802.1X & Cisco ISE: Free Security+ Practice Questions + Study Guide

Moussa BENALI
Senior Network & Security Engineer · 6+ years of experience designing and securing enterprise networks. CCNA, Security+, and AWS certified.
Verified for Security+ SY0-701 · Apr 2026

What is 802.1X?

IEEE 802.1X is a standard for port-based network access control (PNAC). It provides an authentication mechanism for devices trying to connect to a LAN or WLAN. Before a device can send or receive any network traffic, it must prove its identity.

802.1X involves three roles:

  • Supplicant - the client device requesting network access (laptop, phone, IoT device)
  • Authenticator - the network device controlling access (switch port or wireless AP)
  • Authentication Server - the RADIUS server that verifies credentials (Cisco ISE, FreeRADIUS, Microsoft NPS)

Here's how the process works:

  1. A device connects to a switch port or wireless network
  2. The switch (authenticator) blocks all traffic except EAP (Extensible Authentication Protocol) frames
  3. The supplicant sends its credentials via EAP to the authenticator
  4. The authenticator forwards the EAP messages to the RADIUS server, encapsulated in RADIUS packets
  5. The RADIUS server verifies the credentials against its identity source (Active Directory, LDAP, local database)
  6. If authentication succeeds, the RADIUS server sends an Access-Accept message with authorization attributes (VLAN assignment, ACL, etc.)
  7. The switch opens the port and applies the authorized policy
Security+ Exam Note: 802.1X falls under the Security Architecture domain (approximately 18% of the SY0-701 exam). Know the three roles, understand EAP methods, and be able to explain how NAC provides defense-in-depth at the network access layer.

EAP Methods for 802.1X

EAP (Extensible Authentication Protocol) is a framework that supports multiple authentication methods within 802.1X. Different EAP methods offer different security levels and deployment requirements:

| EAP Method | Authentication | Certificates Required | Security Level |
|---|---|---|---|
| EAP-TLS | Mutual certificate authentication | Server + client certificates | Highest - no passwords involved |
| PEAP (Protected EAP) | Server cert + username/password inside TLS tunnel | Server certificate only | High - most commonly deployed |
| EAP-TTLS | Server cert + various inner methods in TLS tunnel | Server certificate only | High - flexible inner methods |
| EAP-FAST | PAC (Protected Access Credential) + tunnel | Optional (uses PAC instead) | Medium-High - Cisco proprietary |
| EAP-MD5 | Username/password with MD5 hash | None | Low - no mutual auth, vulnerable to attacks |

Exam Tip: For Security+, remember that EAP-TLS is the most secure because it uses mutual certificate authentication (both sides prove identity with certificates). PEAP is the most commonly deployed because it only requires a server certificate and users authenticate with their existing AD credentials.

PEAP in Detail

PEAP (Protected EAP) is the most widely deployed EAP method in enterprise environments because it balances security with ease of deployment:

  1. The RADIUS server presents its certificate to the supplicant
  2. The supplicant validates the server certificate (trusted CA)
  3. A TLS tunnel is established between supplicant and server
  4. Inside this encrypted tunnel, the user authenticates with username/password (using MSCHAPv2)
  5. Credentials are never sent in cleartext because they're protected by the outer TLS tunnel

EAP-TLS in Detail

EAP-TLS provides the strongest security by eliminating passwords entirely:

  • Both the server and client present X.509 certificates
  • Mutual authentication - each side verifies the other's identity
  • Immune to password-based attacks (phishing, brute force, credential stuffing)
  • Requires a PKI (Public Key Infrastructure) to issue and manage client certificates
  • Higher administrative overhead - certificate enrollment, renewal, and revocation must be managed

Cisco ISE Overview

Cisco Identity Services Engine (ISE) is an enterprise-grade RADIUS and policy server that provides centralized network access control. While Security+ is vendor-neutral, understanding ISE helps illustrate how NAC concepts work in practice.

Core ISE Functions

  • Authentication - verifies who or what is connecting (user identity, device type)
  • Authorization - determines what the authenticated entity can access (VLAN, ACL, SGT)
  • Accounting - logs all access events for auditing and compliance
  • Posture Assessment - checks device health (OS patches, antivirus status, disk encryption) before granting access
  • Profiling - automatically identifies device types (laptop, printer, IP phone, IoT) based on network behavior

ISE Policy Framework

ISE uses a layered policy model:

| Policy Layer | Purpose | Example |
|---|---|---|
| Authentication Policy | Determines how to verify identity | Use PEAP-MSCHAPv2 against Active Directory |
| Authorization Policy | Determines what access to grant | If employee + compliant device, assign VLAN 100 |
| Posture Policy | Defines device health requirements | Windows 11 + current patches + AV running |

Security Principle: ISE implements the zero trust principle at the network access layer. Instead of trusting any device that physically connects, every device must prove its identity and meet health requirements before receiving any network access. This aligns with the Zero Trust Architecture concept tested on Security+.

802.1X Configuration

Here's what 802.1X configuration looks like on the switch (authenticator) side. While Security+ doesn't test vendor-specific commands, understanding the building blocks helps with conceptual questions.

Switch-Side Configuration (Cisco IOS)

Enable AAA and RADIUS

! Enable AAA globally
aaa new-model

! Define RADIUS server
radius server ISE-PRIMARY
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key MyRadiusSecret123

! Create authentication method list
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

Enable 802.1X on Switch Ports

! Enable 802.1X globally
dot1x system-auth-control

! Configure access port for 802.1X
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
 ! Enable MAB on the port; without it the order/priority commands below have nothing to fall back to
 mab
 authentication order dot1x mab
 authentication priority dot1x mab

Key configuration concepts:

  • aaa new-model - enables the AAA framework (required for 802.1X)
  • dot1x system-auth-control - enables 802.1X globally on the switch
  • authentication port-control auto - the port starts in unauthorized state and waits for authentication
  • dot1x pae authenticator - sets the port's 802.1X role to authenticator
  • authentication order dot1x mab - try 802.1X first, fall back to MAB if no supplicant responds

RADIUS Communication

The authenticator communicates with the RADIUS server using UDP ports 1812 (authentication) and 1813 (accounting). Legacy systems may use ports 1645/1646. The RADIUS shared secret protects the exchange between the authenticator and the server: it authenticates each packet (the Response Authenticator and Message-Authenticator fields) and obfuscates the User-Password attribute, and it is never sent on the wire.

MAB and Guest Access

MAC Authentication Bypass (MAB)

Not all devices support 802.1X. Printers, IP phones, cameras, and IoT devices typically lack supplicant software. MAB is a fallback authentication method that uses the device's MAC address as its identity.

How MAB works:

  1. The switch detects a new device but receives no 802.1X response
  2. After a timeout, the switch captures the device's MAC address
  3. The switch sends the MAC address to the RADIUS server as both username and password
  4. The RADIUS server checks the MAC against a known-device database
  5. If matched, the server returns the appropriate authorization (VLAN, ACL)
Security Limitation: MAB is less secure than 802.1X because MAC addresses can be spoofed. An attacker who knows a printer's MAC address could impersonate it. Always combine MAB with additional controls like device profiling and network segmentation.
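The RADIUS side of steps 4 and 6 of the 802.1X process and of the MAB exchange above, as an added example (not code from the page or from Cisco): the switch builds an Access-Request carrying the MAC address as both User-Name and User-Password, the shared secret produces the Message-Authenticator and the Response Authenticator, and a reply that fails the check is discarded. The shared secret, MAC address, packet identifier and VLAN are constructed values; attribute formats follow RFC 2865, RFC 2868 and RFC 2869.

```python
import hashlib, hmac, struct

# Constructed values for this example; the secret matches the page's switch config.
SECRET = b"MyRadiusSecret123"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP = 64, 65, 81   # VLAN assignment (RFC 2868)

def attr(t, value):
    """Encode one RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", t, len(value) + 2) + value

def hide_password(pw, req_auth, secret):
    """RFC 2865 5.2: XOR the null-padded password with MD5(secret + Request Authenticator).
    Handles a single 16-byte block, which is enough for a MAC-address 'password'."""
    return bytes(a ^ b for a, b in zip(pw.ljust(16, b"\x00"),
                                       hashlib.md5(secret + req_auth).digest()))

def mab_access_request(mac, ident, req_auth, secret=SECRET):
    """Access-Request a switch sends for MAB: the MAC is both User-Name and User-Password."""
    attrs = attr(USER_NAME, mac.encode()) + attr(USER_PASSWORD, hide_password(mac.encode(), req_auth, secret))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)      # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    tag = hmac.new(secret, pkt, hashlib.md5).digest()       # RFC 2869 Message-Authenticator
    return pkt[:-16] + tag

def message_authenticator_ok(pkt, secret=SECRET):
    """Server-side check: recompute the HMAC-MD5 with the tag zeroed (tag assumed to be the last attribute)."""
    expected = hmac.new(secret, pkt[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[-16:])

def access_accept(ident, req_auth, vlan, secret=SECRET):
    """Access-Accept assigning a VLAN: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), group id."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))      # leading byte is the tag
             + attr(TUNNEL_MEDIUM, b"\x00" + (6).to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP, str(vlan).encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()   # Response Authenticator
    return head + resp_auth + attrs

def verify_and_parse(resp, req_auth, secret=SECRET):
    """Authenticator-side check: a reply whose Response Authenticator does not match is discarded."""
    head, got, attrs = resp[:4], resp[4:20], resp[20:]
    if not hmac.compare_digest(hashlib.md5(head + req_auth + attrs + secret).digest(), got):
        return None
    result, i = {"code": head[0]}, 0
    while i < len(attrs):                                   # walk the TLV attribute list
        t, length = attrs[i], attrs[i + 1]
        result[t] = attrs[i + 2:i + length]
        i += length
    return result
```

A real switch also sends attributes such as NAS-Port-Id and Calling-Station-Id, and the MAC username format is configurable; the checks shown are the ones that depend on the shared secret.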

Guest Access

For visitors and BYOD (Bring Your Own Device), NAC solutions provide guest access portals:

  • Web Authentication (WebAuth) - redirects unauthenticated users to a captive portal
  • Sponsored Guest - an employee creates a guest account for the visitor
  • Self-Registration - guests register themselves (typically with email or SMS verification)
  • Guest VLAN - guests are placed in an isolated VLAN with limited access (internet only, no internal resources)

Change of Authorization (CoA)

CoA (RFC 5176) allows the RADIUS server to dynamically change a client's authorization after initial authentication. This is critical for posture assessment workflows:

  1. Device authenticates and is placed in a quarantine VLAN for posture assessment
  2. ISE checks the device's health (patches, antivirus, compliance)
  3. If compliant, ISE sends a CoA message to the switch
  4. The switch re-authorizes the device into the appropriate production VLAN - no user action needed
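An added illustration (constructed, not ISE's own code) of the authorization layer from the ISE Policy Framework section together with the CoA flow above: ordered first-match rules put an employee whose posture is still unknown into a quarantine VLAN with a redirect, and a posture result triggers a CoA reauthentication that re-runs the rules. Identity group names, VLAN numbers, dACL names and the redirect name are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified model of ordered first-match authorization rules; not ISE's own code.
# Group names, VLAN numbers and dACL names are assumptions for this example.

@dataclass
class Session:
    user_group: str                     # identity group from the auth result, e.g. "Employees"
    auth_method: str                    # "PEAP-MSCHAPv2", "EAP-TLS" or "MAB"
    posture: str = "Unknown"            # posture token: Unknown, Compliant, NonCompliant
    vlan: Optional[int] = None
    dacl: Optional[str] = None
    redirect: Optional[str] = None
    coa_log: list = field(default_factory=list)

def is_employee_8021x(s):
    return s.user_group == "Employees" and s.auth_method != "MAB"

# (rule name, condition, result) evaluated top-down; the first match wins, as in an ISE policy set.
AUTHZ_RULES = [
    ("Compliant employee", lambda s: is_employee_8021x(s) and s.posture == "Compliant",
     {"vlan": 100, "dacl": "PERMIT_ALL"}),
    ("Posture pending", lambda s: is_employee_8021x(s) and s.posture == "Unknown",
     {"vlan": 900, "dacl": "POSTURE_REMEDIATION", "redirect": "posture-portal"}),  # quarantine
    ("Non-compliant", lambda s: s.posture == "NonCompliant",
     {"vlan": 900, "dacl": "REMEDIATION_ONLY"}),
    ("Profiled printer via MAB", lambda s: s.auth_method == "MAB" and s.user_group == "Printers",
     {"vlan": 200, "dacl": "PRINTER_ONLY"}),
    ("Default deny", lambda s: True, {"vlan": None, "dacl": "DENY_ALL"}),  # nothing else matched
]

def authorize(s):
    """Apply the first matching rule and return its name (the result the switch receives)."""
    for name, cond, result in AUTHZ_RULES:
        if cond(s):
            s.vlan, s.dacl = result.get("vlan"), result["dacl"]
            s.redirect = result.get("redirect")
            return name

def posture_result(s, token):
    """Posture agent reports a token; the server issues CoA Reauth so authorization is re-run."""
    s.posture = token
    s.coa_log.append(f"CoA-Request reauthenticate (posture={token})")
    return authorize(s)
```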

802.1X on the Security+ Exam

Here's what the SY0-701 exam focuses on for 802.1X and NAC:

What You Must Know

  • Three 802.1X roles - supplicant, authenticator, authentication server
  • EAP methods - especially EAP-TLS (most secure) and PEAP (most common)
  • RADIUS - the protocol used between authenticator and auth server
  • NAC concepts - pre-admission vs post-admission controls, posture assessment
  • Certificate-based vs password-based authentication tradeoffs
  • Zero trust alignment - how 802.1X implements "never trust, always verify" at the network layer

What You Don't Need to Know

  • Cisco ISE-specific configuration commands
  • Detailed switch port configuration syntax
  • RADIUS attribute/value pairs (AVPs)
  • ISE deployment architecture (standalone vs distributed)
Exam Strategy: When you see a Security+ question about "the most secure" authentication method for network access, the answer is almost always EAP-TLS (certificate-based). When asked about the "most commonly deployed" or "easiest to implement," it's PEAP.

Frequently Asked Questions

Is 802.1X on the Security+ SY0-701 exam?

Yes. 802.1X is covered under the Security Architecture domain (approximately 18% of the SY0-701 exam). You need to understand the three 802.1X roles (supplicant, authenticator, authentication server), common EAP methods, and how NAC provides network-layer security. You won't need to configure ISE from scratch, but you should understand the concepts thoroughly.

What is the most secure EAP method?

EAP-TLS is considered the most secure because it requires certificates on both the client and the server (mutual authentication). This eliminates password-based attacks entirely - no credentials to phish, brute force, or stuff. The tradeoff is that deploying and managing client certificates requires a PKI infrastructure, which adds administrative overhead. For organizations without PKI, PEAP is the next best option.

Do I need to know Cisco ISE specifically for Security+?

Security+ is vendor-neutral, so you won't be tested on Cisco ISE specifically. However, you need to understand the general concepts of NAC (Network Access Control), RADIUS authentication, 802.1X roles, and EAP methods. Understanding how ISE implements these concepts helps solidify the underlying principles that the exam tests.

What is the difference between 802.1X and MAB?

802.1X is a full authentication protocol that uses EAP to verify user or device identity with credentials or certificates. MAB (MAC Authentication Bypass) is a fallback method that authenticates devices based on their MAC address alone. MAB is significantly less secure because MAC addresses can be spoofed, but it's necessary for devices that lack 802.1X supplicant software - printers, IP phones, cameras, and IoT devices.