
N4N056: A Wireless NAC Walkthrough

This episode of 'N is for Networking' features network security architect JJ Jabush walking through wireless Network Access Control (NAC) in detail, including 802.1X authentication, WPA2/WPA3 differences, certificate handling, wireless roaming with 802.11r Fast BSS Transition, and captive portals. The conversation builds on two prior episodes covering NAC basics and wired NAC. JJ also discusses how NAC fits into broader Zero Trust strategies in 2026.

Summary

This episode is the third in a series on Network Access Control, with guest JJ Jabush, a network security architect, explaining wireless NAC in transactional detail. The hosts Ethan Banks and Holly Poddelak guide the conversation, which assumes listeners have already heard the prior two episodes on NAC basics and wired NAC.

JJ begins by distinguishing NAC, a broad category of identity, authentication, and authorization mechanisms, from 802.1X specifically, which is only the IEEE port-based authentication framework that NAC products typically use for enforcement. She notes that while wired 802.1X implementations tend to be messy and inconsistent because switch vendors deviate from the standard, wireless 802.1X is far more standardized and reliable, making it the preferred first approach for wireless NAC.

The discussion covers WPA2 and WPA3. The Wi-Fi Protected Access standards define how wireless frames are encrypted and keyed; they use 802.1X/EAP only in their Enterprise modes, and 802.1X itself is independent of them. JJ highlights that WPA3 significantly reduces the ability for users to bypass server certificate validation during 802.1X authentication, which is a major security improvement. In the WPA3-Enterprise 192-bit mode, which she notes the federal government uses, the user override is disallowed outright.

A substantial portion of the episode is devoted to digital certificates in 802.1X. JJ explains that with the TLS-based EAP methods in common use (EAP-TLS, PEAP, EAP-TTLS) the RADIUS server always presents a certificate to prove its identity, but that endpoints must be configured to validate it, meaning both a trusted issuing CA and the expected server name. That step is frequently skipped or misconfigured, especially in environments with BYOD or non-domain-joined devices. Common failure modes include certificate renewals breaking endpoint trust configurations and overly specific pinning of the server certificate itself, rather than its issuing CA, in group policy or MDM profiles.
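As an added illustration (not configuration from the episode or from any vendor's product), here is the supplicant side of that validation in wpa_supplicant.conf, with the fragile pinning form beside the form that survives renewal. The SSID, identity, CA path and server name are assumed placeholders; only one of the network blocks would be used in practice.

```conf
# Fragile: pins one specific server certificate. Works until the RADIUS
# certificate is renewed, then every client fails TLS and drops off the SSID.
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe@corp.example"
    ca_cert="hash://server/sha256/<sha256 fingerprint of the current server cert>"
}

# Durable: trust the issuing CA and require the expected server name in the
# certificate's SubjectAltName dNSName (falling back to the CN). A renewal from
# the same CA under the same name is accepted without touching any endpoint.
# Without domain_match (or domain_suffix_match), any certificate from that CA
# would be accepted, which is unsafe if the CA is a public one.
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-issuing-ca.pem"
    domain_match="radius.corp.example"
}

# Broken: omitting ca_cert entirely makes wpa_supplicant skip server validation
# (it only logs a warning), so the inner MSCHAPv2 exchange will be completed
# with whatever RADIUS server sits behind a rogue AP advertising the same SSID.
```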

The hosts walk through the step-by-step wireless connection process using 802.1X: the client associates to an SSID configured for 802.1X, EAPoL exchanges occur between the endpoint (supplicant) and the access point (authenticator), the AP relays the EAP messages to the RADIUS server inside RADIUS Access-Request and Access-Challenge packets, and on success the RADIUS server returns the EAP master session key (MSK) in the Access-Accept. Both sides derive the pairwise master key (PMK) from that MSK, and the PMK seeds the four-way handshake that produces the per-session encryption keys and opens the controlled port for data. JJ notes that the RADIUS client in wireless environments could be the AP, a controller, or a gateway depending on the vendor architecture.

Roaming is discussed in depth. JJ strongly advocates against layer 3 roaming (moving between APs on different subnets while keeping the client's IP address, which requires tunnelling) because of its unnecessary complexity, arguing that modern enterprise wireless infrastructure handles broadcast domain concerns well enough that per-floor VLANs are no longer needed. For layer 2 roaming, 802.11r (Fast BSS Transition) is described as essential for 802.1X networks: the infrastructure derives per-AP keys from the master key established at the first authentication and pre-distributes them to neighboring APs, so a client can roam by completing only the fast transition exchange with the target AP instead of repeating the full EAP/RADIUS authentication cycle, avoiding disruption to latency-sensitive applications.
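The key hierarchy behind the association walkthrough and the roaming discussion above, as an added example that is not code from the episode or from any vendor: EAP success yields the MSK, the PMK is taken from it and seeds the four-way handshake, and under 802.11r the second half of the MSK seeds a PMK-R0 held by the controller, from which one PMK-R1 per AP is derived and pushed ahead of the client. The derivations follow IEEE 802.11-2016 clause 12.7 (PRF-384 for the WPA2 PTK, KDF-SHA256 for the FT hierarchy); the MSK, MAC addresses, nonces, SSID, mobility domain ID and R0KH-ID are constructed sample values, and the EAPOL-Key message body is a stand-in rather than a full frame.

```python
"""Key hierarchy behind wireless 802.1X and 802.11r, built to IEEE 802.11-2016
clause 12.7 (PRF, KDF, PTK and FT key derivation). Sample MSK, addresses and
nonces are constructed values, not captured traffic."""
import hashlib
import hmac
import struct

def prf(key, label, data, nbytes):
    """802.11 PRF-n with HMAC-SHA1 (12.7.1.2): expands the PMK into the PTK."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def kdf(key, label, context, nbits):
    """802.11 KDF-Hash-Length with HMAC-SHA256 (12.7.1.7.2), used by the FT hierarchy.
    Iteration counter and output bit length are 16-bit little-endian."""
    out = b""
    for i in range(1, (nbits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", nbits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: nbits // 8]

def pmk_from_msk(msk):
    """RADIUS returns the 64-byte EAP MSK in the Access-Accept (MS-MPPE-Recv-Key ||
    MS-MPPE-Send-Key). The WPA2/WPA3-Enterprise PMK is its first 256 bits."""
    return msk[:32]

def ptk_wpa2(pmk, aa, spa, anonce, snonce):
    """PTK for AKM 00-0F-AC:1 (802.1X) with CCMP: PRF-384 over the ordered
    MAC addresses and nonces. Returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

def eapol_mic(kck, frame):
    """EAPOL-Key MIC for that AKM: HMAC-SHA1 truncated to 128 bits over the
    frame with its MIC field zeroed."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(pmk_sta, pmk_ap, aa, spa, anonce, snonce):
    """Supplicant and authenticator each derive the PTK from their own copy of
    the PMK. The AP accepts message 2 only if its MIC verifies under the AP's
    KCK, which is what proves both sides hold the same PMK. Returns (accepted, TK)."""
    kck_sta, _, _ = ptk_wpa2(pmk_sta, aa, spa, anonce, snonce)
    kck_ap, _, tk_ap = ptk_wpa2(pmk_ap, aa, spa, anonce, snonce)
    msg2 = b"\x02\x03" + snonce + bytes(16)  # constructed stand-in for the EAPOL-Key body, MIC zeroed
    accepted = hmac.compare_digest(eapol_mic(kck_sta, msg2), eapol_mic(kck_ap, msg2))
    return accepted, tk_ap

def ft_pmk_r0(msk, ssid, mdid, r0kh_id, sta):
    """FT-802.1X (AKM 00-0F-AC:3): XXKey is the second 256 bits of the MSK. PMK-R0
    is held by the R0KH (normally the controller) and by the station."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta
    return kdf(msk[32:64], b"FT-R0", ctx, 384)[:32]  # last 128 bits are the PMKR0Name salt

def ft_pmk_r1(pmk_r0, r1kh_id, sta):
    """One PMK-R1 per AP (R1KH-ID is that AP's address), pushed to the AP before
    the client arrives. A compromised AP learns no other AP's PMK-R1."""
    return kdf(pmk_r0, b"FT-R1", r1kh_id + sta, 256)

def ft_ptk(pmk_r1, snonce, anonce, bssid, sta):
    """FT PTK for CCMP (12.7.1.7.5): KDF-384 over nonces and addresses. Returns (KCK, KEK, TK)."""
    ptk = kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]

def roam(msk, ssid, mdid, r0kh_id, sta, ap_old, ap_new, snonce, anonce):
    """Station moves from ap_old to ap_new. The controller derived PMK-R1 for ap_new
    from its PMK-R0 and pushed it ahead of time; the station derives the same
    PMK-R1 from its own PMK-R0, so both reach a fresh TK with no RADIUS round
    trip. Returns (infra and station PMK-R1 agree, TK at ap_old, TK at ap_new)."""
    pmk_r0_infra = ft_pmk_r0(msk, ssid, mdid, r0kh_id, sta)   # controller side
    pmk_r0_sta = ft_pmk_r0(msk, ssid, mdid, r0kh_id, sta)     # station side
    r1_pushed_to_ap_new = ft_pmk_r1(pmk_r0_infra, ap_new, sta)
    r1_at_station = ft_pmk_r1(pmk_r0_sta, ap_new, sta)
    _, _, tk_old = ft_ptk(ft_pmk_r1(pmk_r0_sta, ap_old, sta), snonce, anonce, ap_old, sta)
    _, _, tk_new = ft_ptk(r1_at_station, snonce, anonce, ap_new, sta)
    return r1_pushed_to_ap_new == r1_at_station, tk_old, tk_new

# Constructed sample values (locally administered MACs, fixed nonces).
MSK = hashlib.sha512(b"constructed EAP MSK").digest()   # 64 bytes, as RADIUS would return
STA = bytes.fromhex("020000000001")
AP1 = bytes.fromhex("0200000000a1")
AP2 = bytes.fromhex("0200000000a2")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
SSID, MDID, R0KH_ID = b"corp-secure", b"\x12\x34", b"wlc01.corp.example"

if __name__ == "__main__":
    pmk = pmk_from_msk(MSK)
    print("4-way handshake accepted:", four_way_handshake(pmk, pmk, AP1, STA, ANONCE, SNONCE)[0])
    print("wrong PMK on station rejected:", not four_way_handshake(MSK[32:], pmk, AP1, STA, ANONCE, SNONCE)[0])
    agree, tk_old, tk_new = roam(MSK, SSID, MDID, R0KH_ID, STA, AP1, AP2, SNONCE, ANONCE)
    print("FT roam PMK-R1 agree:", agree, "new TK differs:", tk_old != tk_new)
```

Two things to notice: the PTK derivation is symmetric in the addresses and nonces, so neither side has to know who spoke first, and under FT each AP only ever holds its own PMK-R1, so the roam never exposes the PMK-R0 or the MSK to the edge.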

Captive portals are discussed as notoriously unreliable, with failures stemming from operating system differences in how Apple, Android, and Windows detect and respond to portal environments, from DNS/DHCP redirect mechanisms, MDM settings, and VPNs, and even from JavaScript on the portal page itself (the operating systems render portal pages in restricted mini-browsers rather than a full browser). JJ notes that each OS vendor uses different probe mechanisms to detect captive portals and that the interaction between those mechanisms and the portal hosting infrastructure is highly variable.
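An added example, not code from the episode or from any portal product, of why one portal behaves differently per operating system: each vendor's probe fetches a different URL and applies its own success rule, so the same gateway behaviour produces different verdicts. The probe targets and expected answers are the published vendor endpoints (Android OEMs often substitute their own); the portal gateway, its walled-garden logic and the `portal.example.net` login host are a constructed model.

```python
"""Simulated OS captive-portal probes against a constructed portal gateway."""

# Probe target per OS. Vendors change these occasionally and Android OEMs
# frequently swap in their own hosts, which is one source of inconsistency.
PROBES = {
    "apple":   ("captive.apple.com", "/hotspot-detect.html"),
    "android": ("connectivitycheck.gstatic.com", "/generate_204"),
    "windows": ("www.msftconnecttest.com", "/connecttest.txt"),
}

def origin(host, path):
    """What the real probe endpoints answer when traffic actually reaches them."""
    if (host, path) == PROBES["apple"]:
        return 200, b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
    if (host, path) == PROBES["android"]:
        return 204, b""
    if (host, path) == PROBES["windows"]:
        return 200, b"Microsoft Connect Test"
    return 404, b"not found"

def os_sees_captive(os_name, status, body):
    """Each OS has its own success rule; any other answer means 'captive portal'.
    Apple checks for its Success page, Android wants exactly a 204, Windows NCSI
    wants the exact text body."""
    if os_name == "apple":
        return not (status == 200 and b"<TITLE>Success</TITLE>" in body)
    if os_name == "android":
        return status != 204
    if os_name == "windows":
        return not (status == 200 and body == b"Microsoft Connect Test")
    raise ValueError(os_name)

def portal_gateway(host, path, authenticated, walled_garden=frozenset()):
    """Constructed gateway: an unauthenticated client's HTTP request is answered
    with a 302 to the login page, unless the host is in the walled garden, in
    which case it is passed straight through to the real origin."""
    if authenticated or host in walled_garden:
        return origin(host, path)
    return 302, b"<a href='http://portal.example.net/login'>login</a>"

def run_probes(authenticated, walled_garden=frozenset()):
    """Returns {os: True if that OS would pop its captive-portal prompt}."""
    return {
        os_name: os_sees_captive(os_name, *portal_gateway(host, path, authenticated, walled_garden))
        for os_name, (host, path) in PROBES.items()
    }

if __name__ == "__main__":
    print("before login:", run_probes(False))   # every OS prompts
    print("after login: ", run_probes(True))    # nobody prompts
    # Common mistake: someone allowlists Google's probe host "to stop the noise".
    # Android now believes it has internet, never shows the portal, and the user
    # reports "no internet" while Apple and Windows devices keep working.
    print("probe host allowlisted:", run_probes(False, frozenset({"connectivitycheck.gstatic.com"})))
```

The model deliberately only covers the HTTP intercept path; a gateway that silently drops probe traffic instead of redirecting it, or that only intercepts HTTPS, produces yet another set of per-OS outcomes, which is the variability JJ describes.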

On vendor selection for NAC, JJ warns against the assumption that same-vendor ecosystems (e.g., Cisco switching with Cisco ISE, or Aruba with ClearPass) automatically yield the best results, noting that large vendors often have siloed business units with poor internal integration. She recommends requirements-first selection rather than brand loyalty.

Finally, JJ addresses where NAC sits in 2026, arguing that while some peers consider NAC obsolete, it remains a critical component of Zero Trust strategies, particularly for the 30 to 70 percent of devices on enterprise networks that are headless IoT devices, which cannot run software agents and must be controlled at the network layer. She expresses hope that within four years, identity-based enforcement with ubiquitous PKI and certificates will replace current NAC approaches, citing the Matter protocol for consumer IoT as proof that certificate-based identity for devices is achievable.

Key Insights

  • JJ argues that 802.1X on wireless networks is far more standardized and reliable than on wired networks because Wi-Fi vendors adhere more closely to the standard, making wireless the preferred domain for 802.1X-based NAC.
  • JJ claims that WPA3 significantly restricts a user's ability to bypass RADIUS server certificate validation during 802.1X authentication, and that in 192-bit mode, server certificate bypass is entirely impossible.
  • JJ asserts that the RADIUS server always authenticates itself to the endpoint via a certificate in 802.1X, but that this validation is frequently skipped in real deployments, often because the trust anchor for the server certificate was never pushed to endpoints via MDM or group policy.
  • JJ identifies certificate lifecycle management as a primary failure point in 802.1X deployments, noting that renewing a server certificate without updating the trusted certificate reference on endpoints can lock all users off the network.
  • JJ argues strongly against layer 3 wireless roaming, stating that modern enterprise Wi-Fi infrastructure handles broadcast domain management well enough that per-floor VLANs are unnecessary and the added complexity of layer 3 roaming is avoidable.
  • JJ explains that 802.11r (Fast BSS Transition) is essential for 802.1X wireless networks because without it, every AP-to-AP roam triggers a full RADIUS re-authentication cycle, causing noticeable disruption to latency-sensitive applications like voice, streaming, and EHR platforms.
  • JJ claims that captive portal reliability is fundamentally limited by the fact that each operating system vendor (Apple, Google, Microsoft, Samsung) uses different probe mechanisms to detect captive portals, making consistent behavior across all endpoints nearly impossible to engineer.
  • JJ contends that selecting a NAC product based on brand alignment with the wireless infrastructure vendor (e.g., Cisco ISE with Cisco gear) is a common reason NAC projects fail, and that requirements-first product selection is more likely to succeed.
  • JJ estimates that 30 to 70 percent of devices on enterprise networks are headless IoT devices that most organizations do not fully account for, and that these devices cannot participate in agent-based Zero Trust enforcement — making network-layer NAC controls still necessary.
  • JJ argues that traditional NAC remains a critical component of Zero Trust strategies in 2026 specifically because of the large volume of headless devices that cannot run software agents and must be controlled at layer 2 or layer 3 by the network infrastructure.
  • JJ points to the Matter protocol from the Connectivity Standards Alliance as evidence that full PKI and certificate-based identity for IoT devices is technically achievable, and uses it to argue that the industry should demand similar standards from enterprise IoT vendors.
  • JJ explains that in wireless 802.1X the keying material generated during the EAP/RADIUS exchange, a PMK derived from the EAP master session key rather than from a passphrase, feeds into the four-way handshake that produces the session keys, which is why roaming protocols like 802.11r must distribute keys derived from it to neighboring APs ahead of time.

Topics

  • Wireless NAC vs. wired NAC differences
  • 802.1X authentication on wireless networks
  • WPA2 vs. WPA3 and certificate validation
  • Digital certificates and PKI in 802.1X
  • Wireless roaming and 802.11r Fast BSS Transition
  • Captive portals and their failure modes
  • RADIUS server configuration for wireless
  • NAC vendor selection considerations
  • NAC and Zero Trust in 2026
  • IoT device profiling and headless device challenges

Full transcript available for MurmurCast members
