PEAP-MSCHAPv2
Protocol Extension Authentication Protocol with MSCHAPv2: the most common 802.1X method for password-based user authentication; more secure is EAP-TLS which uses certificates instead of passwords
EAP-TLS
Extensible Authentication Protocol Transport Layer Security: certificate-based 802.1X authentication; the most secure method because the device certificate (not a password) authenticates the machine, making credential theft ineffective
NPS
Network Policy Server: Microsoft's built-in RADIUS server; authenticates 802.1X requests against Active Directory, evaluates network policies (which devices/users get which VLAN), and logs authentication events
MAB
MAC Authentication Bypass: fallback mechanism for devices that cannot do 802.1X (printers, IoT); the switch authenticates the MAC address to RADIUS instead of running EAP; weaker but necessary for non-supplicant devices

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Network access control based on 802.1X is the difference between a network where any physical or wireless connection gets production access, and one where only authenticated domain-joined devices with valid certificates can connect. An attacker with physical access to a network port or within Wi-Fi range of a corporate SSID is stopped at the port level before they reach any network resource.

The architecture has four components: the supplicant (domain-joined client running the 802.1X client), the authenticator (switch or WAP that enforces access), the RADIUS server (NPS on Windows Server), and the identity store (Active Directory + enterprise CA). Certificate-based authentication (EAP-TLS) is preferred over PEAP-MSCHAPv2 because it does not rely on passwords.

Step 1: Enterprise PKI and Certificate Templates

802.1X with EAP-TLS requires machine certificates issued by the enterprise CA (Active Directory Certificate Services) on all domain clients, and a server certificate on the NPS server.

Prerequisites:
- Active Directory Certificate Services (ADCS) installed and configured
- Domain CA issuing certificates to domain members

Create two certificate templates in Certificate Authority snap-in:

1. NPS Server Certificate:
   Duplicate the "Web Server" template
   Name: "NPS-Server-Auth"
   Subject Name: Common name = NPS server FQDN
   Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
   Subject Name tab: "Build from Active Directory information"
   Security tab: NPS server computer account = Read, Enroll

2. Machine (Workstation) Certificate:
   Duplicate the "Computer" template  
   Name: "Domain-Machine-Auth"
   Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
   Subject Name tab: "Build from Active Directory information"
   Security tab: Domain Computers group = Read, Enroll, Autoenroll
# Publish the templates in CA:
# Right-click Certificate Templates in CA snap-in > New > Certificate Template to Issue
# Select both templates you created

# Verify auto-enrollment GPO is configured to issue machine certs:
# GPO: Computer Configuration > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment
# Action: Enroll certificates automatically = Enabled

# Force auto-enrollment on a test machine:
gpupdate /force
certutil -pulse  # Triggers certificate enrollment
certlm.msc  # View Computer certificates store: should show domain-issued cert

Step 2: NPS (RADIUS) Server Configuration

# Install NPS on Windows Server:
Install-WindowsFeature NPAS -IncludeManagementTools

# Open NPS console and perform initial configuration:
# NPS (Local) > Standard Configuration
# "RADIUS server for 802.1X Wireless or Wired Connections"
# Follow the wizard to create:
#   - RADIUS Clients (your switches/WAPs)
#   - Network Policies (who gets access)

Register NPS in Active Directory (required for domain auth):

# Must run on the NPS server:
netsh nps add registeredserver
# Or via NPS console: NPS (Local) > right-click > Register Server in Active Directory
# This adds the NPS computer account to the "RAS and IAS Servers" security group
# allowing it to read dial-in properties from AD user/computer accounts

Configure RADIUS Client (your switch or WAP):

NPS console > RADIUS Clients and Servers > RADIUS Clients > New

Friendly name: SW-CORE-01
Address: 10.1.0.1  (IP of the switch)
Shared secret: [generate a long random string, save to vault]
Vendor name: RADIUS Standard

# The same shared secret goes in the switch configuration

Create NPS Network Policy (who gets access):

NPS console > Policies > Network Policies > New

Policy name: 802.1X-Domain-Machines
Type: Unspecified

Conditions:
  Windows Groups: Domain Computers  ← Only domain-joined machines
  Authentication Type: EAP (for certificate) or PEAP (for password)
  Health Policies: optional: use with NAP for compliance checking

Constraints:
  Authentication Methods:
    Add EAP Types:
    - Microsoft: Smart Card or other certificate  ← EAP-TLS (certificate-based)
    - Microsoft: Protected EAP (PEAP)             ← PEAP-MSCHAPv2 (password-based)

Settings:
  RADIUS Attributes > Standard:
    Tunnel-Type: Virtual LANs (VLAN)
    Tunnel-Medium-Type: 802
    Tunnel-Pvt-Group-ID: [your production VLAN ID, e.g., 10]
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Step 3: Switch and WAP Configuration

Cisco IOS switch port configuration:

! Global RADIUS configuration:
radius server NPS-01
 address ipv4 10.0.0.50 auth-port 1812 acct-port 1813
 key [shared_secret_from_vault]

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

! Per-port configuration (access ports only, not trunk ports):
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10         ! Default VLAN before auth
 dot1x port-control auto           ! Enforce 802.1X
 dot1x timeout tx-period 10
 ! MAB fallback for non-802.1X devices (printers, IoT):
 mab
 authentication order dot1x mab    ! Try 802.1X first, MAB second
 authentication priority dot1x mab
 ! Guest VLAN for unknown devices (optional):
 dot1x guest-vlan 99
 spanning-tree portfast             ! Needed for 802.1X to work (no STP delay)

Wireless (WPA Enterprise / 802.1X):

Cisco WLC or Meraki configuration for WPA Enterprise:

SSID: Corp-Wireless
Security: WPA2-Enterprise
RADIUS Authentication Server: 10.0.0.50 (NPS) port 1812
RADIUS Shared Secret: [from vault]
EAP Method: EAP-TLS (preferred) or PEAP

For Meraki:
Wireless > SSIDs > [SSID] > Access Control
Association requirements: WPA2-Enterprise
RADIUS servers: Add NPS server IP + shared secret

Step 4: GPO Deployment of 802.1X Supplicant

Deploy the 802.1X client settings via GPO so domain machines authenticate automatically without user interaction.

Wired 802.1X GPO:

GPO name: 802.1X-Wired-Client-Policy
Link to: Domain Computers OU

Computer Configuration > Windows Settings > Security Settings >
Wired Network (IEEE 802.3) Policies > Create New Policy

General tab:
  Policy Name: Wired-802.1X
  Use Windows Wired Auto Config service: Checked

Security tab:
  Enable IEEE 802.1X authentication: Checked
  Authentication method: Microsoft: Smart Card or other certificate (EAP-TLS)
  or: Microsoft: Protected EAP (PEAP)
  
  For EAP-TLS:
  Properties > Certificate: [select enterprise root CA]
  Verify server's identity: Checked
  Connect only to these servers: [NPS server FQDN]
  Use simple certificate selection: Checked

Wireless 802.1X GPO:

GPO name: 802.1X-Wireless-Client-Policy

Computer Configuration > Windows Settings > Security Settings >
Wireless Network (IEEE 802.11) Policies > Create New Policy

Infrastructure SSID: Corp-Wireless
Security Type: WPA2-Enterprise
Encryption Type: AES
Authentication: Microsoft: Smart Card or other certificate (EAP-TLS)
Server Validation: Trust the CA, verify server name: [NPS FQDN]

Verify 802.1X authentication is working:

# On NPS server: check NPS event log for authentication success/failure:
Get-WinEvent -LogName 'Security' | Where-Object { $_.Id -in (6272, 6273) } | 
  Select-Object -First 10
# Event 6272: NPS granted access (success)
# Event 6273: NPS denied access (failure: check reason code)

# Enable NPS request logging for detailed RADIUS accounting:
# NPS console > Accounting > Configure Accounting >
# Log to a text file: C:\Windows\system32\LogFiles\RADIUS*.log

# On client: check dot1x authentication status:
netsh lan show interfaces
# Authentication Status: Authenticated = success
# Authentication Status: Authenticating... = cert or NPS policy issue

# Detailed dot1x log:
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' |
  Select-Object -First 20 | Format-List

The bottom line

802.1X NAC implementation requires four components working together: (1) enterprise PKI issuing machine certificates via auto-enrollment GPO, (2) NPS server registered in Active Directory with a RADIUS client entry per switch/WAP and a network policy requiring certificate or PEAP authentication from Domain Computers, (3) switch ports configured with dot1x port-control auto and MAB fallback for non-supplicant devices, (4) GPO deploying the 802.1X supplicant settings to domain clients. Monitor NPS Event 6272 (access granted) and 6273 (access denied) to verify operation. Use a guest VLAN (dot1x guest-vlan 99) to isolate unauthenticated devices rather than blocking all access during rollout.

Frequently asked questions

What is the difference between EAP-TLS and PEAP-MSCHAPv2 in 802.1X?

EAP-TLS authenticates using certificates on both sides: the client presents its machine certificate, the NPS server presents its server certificate, and both are validated. It is the most secure method because credential theft is ineffective (there is no password to steal). PEAP-MSCHAPv2 tunnels a password-based exchange inside a TLS session to the NPS server: it is easier to deploy (no machine certificates required) but relies on password security and is susceptible to attacks against the MSCHAPv2 exchange if the outer TLS is misconfigured.

How do non-802.1X devices like printers connect with NAC enabled?

Use MAC Authentication Bypass (MAB) as a fallback: configure switch ports with `authentication order dot1x mab` so 802.1X is attempted first; if the device does not respond (no EAP supplicant), the switch sends the device's MAC address to NPS as the RADIUS username. In NPS, create a separate network policy with a Windows Group condition matching a security group of approved MAC addresses (formatted as AA-BB-CC-DD-EE-FF) to grant those devices a restricted VLAN. MAB is weaker than 802.1X because MAC addresses can be spoofed.

What is 802.1X and how does it improve network security?

802.1X is an IEEE standard for port-based Network Access Control (NAC). When a device connects to a switch port with 802.1X enabled, the switch (authenticator) requests credentials before allowing any network traffic. The device (supplicant) provides credentials via EAP; the switch forwards them to a RADIUS server (NPS on Windows, or FreeRADIUS) for verification. Only authenticated devices receive network access — unauthenticated devices are blocked or placed in a quarantine VLAN. 802.1X prevents unauthorized devices (rogue laptops, unsanctioned IoT) from connecting to the network. It provides device-level access control that complements user-level authentication.

What is the difference between EAP-TLS and PEAP-MSCHAPv2 for 802.1X?

EAP-TLS uses mutual certificate authentication: both the client and server present certificates. It is the most secure 802.1X method — no password is transmitted, and both parties authenticate by certificate. It requires client certificates deployed to all endpoints (via auto-enrollment from an internal CA, typically with Intune or SCCM). PEAP-MSCHAPv2 authenticates the server by certificate (client verifies the RADIUS server cert) and the client by username/password — no client certificate required. PEAP-MSCHAPv2 is easier to deploy but is vulnerable to credential theft if the client does not properly validate the server certificate. EAP-TLS is the recommended standard for enterprise environments.

What is the difference between LOLBAS and GTFO Bins?

LOLBAS (Living Off the Land Binaries, Libraries and Scripts) documents Windows native executables, libraries, and scripts that can be abused for offensive purposes -- the lolbas.project.github.io catalog lists executables with functions (Execute, Download, Copy, Encode) and references. GTFO Bins (gtfobins.github.io) is the Linux equivalent: it documents Unix binaries (bash, curl, python, find, awk) with techniques for privilege escalation, file reads, reverse shells, and bypassing restrictions. Both are defender reference resources: check these catalogs to understand which native binaries in your environment could be abused for each function, then build detection coverage around the highest-risk ones.

How do you handle 802.1X authentication failures for domain-joined machines when certificates expire or NPS becomes unavailable?

Certificate expiry is the most common 802.1X outage cause in production deployments. Domain machine certificates auto-enrolled via GPO should have 1-2 year validity; set the renewal threshold in the certificate template to 20% of lifetime so Auto-Enrollment renews certificates before they expire. Monitor for upcoming expiry by querying the enterprise CA: 'certutil -view -restrict "NotAfter<=01/01/2026" csv' to list certificates expiring before a target date. For NPS unavailability: configure at least two NPS servers as RADIUS servers on every switch and WAP, with the same shared secret, so each authenticator automatically fails over. Configure an auth-fail VLAN on switch ports ('dot1x auth-fail vlan 99') as a fallback for when RADIUS is unreachable: this gives computers enough network access to retrieve GPO updates and restore the configuration, while keeping them off the production VLAN. For servers and critical infrastructure where connectivity must be maintained, configure MAC Authentication Bypass as a fallback with those MAC addresses whitelisted in a separate NPS policy so an NPS outage does not cause a production outage for managed devices.

Sources & references

  1. Microsoft: NPS and 802.1X for Wired
  2. Microsoft: Deploy 802.1X Wireless Authentication
  3. IEEE 802.1X Standard Overview

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.