How to Implement 802.1X Network Access Control with Active Directory

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Network access control based on 802.1X is the difference between a network where any physical or wireless connection gets production access, and one where only authenticated domain-joined devices with valid certificates can connect. An attacker with physical access to a network port or within Wi-Fi range of a corporate SSID is stopped at the port level before they reach any network resource.
The architecture has four components: the supplicant (domain-joined client running the 802.1X client), the authenticator (switch or WAP that enforces access), the RADIUS server (NPS on Windows Server), and the identity store (Active Directory + enterprise CA). Certificate-based authentication (EAP-TLS) is preferred over PEAP-MSCHAPv2 because it does not rely on passwords.
Step 1: Enterprise PKI and Certificate Templates
802.1X with EAP-TLS requires machine certificates issued by the enterprise CA (Active Directory Certificate Services) on all domain clients, and a server certificate on the NPS server.
Prerequisites:
- Active Directory Certificate Services (ADCS) installed and configured
- Domain CA issuing certificates to domain members
Create two certificate templates in Certificate Authority snap-in:
1. NPS Server Certificate:
Duplicate the "Web Server" template
Name: "NPS-Server-Auth"
Subject Name: Common name = NPS server FQDN
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Subject Name tab: "Build from Active Directory information"
Security tab: NPS server computer account = Read, Enroll
2. Machine (Workstation) Certificate:
Duplicate the "Computer" template
Name: "Domain-Machine-Auth"
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
Subject Name tab: "Build from Active Directory information"
Security tab: Domain Computers group = Read, Enroll, Autoenroll
# Publish the templates in CA:
# Right-click Certificate Templates in CA snap-in > New > Certificate Template to Issue
# Select both templates you created
# Verify auto-enrollment GPO is configured to issue machine certs:
# GPO: Computer Configuration > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment
# Action: Enroll certificates automatically = Enabled
# Force auto-enrollment on a test machine:
gpupdate /force
certutil -pulse # Triggers certificate enrollment
certlm.msc # View Computer certificates store: should show domain-issued cert
Step 2: NPS (RADIUS) Server Configuration
# Install NPS on Windows Server:
Install-WindowsFeature NPAS -IncludeManagementTools
# Open NPS console and perform initial configuration:
# NPS (Local) > Standard Configuration
# "RADIUS server for 802.1X Wireless or Wired Connections"
# Follow the wizard to create:
# - RADIUS Clients (your switches/WAPs)
# - Network Policies (who gets access)
Register NPS in Active Directory (required for domain auth):
# Must run on the NPS server:
netsh nps add registeredserver
# Or via NPS console: NPS (Local) > right-click > Register Server in Active Directory
# This adds the NPS computer account to the "RAS and IAS Servers" security group
# allowing it to read dial-in properties from AD user/computer accounts
Configure RADIUS Client (your switch or WAP):
NPS console > RADIUS Clients and Servers > RADIUS Clients > New
Friendly name: SW-CORE-01
Address: 10.1.0.1 (IP of the switch)
Shared secret: [generate a long random string, save to vault]
Vendor name: RADIUS Standard
# The same shared secret goes in the switch configuration
Create NPS Network Policy (who gets access):
NPS console > Policies > Network Policies > New
Policy name: 802.1X-Domain-Machines
Type: Unspecified
Conditions:
Windows Groups: Domain Computers ← Only domain-joined machines
Authentication Type: EAP (for certificate) or PEAP (for password)
Health Policies: optional: use with NAP for compliance checking
Constraints:
Authentication Methods:
Add EAP Types:
- Microsoft: Smart Card or other certificate ← EAP-TLS (certificate-based)
- Microsoft: Protected EAP (PEAP) ← PEAP-MSCHAPv2 (password-based)
Settings:
RADIUS Attributes > Standard:
Tunnel-Type: Virtual LANs (VLAN)
Tunnel-Medium-Type: 802
Tunnel-Pvt-Group-ID: [your production VLAN ID, e.g., 10]
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Step 3: Switch and WAP Configuration
Cisco IOS switch port configuration:
! Global RADIUS configuration:
radius server NPS-01
address ipv4 10.0.0.50 auth-port 1812 acct-port 1813
key [shared_secret_from_vault]
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! Per-port configuration (access ports only, not trunk ports):
interface range GigabitEthernet1/0/1 - 48
switchport mode access
switchport access vlan 10 ! Default VLAN before auth
dot1x port-control auto ! Enforce 802.1X
dot1x timeout tx-period 10
! MAB fallback for non-802.1X devices (printers, IoT):
mab
authentication order dot1x mab ! Try 802.1X first, MAB second
authentication priority dot1x mab
! Guest VLAN for unknown devices (optional):
dot1x guest-vlan 99
spanning-tree portfast ! Needed for 802.1X to work (no STP delay)
Wireless (WPA Enterprise / 802.1X):
Cisco WLC or Meraki configuration for WPA Enterprise:
SSID: Corp-Wireless
Security: WPA2-Enterprise
RADIUS Authentication Server: 10.0.0.50 (NPS) port 1812
RADIUS Shared Secret: [from vault]
EAP Method: EAP-TLS (preferred) or PEAP
For Meraki:
Wireless > SSIDs > [SSID] > Access Control
Association requirements: WPA2-Enterprise
RADIUS servers: Add NPS server IP + shared secret
Step 4: GPO Deployment of 802.1X Supplicant
Deploy the 802.1X client settings via GPO so domain machines authenticate automatically without user interaction.
Wired 802.1X GPO:
GPO name: 802.1X-Wired-Client-Policy
Link to: Domain Computers OU
Computer Configuration > Windows Settings > Security Settings >
Wired Network (IEEE 802.3) Policies > Create New Policy
General tab:
Policy Name: Wired-802.1X
Use Windows Wired Auto Config service: Checked
Security tab:
Enable IEEE 802.1X authentication: Checked
Authentication method: Microsoft: Smart Card or other certificate (EAP-TLS)
or: Microsoft: Protected EAP (PEAP)
For EAP-TLS:
Properties > Certificate: [select enterprise root CA]
Verify server's identity: Checked
Connect only to these servers: [NPS server FQDN]
Use simple certificate selection: Checked
Wireless 802.1X GPO:
GPO name: 802.1X-Wireless-Client-Policy
Computer Configuration > Windows Settings > Security Settings >
Wireless Network (IEEE 802.11) Policies > Create New Policy
Infrastructure SSID: Corp-Wireless
Security Type: WPA2-Enterprise
Encryption Type: AES
Authentication: Microsoft: Smart Card or other certificate (EAP-TLS)
Server Validation: Trust the CA, verify server name: [NPS FQDN]
Verify 802.1X authentication is working:
# On NPS server: check NPS event log for authentication success/failure:
Get-WinEvent -LogName 'Security' | Where-Object { $_.Id -in (6272, 6273) } |
Select-Object -First 10
# Event 6272: NPS granted access (success)
# Event 6273: NPS denied access (failure: check reason code)
# Enable NPS request logging for detailed RADIUS accounting:
# NPS console > Accounting > Configure Accounting >
# Log to a text file: C:\Windows\system32\LogFiles\RADIUS*.log
# On client: check dot1x authentication status:
netsh lan show interfaces
# Authentication Status: Authenticated = success
# Authentication Status: Authenticating... = cert or NPS policy issue
# Detailed dot1x log:
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' |
Select-Object -First 20 | Format-List
The bottom line
802.1X NAC implementation requires four components working together: (1) enterprise PKI issuing machine certificates via auto-enrollment GPO, (2) NPS server registered in Active Directory with a RADIUS client entry per switch/WAP and a network policy requiring certificate or PEAP authentication from Domain Computers, (3) switch ports configured with dot1x port-control auto and MAB fallback for non-supplicant devices, (4) GPO deploying the 802.1X supplicant settings to domain clients. Monitor NPS Event 6272 (access granted) and 6273 (access denied) to verify operation. Use a guest VLAN (dot1x guest-vlan 99) to isolate unauthenticated devices rather than blocking all access during rollout.
Frequently asked questions
What is the difference between EAP-TLS and PEAP-MSCHAPv2 in 802.1X?
EAP-TLS authenticates using certificates on both sides: the client presents its machine certificate, the NPS server presents its server certificate, and both are validated. It is the most secure method because credential theft is ineffective (there is no password to steal). PEAP-MSCHAPv2 tunnels a password-based exchange inside a TLS session to the NPS server: it is easier to deploy (no machine certificates required) but relies on password security and is susceptible to attacks against the MSCHAPv2 exchange if the outer TLS is misconfigured.
How do non-802.1X devices like printers connect with NAC enabled?
Use MAC Authentication Bypass (MAB) as a fallback: configure switch ports with `authentication order dot1x mab` so 802.1X is attempted first; if the device does not respond (no EAP supplicant), the switch sends the device's MAC address to NPS as the RADIUS username. In NPS, create a separate network policy with a Windows Group condition matching a security group of approved MAC addresses (formatted as AA-BB-CC-DD-EE-FF) to grant those devices a restricted VLAN. MAB is weaker than 802.1X because MAC addresses can be spoofed.
What is 802.1X and how does it improve network security?
802.1X is an IEEE standard for port-based Network Access Control (NAC). When a device connects to a switch port with 802.1X enabled, the switch (authenticator) requests credentials before allowing any network traffic. The device (supplicant) provides credentials via EAP; the switch forwards them to a RADIUS server (NPS on Windows, or FreeRADIUS) for verification. Only authenticated devices receive network access — unauthenticated devices are blocked or placed in a quarantine VLAN. 802.1X prevents unauthorized devices (rogue laptops, unsanctioned IoT) from connecting to the network. It provides device-level access control that complements user-level authentication.
What is the difference between EAP-TLS and PEAP-MSCHAPv2 for 802.1X?
EAP-TLS uses mutual certificate authentication: both the client and server present certificates. It is the most secure 802.1X method — no password is transmitted, and both parties authenticate by certificate. It requires client certificates deployed to all endpoints (via auto-enrollment from an internal CA, typically with Intune or SCCM). PEAP-MSCHAPv2 authenticates the server by certificate (client verifies the RADIUS server cert) and the client by username/password — no client certificate required. PEAP-MSCHAPv2 is easier to deploy but is vulnerable to credential theft if the client does not properly validate the server certificate. EAP-TLS is the recommended standard for enterprise environments.
What is the difference between LOLBAS and GTFO Bins?
LOLBAS (Living Off the Land Binaries, Libraries and Scripts) documents Windows native executables, libraries, and scripts that can be abused for offensive purposes -- the lolbas.project.github.io catalog lists executables with functions (Execute, Download, Copy, Encode) and references. GTFO Bins (gtfobins.github.io) is the Linux equivalent: it documents Unix binaries (bash, curl, python, find, awk) with techniques for privilege escalation, file reads, reverse shells, and bypassing restrictions. Both are defender reference resources: check these catalogs to understand which native binaries in your environment could be abused for each function, then build detection coverage around the highest-risk ones.
How do you handle 802.1X authentication failures for domain-joined machines when certificates expire or NPS becomes unavailable?
Certificate expiry is the most common 802.1X outage cause in production deployments. Domain machine certificates auto-enrolled via GPO should have 1-2 year validity; set the renewal threshold in the certificate template to 20% of lifetime so Auto-Enrollment renews certificates before they expire. Monitor for upcoming expiry by querying the enterprise CA: 'certutil -view -restrict "NotAfter<=01/01/2026" csv' to list certificates expiring before a target date. For NPS unavailability: configure at least two NPS servers as RADIUS servers on every switch and WAP, with the same shared secret, so each authenticator automatically fails over. Configure an auth-fail VLAN on switch ports ('dot1x auth-fail vlan 99') as a fallback for when RADIUS is unreachable: this gives computers enough network access to retrieve GPO updates and restore the configuration, while keeping them off the production VLAN. For servers and critical infrastructure where connectivity must be maintained, configure MAC Authentication Bypass as a fallback with those MAC addresses whitelisted in a separate NPS policy so an NPS outage does not cause a production outage for managed devices.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
