802.1X and NAC authentication with Cloudi-Fi Cloud RADIUS offers centralized, secure network access control, ensuring only verified users and devices connect and preventing unauthorized access.
Why 802.1X?
802.1X is the standard for Port-Based Network Access Control and is used to authenticate devices when they connect to a wired (LAN) or wireless (WLAN) network. Unlike a shared Wi-Fi password that gives all devices equal access, 802.1X requires each device or user to authenticate individually.
Benefits:
- Eliminates the risk of compromised shared passwords
- Enables dynamic access policies (e.g., VLAN assignment) based on user or device
How 802.1X Authentication Works
802.1X prevents a device from accessing the network until it has successfully proven its identity. The process is managed by a central RADIUS server, which validates credentials against a trusted identity source.
Workflow:
- Detection: An authenticator (switch or access point) detects a new device (supplicant) attempting to connect.
- Request: The supplicant exchanges identifying information using the Extensible Authentication Protocol (EAP).
- Validation: The authenticator forwards the EAP requests to the Cloud RADIUS server, which validates credentials against a trusted directory or PKI.
- Authorization: On successful authentication, the RADIUS server sends a positive response and dynamic access policies (VLANs, ACLs).
- Access: The authenticator opens the network port and applies the specified policies, granting network access.
The 802.1X Components
Supplicant (Client Device)
- Software client on the device (laptop, smartphone, IoT device) initiating authentication
- Built into most modern OSes
- Responsible for presenting credentials or certificates
- Key takeaway: Each device must have a correctly configured supplicant. Certificates are more secure than usernames and passwords.
Authenticator (Switch, AP, or Controller)
- Network access device enforcing authentication
- Holds the port “unauthorized” until authentication succeeds
- Forwards EAP messages to the RADIUS server
- Key takeaway: The authenticator is the enforcement point for RADIUS access decisions.
RADIUS Server (Cloudi-Fi Cloud RADIUS)
- Central system handling authentication requests
- Validates credentials against an identity provider (Certificates or Microsoft Entra ID)
- Sends access policies upon successful authentication
Authentication Sequence (Simplified)
- Initialization: Authenticator detects a new device and sets the port to “unauthorized,” blocking traffic except EAP packets.
- Initiation: Authenticator sends an EAP-Request for identity; the supplicant responds with EAP-Response.
- Negotiation: RADIUS server challenges the supplicant and selects the authentication method (certificate or OAuth2).
- Authentication: Supplicant provides credentials to the RADIUS server, which validates them against the identity provider.
- Accounting: RADIUS logs session details (MAC address, port, session duration) for monitoring and auditing.
How to deploy 802.1X authentication with Cloudi-Fi
Step 1: Configure your authentication providers in Cloudi-Fi
This step involves activating your identity provider in the Cloudi-Fi Admin UI. Cloudi-Fi Cloud RADIUS supports a variety of NAC identity providers, such as:
- Certificate-based
  - Uses digital certificates issued by your corporate CA to authenticate devices
  - RADIUS server verifies the certificate is signed by a trusted CA and checks validity and revocation status
  - Dynamic access policies (e.g., VLAN assignment) are applied based on certificate attributes
  - Provides secure, automated device authentication without relying on usernames or passwords
- Identity-based (Microsoft Entra ID with OAuth2)
  - Uses existing corporate credentials to authenticate users
  - RADIUS server interacts with Microsoft Entra ID for user sign-in
  - Access policies are applied based on user group membership or claims from Entra ID
  - Simplifies user authentication while integrating with corporate identity management
Step 2: Deploy your SSID configuration
Once you have completed your provider configuration, you will need to deploy the SSID configuration in order to set up authentication through the Cloudi-Fi RADIUS server. Below, you will find the deployment procedure for various vendors, such as
Additional resources
Understanding 802.1X authentication in modern networks
WPA2/3-Enterprise with 802.1X authentication explained
Complete guide to 802.1X authentication