Como Configurar a Autenticação 802.1X WiFi: Um Guia Passo a Passo

Este guia técnico oferece um passo a passo para configurar a autenticação 802.1X WiFi empresarial. Ele aborda a configuração do servidor RADIUS, a implantação de certificados e estratégias práticas de implantação para líderes de TI em locais de grande fluxo.

📖 5 GuidesSlugPage.minRead📝 1,126 GuidesSlugPage.words🔧 2 GuidesSlugPage.workedExamples❓ 3 GuidesSlugPage.practiceQuestions📚 8 GuidesSlugPage.keyDefinitions

GuidesSlugPage.podcastTitle

GuidesSlugPage.podcastTranscript

How to Configure 802.1X WiFi Authentication: A Step-by-Step Guide
A Purple Enterprise WiFi Intelligence Podcast

[INTRODUCTION — approximately 1 minute]

Welcome back. I'm speaking today as a senior solutions architect, and if you're listening to this, you're probably staring down a network security project that involves 802.1X authentication — either because your compliance team has flagged it, your insurer has asked about it, or you've just inherited a network that's running on a shared PSK and you know that's not good enough anymore.

So let's get straight into it. 802.1X is the IEEE standard for port-based network access control. It's the backbone of enterprise WiFi security — the mechanism that ensures every device connecting to your network has been positively identified and authorised before it gets a single byte of traffic through. This isn't optional for organisations handling payment card data under PCI DSS, it's not optional for healthcare environments under GDPR and NHS data security standards, and frankly, for any organisation running more than a handful of access points, it's the right architecture.

Over the next ten minutes, I'm going to walk you through the technical architecture, the RADIUS configuration, certificate deployment, and the real-world scenarios where this gets complicated. Let's go.

[TECHNICAL DEEP-DIVE — approximately 5 minutes]

Right, so the 802.1X framework has three components. You've got the Supplicant — that's the client device, the laptop, the phone, the IoT sensor. You've got the Authenticator — that's your access point or your network switch, sometimes called the NAS, the Network Access Server. And you've got the Authentication Server — almost universally a RADIUS server in enterprise deployments.

Here's how the handshake works. When a device tries to connect to an 802.1X-protected SSID, the access point doesn't just let it on. Instead, it opens what's called a controlled port — a limited channel that only passes EAP traffic, the Extensible Authentication Protocol. The AP sends an EAP-Request Identity to the device. The device responds with its identity. The AP then forwards that to the RADIUS server, wrapped in a RADIUS Access-Request packet. The RADIUS server runs the authentication — checking credentials against Active Directory, a certificate store, or whatever identity backend you've configured — and sends back either an Access-Accept or an Access-Reject. Only on an Accept does the AP open the full data port and assign the device to the appropriate VLAN.

Now, the EAP method you choose here matters enormously. There are five you'll encounter in enterprise deployments.

EAP-TLS is the gold standard. Both the client and the server present X.509 certificates. There are no passwords involved. It's the most secure option and the one required for the highest PCI DSS compliance tiers. The catch is that you need a full PKI — a Public Key Infrastructure — to issue and manage client certificates. That means a Certificate Authority, certificate lifecycle management, and a mechanism to push certificates to every device. For organisations with Microsoft Active Directory and Active Directory Certificate Services, this is very achievable. For organisations without that infrastructure, it's a significant investment.

PEAP-MSCHAPv2 is the most widely deployed method in practice. It creates a TLS tunnel using only a server-side certificate, then passes username and password credentials inside that tunnel. It's compatible with virtually every device out of the box, integrates directly with Active Directory via NPS on Windows Server, and doesn't require client certificates. The trade-off is that it's vulnerable to credential harvesting attacks if users are tricked into connecting to a rogue AP — because the client doesn't validate the server certificate by default. You must enforce server certificate validation in your supplicant profiles.

EAP-TTLS is similar to PEAP but more flexible in the inner authentication method. It's common in Linux environments and where you need to support legacy authentication backends.

EAP-FAST was developed by Cisco as a response to LEAP's weaknesses. It uses Protected Access Credentials rather than certificates. It's primarily relevant if you're in a Cisco-heavy environment or dealing with legacy devices that can't support the others.

EAP-SIM and EAP-AKA are used in carrier-grade deployments — think OpenRoaming or Passpoint — where authentication is tied to a SIM card or USIM. These are increasingly relevant for public venue WiFi where you want seamless, secure onboarding without a captive portal.

Now let's talk RADIUS configuration. Whether you're deploying Microsoft NPS, FreeRADIUS, Cisco ISE, or Aruba ClearPass, the core configuration steps are the same.

First, you define your RADIUS clients — these are your access points or wireless LAN controllers. Each client is registered with its IP address and a shared secret. That shared secret is used to authenticate the RADIUS messages between the AP and the server. Use a minimum of 22 characters, randomly generated, and unique per NAS device.

Second, you configure your network policy. This is where you define who gets access to what. In NPS terms, you're creating a Network Policy that matches conditions — group membership in Active Directory, device type, time of day — and assigns attributes — VLAN ID, session timeout, bandwidth limits. The RADIUS attribute you'll use most is VLAN assignment, specifically Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Private-Group-ID set to your VLAN number.

Third, you configure your connection request policy. This tells NPS how to handle incoming RADIUS requests — whether to authenticate locally or forward to another RADIUS server. In a distributed deployment, you might have a central RADIUS server with NPS proxies at each site.

On the certificate side, for PEAP and EAP-TLS, your RADIUS server needs a server certificate trusted by your clients. The simplest path is to use a certificate from a public CA — DigiCert, Sectigo, Let's Encrypt — because those root certificates are already trusted by all major operating systems. If you're using an internal CA, you need to push the root certificate to all client devices via Group Policy or your MDM platform.

For EAP-TLS specifically, you also need client certificates. In an Active Directory environment, you'd use ADCS with auto-enrolment via Group Policy to push certificates to domain-joined devices. For BYOD devices, you'd use your MDM — Intune, Jamf, VMware Workspace ONE — to push both the certificate and the WiFi profile.

On the access point side, the configuration is straightforward. You create a new SSID, set security to WPA2-Enterprise or WPA3-Enterprise, point the RADIUS authentication server to your NPS IP on UDP port 1812, set the RADIUS accounting server on UDP port 1813, enter the shared secret, and enable dynamic VLAN assignment if you're using it. Most enterprise AP platforms — Cisco Meraki, Aruba, Ruckus, Extreme — have a GUI for this that takes about ten minutes once your RADIUS server is ready.

[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes]

Right, let's talk about where deployments go wrong, because this is where I earn my consultancy fees.

The most common failure point is certificate validation. I've seen organisations deploy PEAP-MSCHAPv2 correctly on the server side, then leave client supplicant profiles configured to accept any certificate. That completely undermines the security model. Every supplicant profile — whether pushed via Group Policy or MDM — must specify the trusted root CA and the expected server name. Without that, you're vulnerable to evil twin attacks.

The second common issue is RADIUS shared secret management. I've seen production networks running with the shared secret set to "radius" or the vendor default. These secrets are the keys to your authentication infrastructure. Generate them randomly, store them in a secrets manager, and rotate them on a schedule.

Third: VLAN misconfiguration. Dynamic VLAN assignment is powerful — it lets you put staff devices on the corporate VLAN, contractors on a restricted VLAN, and IoT devices on an isolated VLAN, all from the same SSID. But if the RADIUS attributes aren't configured correctly, or the switch trunk ports aren't carrying the right VLANs, devices will either fail to connect or land on the wrong segment. Test this thoroughly in a lab before rolling out to production.

Fourth: redundancy. Your RADIUS server is now a critical piece of infrastructure. If it goes down, nobody connects. You need at minimum a primary and secondary RADIUS server configured on every AP. In large deployments, consider RADIUS proxy clusters with health monitoring.

Fifth, and this is specific to hospitality and retail environments: guest versus corporate separation. Your 802.1X corporate SSID and your guest WiFi SSID should be completely separate — different VLANs, different firewall policies, different DNS. A platform like Purple handles the guest side with its own captive portal and analytics layer, while your 802.1X infrastructure handles the corporate side. These are complementary, not competing, systems.

[RAPID-FIRE Q&A — approximately 1 minute]

Let me run through the questions I get most often.

Can I run 802.1X on a cloud-managed AP platform? Yes — Meraki, Aruba Central, and Ruckus Cloud all support it. You configure the RADIUS server details in the cloud dashboard, and the APs handle the EAP proxying.

Do I need Active Directory? No. FreeRADIUS can authenticate against LDAP, SQL databases, flat files, or even REST APIs. But AD integration via NPS is by far the most common enterprise path.

What about IoT devices that don't support 802.1X? Use MAC Authentication Bypass — MAB — as a fallback. The device's MAC address is sent to RADIUS as the username and password. It's not as secure as EAP, but it lets you onboard IoT devices while keeping them in a restricted VLAN.

Does 802.1X work with WPA3? Yes. WPA3-Enterprise is essentially WPA3 with 802.1X authentication. It adds stronger encryption — 192-bit in the high-security mode — and is the recommended standard for new deployments.

[SUMMARY AND NEXT STEPS — approximately 1 minute]

So to bring this together: 802.1X is not a nice-to-have. For any organisation handling sensitive data, processing payments, or operating in a regulated environment, it's the baseline for enterprise WiFi security. The architecture is well-established, the tooling is mature, and the deployment path is clear.

Start with your EAP method selection — PEAP-MSCHAPv2 if you need quick wins and broad compatibility, EAP-TLS if you have the PKI infrastructure and need the strongest security posture. Get your RADIUS server configured and redundant before you touch a single AP. Push your supplicant profiles via Group Policy or MDM before you go live. And keep your guest WiFi completely separate — use a purpose-built platform for that layer.

If you're operating a multi-venue environment — hotels, retail chains, stadiums — the complexity scales with the number of sites, but the architecture doesn't change. The key is centralised RADIUS with site-local redundancy, and a consistent MDM-pushed supplicant profile across your device fleet.

Thanks for listening. The full written guide, architecture diagrams, and configuration checklists are available at purple.ai. If you're planning an 802.1X deployment and want to talk through the specifics of your environment, reach out to the Purple team directly.

GuidesSlugPage.keyTakeawaysTitle

✓802.1X replaces vulnerable shared passwords with identity-based access control, essential for enterprise security and compliance.
✓The architecture relies on three components: the Supplicant (client), the Authenticator (AP), and the Authentication Server (RADIUS).
✓EAP-TLS offers the highest security via mutual certificate authentication, while PEAP-MSCHAPv2 is the most widely deployed due to broader compatibility.
✓Client devices must be provisioned via MDM or GPO to strictly validate the RADIUS server certificate to prevent credential harvesting attacks.
✓RADIUS Shared Secrets must be complex, unique per AP, and rotated regularly.
✓Dynamic VLAN assignment via RADIUS allows IT to segment traffic (e.g., staff vs. IoT) using a single corporate SSID.
✓Corporate 802.1X networks must be kept logically separated from Guest WiFi networks, which should utilise dedicated captive portal platforms.

Resumo Executivo

Para redes corporativas, PSKs (Pre-Shared Keys) compartilhadas não são mais suficientes para proteger a infraestrutura corporativa. À medida que as organizações enfrentam mandatos de conformidade mais rigorosos (PCI DSS, GDPR) e uma superfície de ataque em expansão, a transição para a autenticação 802.1X é um imperativo de segurança crítico.

Este guia oferece um passo a passo prático e independente de fornecedor para configurar o 802.1X em pontos de acesso empresariais. Abordamos a arquitetura central — Suplicante, Autenticador e Servidor de Autenticação — juntamente com o gerenciamento de certificados, configuração RADIUS e armadilhas comuns de implantação. Para gerentes de TI e arquitetos de rede que operam em ambientes de varejo, hospitalidade ou setor público, esta referência fornece os passos acionáveis necessários para implementar um controle de acesso à rede robusto e baseado em identidade, mantendo o tráfego corporativo e de convidados estritamente separado.

Ouça nosso podcast complementar abaixo para uma visão geral de 10 minutos da arquitetura e estratégias de implementação.

Análise Técnica Detalhada: A Arquitetura 802.1X

O padrão IEEE 802.1X define o controle de acesso à rede baseado em porta. Em um contexto sem fio, ele impede que um dispositivo cliente envie ou receba tráfego de dados até que tenha se autenticado com sucesso em um diretório central.

Os Três Componentes Principais

O Suplicante (Dispositivo Cliente): O software no laptop, smartphone ou dispositivo IoT que solicita acesso. Ele deve suportar o método EAP (Extensible Authentication Protocol) escolhido.
O Autenticador (Ponto de Acesso / WLC): O dispositivo de rede que atua como o porteiro. Ele abre uma "porta controlada" que permite apenas o tráfego EAP até que a autenticação seja bem-sucedida.
O Servidor de Autenticação (RADIUS): O servidor central (por exemplo, Microsoft NPS, FreeRADIUS, Cisco ISE) que valida as credenciais em relação a um armazenamento de identidade (como o Active Directory) e retorna uma mensagem de Access-Accept ou Access-Reject.

Métodos EAP: Escolhendo a Postura de Segurança Correta

A escolha do método EAP dita seu nível de segurança e complexidade de implantação.

EAP-TLS (Transport Layer Security): O padrão ouro. Requer certificados de servidor e cliente. Nenhuma senha é transmitida. Essencial para ambientes de alta segurança, mas requer uma Infraestrutura de Chave Pública (PKI) completa.
PEAP-MSCHAPv2 (Protected EAP): A implantação empresarial mais comum. Usa um certificado do lado do servidor para criar um túnel TLS seguro, dentro do qual o cliente envia um nome de usuário e senha. Mais fácil de implantar, mas vulnerável à coleta de credenciais se os dispositivos cliente não forem configurados para validar estritamente o certificado do servidor.
EAP-SIM/AKA: Utiliza credenciais de cartão SIM para autenticação. Cada vez mais relevante para o onboarding contínuo em hubs de Transporte e grandes locais públicos.

Guia de Implementação: Configuração Passo a Passo

A implantação do 802.1X requer configuração coordenada entre seu servidor RADIUS, seus pontos de acesso e seus dispositivos cliente.

Passo 1: Preparação do Servidor RADIUS

Seja você usando o Microsoft Network Policy Server (NPS) ou uma alternativa, os princípios centrais permanecem idênticos.

Definir Clientes RADIUS: Registre cada Ponto de Acesso (ou Controlador de LAN Sem Fio) em seu servidor RADIUS. Atribua um Segredo Compartilhado forte e gerado aleatoriamente (mínimo de 22 caracteres) para proteger as comunicações entre o AP e o servidor RADIUS.
Instalar o Certificado do Servidor: Para PEAP ou EAP-TLS, instale um certificado X.509 no servidor RADIUS. Usar um certificado de uma Autoridade Certificadora (CA) pública confiável simplifica a implantação para ambientes BYOD, pois o certificado raiz já é confiável pelos sistemas operacionais cliente.

Passo 2: Configuração de Políticas

Configure suas políticas de rede para ditar direitos de acesso com base na identidade.

Políticas de Solicitação de Conexão: Defina como o servidor RADIUS lida com as solicitações recebidas. Tipicamente, isso envolve a correspondência do NAS-Port-Type (Wireless - IEEE 802.11) e a autenticação de solicitações localmente.
Políticas de Rede: Mapeie grupos do Active Directory para direitos de acesso à rede. Por exemplo, mapeie o grupo 'Domain Computers' para a VLAN corporativa. Use atributos RADIUS (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=[VLAN_ID]) para atribuir VLANs dinamicamente após a autenticação bem-sucedida.

Passo 3: Configuração do Ponto de Acesso

Configure o SSID em sua infraestrutura sem fio (por exemplo, Meraki, Aruba, Cisco).

Crie um novo SSID e selecione WPA2-Enterprise ou WPA3-Enterprise.
Insira o endereço IP de seus servidores RADIUS primário e secundário.
Insira o Segredo Compartilhado definido no Passo 1.
Habilite a Atribuição Dinâmica de VLAN se seu servidor RADIUS estiver enviando atributos de VLAN.

Passo 4: Provisionamento do Suplicante Cliente

Este é o passo mais crítico e frequentemente negligenciado. Não dependa dos usuários para configurar manualmente seus dispositivos.

Dispositivos Corporativos: Use Objetos de Política de Grupo (GPO) ou sua plataforma de Gerenciamento de Dispositivos Móveis (MDM) para enviar o perfil WiFi. O perfil deve especificar a CA Raiz confiável e o nome exato do servidor RADIUS para prevenir ataques Evil Twin.
BYOD: Implemente um portal de onboarding ou solução MDM para enviar perfis seguros aos funcionários-dispositivos próprios.

Melhores Práticas e Padrões da Indústria

Para garantir uma implementação robusta, siga as seguintes melhores práticas arquitetônicas:

Validação Rigorosa de Certificados: Nunca permita que os clientes aceitem cegamente qualquer certificado de servidor. Este é o principal vetor para a coleta de credenciais PEAP.
Isolar o Tráfego de Convidados: Sua infraestrutura 802.1X é para acesso corporativo. O tráfego de convidados deve permanecer completamente segregado. Implemente uma plataforma dedicada de Guest WiFi com seu próprio captive portal e camada de análise. Conforme discutido em nosso guia sobre Proteja Sua Rede com DNS e Segurança Fortes , a separação lógica é fundamental para a defesa da rede.
Implementar Redundância: RADIUS é um serviço de caminho crítico. Implante servidores RADIUS primários e secundários. Em ambientes distribuídos, como grandes redes de Varejo , considere proxies RADIUS locais para garantir a sobrevivência se o link WAN cair.

Solução de Problemas e Mitigação de Riscos

Quando as implementações falham, geralmente se resume a alguns erros comuns de configuração:

Erros de Tempo Limite do RADIUS: Frequentemente causados por um Segredo Compartilhado (Shared Secret) incompatível entre o AP e o servidor RADIUS, ou por regras de firewall bloqueando as portas UDP 1812 (Autenticação) e 1813 (Contabilidade).
Rejeição de Cliente: Verifique os logs de eventos do RADIUS (por exemplo, Visualizador de Eventos do Windows -> Exibições Personalizadas -> Funções de Servidor -> Serviços de Política de Rede e Acesso). Procure pelo ID de Evento 6273. As causas comuns incluem certificados de cliente expirados ou o cliente falhando em confiar na cadeia de certificados do servidor.
Falhas na Atribuição de VLAN: Se a autenticação for bem-sucedida, mas o cliente não obtiver um endereço IP, verifique se a porta do switch conectada ao AP está configurada como uma porta trunk permitindo a VLAN atribuída dinamicamente.

ROI e Impacto nos Negócios

A implementação do 802.1X gera um ROI operacional e de segurança significativo:

Mitigação de Riscos: Elimina o risco de uma única PSK comprometida violar toda a rede corporativa, apoiando diretamente os esforços de conformidade com PCI DSS e GDPR.
Eficiência Operacional: Centraliza o controle de acesso. Quando um funcionário sai, desabilitar sua conta do Active Directory revoga imediatamente seu acesso WiFi. Não há necessidade de rotacionar PSKs em toda a empresa.
Visibilidade da Rede: Fornece visibilidade granular sobre exatamente quem está na rede e qual dispositivo está usando, permitindo um melhor planejamento de capacidade e caça a ameaças.

Para ambientes complexos e de alta densidade, como estádios ou locais de Hotelaria , gerenciar a segurança corporativa juntamente com o acesso de convidados é um desafio. Ao proteger ativos corporativos com 802.1X e aproveitar uma robusta plataforma de WiFi Analytics para o tráfego de visitantes, os líderes de TI podem oferecer conectividade segura e escalável que atende tanto à empresa quanto aos seus clientes. Para insights sobre como gerenciar ambientes de alta densidade, consulte nosso WiFi para Zoológicos e Parques Temáticos: Guia de Conectividade para Locais de Grande Fluxo .

GuidesSlugPage.keyDefinitionsTitle

802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

The foundational protocol for enterprise WiFi security, replacing vulnerable shared passwords.

Supplicant

The client device or software application requesting access to the network.

IT teams must manage supplicant configuration via MDM to ensure secure connections.

Authenticator

The network device (Access Point or Switch) that facilitates the authentication process by acting as a proxy between the Supplicant and the Authentication Server.

Configured with the RADIUS server IP and a shared secret to securely forward EAP traffic.

RADIUS

Remote Authentication Dial-In User Service; a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

The backend server (like Microsoft NPS) that actually validates the user's credentials against a directory.

EAP (Extensible Authentication Protocol)

An authentication framework frequently used in wireless networks and point-to-point connections, supporting multiple authentication methods.

The 'language' spoken between the Supplicant and the RADIUS server.

EAP-TLS

An EAP method that uses Transport Layer Security, requiring both server and client-side certificates for mutual authentication.

The most secure method available, often mandated for high-security or classified environments.

PEAP

Protected Extensible Authentication Protocol; encapsulates EAP within an encrypted and authenticated TLS tunnel.

The most widely deployed enterprise method, balancing security with ease of deployment by only requiring a server-side certificate.

Dynamic VLAN Assignment

The process where a RADIUS server instructs the Access Point to place an authenticated user onto a specific VLAN based on their directory group membership.

Crucial for segmenting network traffic (e.g., separating HR, Engineering, and IoT devices) while broadcasting only a single corporate SSID.

GuidesSlugPage.workedExamplesTitle

A 300-room luxury hotel needs to secure its back-of-house operational network (staff tablets, VoIP phones, management laptops) while keeping it entirely separate from the guest network. They currently use a single PSK for staff.

Deploy Microsoft NPS linked to the hotel's existing Active Directory.
Configure PEAP-MSCHAPv2, using a public certificate (e.g., DigiCert) on the NPS server to simplify tablet onboarding.
Create an 802.1X SSID ('Hotel_Ops') on the APs.
Use the hotel's MDM platform to push the 'Hotel_Ops' WiFi profile to all staff tablets and laptops, explicitly configuring the profile to trust the DigiCert root CA and validate the NPS server name.
Maintain the existing open guest SSID, routing it through Purple's captive portal for terms acceptance and analytics, ensuring guest VLANs cannot route to the operational VLANs.

GuidesSlugPage.examinerCommentary This approach balances security with deployment complexity. By using a public certificate on the RADIUS server, the hotel avoids the overhead of deploying a full PKI while still eliminating the shared PSK risk. The strict separation of guest and corporate traffic via VLANs and distinct authentication mechanisms aligns with PCI DSS requirements for the hotel's point-of-sale systems.

A university campus is migrating to 802.1X and needs to support a massive BYOD environment for 15,000 students across various operating systems.

Deploy a robust RADIUS cluster (e.g., FreeRADIUS or Cisco ISE) with load balancing.
Implement PEAP-MSCHAPv2 for broad device compatibility.
Deploy an onboarding portal (e.g., SecureW2) that automatically configures the student's device supplicant to use the correct EAP settings and trust the university's RADIUS server certificate.
Use dynamic VLAN assignment via RADIUS attributes to place students into appropriate subnets based on their campus location to manage broadcast domains.

GuidesSlugPage.examinerCommentary In higher education, BYOD is the primary challenge. Relying on manual configuration by students guarantees high helpdesk ticket volume and insecure configurations (users accepting invalid certificates). The onboarding portal is the critical success factor here, ensuring the supplicant is locked down to prevent credential harvesting.

GuidesSlugPage.practiceQuestionsTitle

Q1. Your organisation is deploying 802.1X using PEAP-MSCHAPv2. During testing, users report they are prompted to 'Accept a Certificate' when connecting for the first time. How should you address this?

GuidesSlugPage.hintPrefixConsider the security implications of allowing users to make trust decisions regarding network infrastructure.

GuidesSlugPage.viewModelAnswer

You must configure the client supplicant profiles (via MDM or Group Policy) to explicitly trust the Root CA that issued the RADIUS server's certificate, and to validate the specific server name. Relying on users to manually accept certificates trains them to ignore security warnings and leaves the network vulnerable to Evil Twin (credential harvesting) attacks.

Q2. You need to secure a fleet of warehouse barcode scanners. They support WPA2-Enterprise but do not have a mechanism to install client certificates or join Active Directory. What is the most secure deployment approach?

GuidesSlugPage.hintPrefixEvaluate the EAP methods that do not require client-side certificates but still provide encrypted authentication.

GuidesSlugPage.viewModelAnswer

Deploy PEAP-MSCHAPv2. Create a dedicated service account in your directory for the scanners. Configure the RADIUS server with a server certificate to establish the TLS tunnel, and configure the scanners to authenticate using the service account credentials inside the tunnel. Ensure the RADIUS policy restricts this service account to a specific, isolated warehouse VLAN.

Q3. After configuring the APs and the RADIUS server, client devices successfully authenticate (verified in RADIUS logs with an Access-Accept), but they fail to receive an IP address and cannot access the network. What is the most likely infrastructure issue?

GuidesSlugPage.hintPrefixAuthentication has succeeded, meaning the 802.1X phase is complete. The issue lies in the subsequent network provisioning phase.

GuidesSlugPage.viewModelAnswer

The most likely issue is a VLAN misconfiguration on the wired network. If the RADIUS server is using dynamic VLAN assignment to place the client on a specific VLAN (e.g., VLAN 20), the switch port connecting the Access Point must be configured as an 802.1Q trunk port that allows VLAN 20. If the VLAN is not trunked to the AP, the client's DHCP requests will be dropped.