Linux.

The manual configuration is relatively simple. Open up Network Manager, select Edit Connections, find
your access point and click Edit. A new window will open up, choose the tab that says 802.1X settings
and input the information of your network.

For one device, this is a straightforward process. If you need to onboard many devices (and users), you
need SecureW2's automatic device onboarding software. Click here to learn more.

KEY TAKEAWAYS

802.1X settings can include SSID, EAP type, authentication protocols, certificates/credentials, and server
certificate validation, which trusts the authentic RADIUS server (vs. an evil twin).

Auto-configuration via onboarding software or MDM, or manual configuration, are the options.

For unmanaged/BYOD devices onboarding software can mitigate security risk

802.1X vs WPA2-Enterprise

802.1X is an IEEE standard framework for encrypting and authenticating a user who is trying to associate
to a wired or wireless network. WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise
adds AES encryption.

Vulnerabilities in 802.1X

No security protocol is invulnerable, and 802.1X is not an exception.

Wireless 802.1X's most common configurations are WPA-PSK (pre-shared key, also called WPA-Personal)
and WPA or WPA2 Enterprise.

PSK is the simplest and the most vulnerable. A password is configured on the access point and
distributed to users of the network. It's intended for personal use, mostly in homes. It's easily cracked
with a run-of-the-mill brute force attack, and is also susceptible to all other common attacks.

Enterprise-level wireless networks are typically not compromised by brute force attacks because their
network administrator will have mandated complex passwords and reset policies. Particular
vulnerabilities vary depending on the authentication standard used by the enterprise network.

PEAP MSCHAPv2 was once the industry standard for WPA2-Enterprise networks, but it's been cracked.
There are still many organizations using this standard, despite the inherent vulnerabilities to over-the-air
attacks.

EAP-TTLS/PAP is another common standard that is also very vulnerable to over-the-air attacks. It's
particularly weak because credentials are sent in clear text, so it's a simple matter for hackers to
intercept and steal. Further exacerbating the problem is the rising popularity of Cloud RADIUS servers.
Many of them only support EAP-TTLS/PAP, so end users are forced to send their credentials in clear text
over the internet.
The strongest WPA2-Enterprise standard is EAP-TLS. It relies on the asymmetrical cryptography of digital
certificates for authentication, which renders it immune to over-the-air attacks. Even if a hacker
intercepts the traffic, they will only harvest one half of the public-private key pair – which is useless
without the other half.


KEY TAKEAWAYS

Leaving 802.1X configuration to the end user risks misconfiguration and security compromise.

Trusting the right RADIUS Server vs. an evil twin is very important but not mandatory in 802.1X so ensure
certificate validation is always enabled.

Credential-based EAP methods like PEAP-MSCHAPv2 or EAP-TTLS/PAP are vulnerable; switch to
certificate-based EAP-TLS. Industry titans like Microsoft recommend moving to certificates.

The Best 802.1X Enterprise Solution

The security of your network is the security of your organization. You wouldn't leave your front door
unlocked, so why would you leave your network unsecured?

SecureW2 is trusted by some of the biggest companies in the world to provide the highest level of
security and peace of mind. Our software solutions can be integrated seamlessly into your current
network infrastructure or stand on their own as a fully-managed network security service.

We have affordable options for organizations of any size. Check out our pricing to learn more.

KEY TAKEAWAYS

Implement 802.1X by avoiding username/passwords and deploy digital certificates

Make RADIUS connection decisions based on both user and device information

Consider a cloud-native RADIUS solution that integrates with cloud identities without password based
LDAP
