What is CertGuide.ai?

CertGuide.ai is an AI-powered certification prep platform that helps you pass CompTIA exams like Security+, Network+, and A+. It maps all exam concepts, diagnoses your weak areas, and creates personalized study plans.

How does CertGuide compare to CertMaster?

CertGuide.ai offers AI-powered diagnostics that map your knowledge across all 183 Security+ concepts, personalized study plans, and an AI tutor. Unlike traditional prep tools, CertGuide shows you exactly which concepts need work and tracks your progress to exam readiness.

What is the pass rate for CertGuide users?

99% of CertGuide users who reach 95% concept mastery pass their certification exam on the first attempt.

How much does CertGuide cost?

CertGuide offers a free baseline assessment to diagnose your current knowledge. Full course access is $49 per certification exam.

Which CompTIA certifications does CertGuide support?

CertGuide currently supports CompTIA Security+ (SY0-701), with Network+ and A+ (Core 1 & Core 2) launching soon.

What is the difference between 802.1X and MAC filtering?

802.1X authenticates users with credentials (username/password or certificates) through RADIUS, providing true identity verification. MAC filtering only checks the device's hardware address, which can easily be spoofed. 802.1X is much more secure but requires more infrastructure.

What is the difference between EAP-TLS and PEAP?

EAP-TLS requires certificates on both client and server for mutual authentication—most secure but requires PKI infrastructure. PEAP only requires a server certificate; clients authenticate with username/password inside an encrypted tunnel. PEAP is simpler to deploy with Active Directory.

What is a RADIUS server in 802.1X?

RADIUS is the authentication server in 802.1X that validates user credentials against a directory (like Active Directory) and makes access decisions. It communicates with the switch/WAP (authenticator) and can assign VLAN membership and apply access policies based on user or device attributes.

What happens when a device fails NAC posture assessment?

Non-compliant devices are typically placed in a remediation VLAN with limited access—usually only to update servers, patch services, or antivirus downloads. After the device becomes compliant (updated AV, patches applied), it can reauthenticate for full network access.

Objective 3.2High11 min

Port Security

Securing network ports using 802.1X authentication and Extensible Authentication Protocol (EAP). Covers network access control at the port level, MAC-based security, and NAC deployment strategies.

Understanding Port Security

Port security controls who can connect to network ports—both physical switch ports and wireless access points. Without port-level security, anyone can plug in a device and access the network.

Port security mechanisms: • 802.1X — Authentication protocol for port-based access control • EAP — Extensible Authentication Protocol for credential exchange • MAC filtering — Allow/deny based on hardware addresses • NAC — Network Access Control for compliance enforcement

The 2017 Equifax breach highlighted the importance of network segmentation and access control—attackers moved freely across the network once inside. Proper 802.1X implementation creates authentication boundaries that slow lateral movement.

Port security is the first line of defense against unauthorized network access.

Why This Matters for the Exam

Port security is heavily tested on SY0-701 because it's fundamental to network access control. Questions cover 802.1X architecture, EAP types, and NAC implementations.

Understanding port security helps with network design, compliance (many frameworks require NAC), and incident response. Unsecured ports allow rogue devices and lateral movement.

The exam tests both protocol understanding and practical deployment scenarios.

Deep Dive

What Is 802.1X and How Does It Work?

802.1X is an IEEE standard for port-based network access control (PNAC).

802.1X Components:

Component	Role	Example
Supplicant	Client requesting access	Laptop, phone
Authenticator	Controls port access	Switch, WAP
Authentication Server	Validates credentials	RADIUS server

802.1X Authentication Flow:

802.1X Authentication Flow

Supplicant

Client

Authenticator

Switch/WAP

Auth Server

RADIUS

EAPOL→

←EAP Req

EAP Resp→

RADIUS

←Accept

←Success

Port Opened

Port starts unauthorized → Auth succeeds → Port authorized

Before Authentication:

•Port is in "unauthorized" state—only 802.1X traffic allowed.

After Authentication:

•Port transitions to "authorized" state—full network access granted.

What Are the Different EAP Types?

EAP (Extensible Authentication Protocol) is the framework for authentication within 802.1X.

Common EAP Types:

EAP Type	Authentication Method	Security Level
EAP-TLS	Client certificate	Highest (mutual auth)
EAP-TTLS	Server cert + credentials	High
PEAP	Server cert + credentials	High
EAP-FAST	PAC + credentials	High (no PKI needed)
EAP-MD5	Password hash	Low (avoid)

EAP-TLS (Most Secure):

Requires: Certificate on BOTH client AND server
Mutual authentication
No passwords transmitted
Highest security, highest complexity

PEAP (Protected EAP):

Server presents certificate
Client validates server
TLS tunnel established
Username/password sent in tunnel
Most common enterprise deployment

EAP-FAST (Cisco):

No certificates required
Uses Protected Access Credentials (PAC)
Good security without PKI overhead
Cisco environments

How Does 802.1X Integrate with RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is the backend authentication server.

RADIUS in 802.1X Architecture

Client (Supplicant)

←EAP→

Switch/WAP (Authenticator)

RADIUS

RADIUS Server (Auth Server)

←→

Directory (AD/LDAP)

Client authenticates via EAP • Switch forwards to RADIUS • RADIUS validates against directory

RADIUS Functions:

Function	Description
Authentication	Verify user credentials
Authorization	Determine access level
Accounting	Log access events

RADIUS Attributes for 802.1X:

•VLAN assignment based on user/group
•ACL application per user
•Reauthentication timer
•Session timeout

What Is MAC-Based Port Security?

MAC Address Filtering:

Switch Port Configuration:
- Allow only MAC: AA:BB:CC:DD:EE:FF
- Action on violation: Shutdown/Restrict/Protect

MAC Security Options:

Option	Behavior
Static	Manually configure allowed MACs
Dynamic	Learn MACs automatically
Sticky	Learn and save MACs

Violation Actions:

Action	Result
Protect	Drop unauthorized, no log
Restrict	Drop unauthorized, log
Shutdown	Disable port, log

MAC Security Limitations:

•MAC addresses can be spoofed
•Doesn't verify user identity
•Administrative overhead
•Not sufficient alone

What Is Network Access Control (NAC)?

NAC goes beyond authentication to check device compliance.

NAC Functions:

Function	Check
Authentication	Is this an authorized user?
Posture assessment	Is the device compliant?
Remediation	Fix non-compliant devices
Authorization	What access level granted?

Posture Checks Include:

•Antivirus installed and updated
•OS patches current
•Firewall enabled
•Encryption enabled
•Approved device type

NAC Deployment Modes:

Mode	Description
Pre-admission	Check before network access
Post-admission	Check after access, remediate
Inline	NAC in traffic path
Out-of-band	NAC monitors via SNMP/802.1X

Remediation Network:

•Non-compliant devices placed in quarantine VLAN with access only to remediation servers.

How CompTIA Tests This

Example Analysis

Scenario: A company wants to implement network access control that authenticates users, verifies device compliance, and places guests on a separate network. They have Active Directory and want to avoid managing client certificates.

Analysis - NAC Solution Design:

Requirements:

Requirement	Solution Component
User authentication	802.1X with PEAP
Device compliance	NAC posture assessment
Guest network	Separate VLAN
No client certs	PEAP (server cert only)

Why PEAP:

•EAP-TLS requires client certificates. PEAP uses server certificate + AD credentials—simpler to deploy.

802.1X + NAC Solution Architecture

Users/Devices

Switches with 802.1X

RADIUS Server

↔

Active Directory

NAC Server

Compliant → Corporate VLAN

Non-compliant → Remediation

Guest auth → Guest VLAN

Auth fail → Blocked

PEAP with NAC provides strong auth without PKI complexity

Authentication Flow:

1.Device connects to switch port
2.802.1X initiates PEAP authentication
3.RADIUS validates against AD
4.NAC checks device posture
5.RADIUS assigns VLAN based on results

VLAN Assignments:

Result	VLAN	Access
Auth + Compliant	Corporate	Full
Auth + Non-compliant	Remediation	Limited
Guest auth	Guest	Internet only
Auth failure	None	Blocked

Implementation:

•PEAP with MS-CHAPv2 (AD integration)
•RADIUS server (Windows NPS or similar)
•NAC agent on corporate devices
•Posture checks: AV, patches, firewall
•Remediation server for updates

Key insight: PEAP with NAC provides strong authentication without PKI complexity. Posture assessment ensures only healthy devices get full access. Multiple VLANs provide appropriate access levels.

Key Terms

port security802.1XEAPnetwork access controlNACRADIUSMAC filteringswitch port security

Common Mistakes

Relying only on MAC filtering—MAC addresses are easily spoofed. Use 802.1X for real authentication.

Confusing 802.1X components—supplicant is the client, authenticator is the switch/AP, authentication server is RADIUS.

EAP-MD5 in production—EAP-MD5 provides no encryption and is vulnerable. Use EAP-TLS, PEAP, or EAP-FAST.

No remediation for NAC—blocking non-compliant devices without helping them become compliant causes support issues.

Exam Tips

802.1X = port-based network access control. Three components: Supplicant (client), Authenticator (switch/WAP), Authentication Server (RADIUS).

EAP-TLS = certificates on BOTH sides = most secure but most complex. PEAP = server cert only + username/password.

PEAP is most common in enterprise because it integrates with Active Directory without requiring client certificates.

NAC posture assessment checks: antivirus, patches, firewall, encryption, approved OS/device type.

MAC filtering is weak security (spoofable)—use for inventory tracking but not as primary security control.

Remediation VLAN = where non-compliant devices go to get updates/patches before gaining full access.

Memory Trick

802.1X Components - "SAA" like Security Access Approval:

•Supplicant = Seeking access (the client)
•Authenticator = Access point/switch (gatekeeper)
•Authentication server = Approves access (RADIUS)

EAP Type Security: "TLS = Top Level Security" (requires certs on both sides) "PEAP = Protected but Easier" (server cert + password)

Authentication Flow Memory: "Client ASKS switch, switch ASKS RADIUS, RADIUS says YES or NO"

•NAC Posture Checks - "PAFE":
•Patches current?
•Antivirus running?
•Firewall enabled?
•Encryption on?

VLAN Assignment: ``` Compliant → Corporate 🏢 Non-compliant → Remediation 🏥 Guest → Guest 🏨 Failure → Nothing 🚫 ```

MAC Filtering Warning: "MACs are like name tags—easy to fake" Don't trust MAC filtering alone for security.

Test Your Knowledge

Q1.In an 802.1X implementation, what component validates user credentials against Active Directory?

Q2.Which EAP type provides the HIGHEST security by requiring certificates on both client and server?

Q3.A company's NAC solution detects a laptop with outdated antivirus. What should happen to this device?

Want more practice with instant AI feedback?

Continue Learning

Network Appliance Types Wireless Security Standards

Ready for the Exam?

See exactly where you stand on this concept and 182 others.

99% pass rate · Pass guarantee

Network Appliance Types Firewall Types