Como Configurar a Autenticação 802.1X WiFi: Um Guia Passo a Passo

Este guia técnico fornece um passo a passo para configurar a autenticação 802.1X WiFi empresarial. Abrange a configuração do servidor RADIUS, a implementação de certificados e estratégias de implementação práticas para líderes de TI em locais com grande afluência.

📖 5 GuidesSlugPage.minRead📝 1,126 GuidesSlugPage.words🔧 2 GuidesSlugPage.workedExamples❓ 3 GuidesSlugPage.practiceQuestions📚 8 GuidesSlugPage.keyDefinitions

GuidesSlugPage.podcastTitle

GuidesSlugPage.podcastTranscript

How to Configure 802.1X WiFi Authentication: A Step-by-Step Guide
A Purple Enterprise WiFi Intelligence Podcast

[INTRODUCTION — approximately 1 minute]

Welcome back. I'm speaking today as a senior solutions architect, and if you're listening to this, you're probably staring down a network security project that involves 802.1X authentication — either because your compliance team has flagged it, your insurer has asked about it, or you've just inherited a network that's running on a shared PSK and you know that's not good enough anymore.

So let's get straight into it. 802.1X is the IEEE standard for port-based network access control. It's the backbone of enterprise WiFi security — the mechanism that ensures every device connecting to your network has been positively identified and authorised before it gets a single byte of traffic through. This isn't optional for organisations handling payment card data under PCI DSS, it's not optional for healthcare environments under GDPR and NHS data security standards, and frankly, for any organisation running more than a handful of access points, it's the right architecture.

Over the next ten minutes, I'm going to walk you through the technical architecture, the RADIUS configuration, certificate deployment, and the real-world scenarios where this gets complicated. Let's go.

[TECHNICAL DEEP-DIVE — approximately 5 minutes]

Right, so the 802.1X framework has three components. You've got the Supplicant — that's the client device, the laptop, the phone, the IoT sensor. You've got the Authenticator — that's your access point or your network switch, sometimes called the NAS, the Network Access Server. And you've got the Authentication Server — almost universally a RADIUS server in enterprise deployments.

Here's how the handshake works. When a device tries to connect to an 802.1X-protected SSID, the access point doesn't just let it on. Instead, it opens what's called a controlled port — a limited channel that only passes EAP traffic, the Extensible Authentication Protocol. The AP sends an EAP-Request Identity to the device. The device responds with its identity. The AP then forwards that to the RADIUS server, wrapped in a RADIUS Access-Request packet. The RADIUS server runs the authentication — checking credentials against Active Directory, a certificate store, or whatever identity backend you've configured — and sends back either an Access-Accept or an Access-Reject. Only on an Accept does the AP open the full data port and assign the device to the appropriate VLAN.

Now, the EAP method you choose here matters enormously. There are five you'll encounter in enterprise deployments.

EAP-TLS is the gold standard. Both the client and the server present X.509 certificates. There are no passwords involved. It's the most secure option and the one required for the highest PCI DSS compliance tiers. The catch is that you need a full PKI — a Public Key Infrastructure — to issue and manage client certificates. That means a Certificate Authority, certificate lifecycle management, and a mechanism to push certificates to every device. For organisations with Microsoft Active Directory and Active Directory Certificate Services, this is very achievable. For organisations without that infrastructure, it's a significant investment.

PEAP-MSCHAPv2 is the most widely deployed method in practice. It creates a TLS tunnel using only a server-side certificate, then passes username and password credentials inside that tunnel. It's compatible with virtually every device out of the box, integrates directly with Active Directory via NPS on Windows Server, and doesn't require client certificates. The trade-off is that it's vulnerable to credential harvesting attacks if users are tricked into connecting to a rogue AP — because the client doesn't validate the server certificate by default. You must enforce server certificate validation in your supplicant profiles.

EAP-TTLS is similar to PEAP but more flexible in the inner authentication method. It's common in Linux environments and where you need to support legacy authentication backends.

EAP-FAST was developed by Cisco as a response to LEAP's weaknesses. It uses Protected Access Credentials rather than certificates. It's primarily relevant if you're in a Cisco-heavy environment or dealing with legacy devices that can't support the others.

EAP-SIM and EAP-AKA are used in carrier-grade deployments — think OpenRoaming or Passpoint — where authentication is tied to a SIM card or USIM. These are increasingly relevant for public venue WiFi where you want seamless, secure onboarding without a captive portal.

Now let's talk RADIUS configuration. Whether you're deploying Microsoft NPS, FreeRADIUS, Cisco ISE, or Aruba ClearPass, the core configuration steps are the same.

First, you define your RADIUS clients — these are your access points or wireless LAN controllers. Each client is registered with its IP address and a shared secret. That shared secret is used to authenticate the RADIUS messages between the AP and the server. Use a minimum of 22 characters, randomly generated, and unique per NAS device.

Second, you configure your network policy. This is where you define who gets access to what. In NPS terms, you're creating a Network Policy that matches conditions — group membership in Active Directory, device type, time of day — and assigns attributes — VLAN ID, session timeout, bandwidth limits. The RADIUS attribute you'll use most is VLAN assignment, specifically Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Private-Group-ID set to your VLAN number.

Third, you configure your connection request policy. This tells NPS how to handle incoming RADIUS requests — whether to authenticate locally or forward to another RADIUS server. In a distributed deployment, you might have a central RADIUS server with NPS proxies at each site.

On the certificate side, for PEAP and EAP-TLS, your RADIUS server needs a server certificate trusted by your clients. The simplest path is to use a certificate from a public CA — DigiCert, Sectigo, Let's Encrypt — because those root certificates are already trusted by all major operating systems. If you're using an internal CA, you need to push the root certificate to all client devices via Group Policy or your MDM platform.

For EAP-TLS specifically, you also need client certificates. In an Active Directory environment, you'd use ADCS with auto-enrolment via Group Policy to push certificates to domain-joined devices. For BYOD devices, you'd use your MDM — Intune, Jamf, VMware Workspace ONE — to push both the certificate and the WiFi profile.

On the access point side, the configuration is straightforward. You create a new SSID, set security to WPA2-Enterprise or WPA3-Enterprise, point the RADIUS authentication server to your NPS IP on UDP port 1812, set the RADIUS accounting server on UDP port 1813, enter the shared secret, and enable dynamic VLAN assignment if you're using it. Most enterprise AP platforms — Cisco Meraki, Aruba, Ruckus, Extreme — have a GUI for this that takes about ten minutes once your RADIUS server is ready.

[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes]

Right, let's talk about where deployments go wrong, because this is where I earn my consultancy fees.

The most common failure point is certificate validation. I've seen organisations deploy PEAP-MSCHAPv2 correctly on the server side, then leave client supplicant profiles configured to accept any certificate. That completely undermines the security model. Every supplicant profile — whether pushed via Group Policy or MDM — must specify the trusted root CA and the expected server name. Without that, you're vulnerable to evil twin attacks.

The second common issue is RADIUS shared secret management. I've seen production networks running with the shared secret set to "radius" or the vendor default. These secrets are the keys to your authentication infrastructure. Generate them randomly, store them in a secrets manager, and rotate them on a schedule.

Third: VLAN misconfiguration. Dynamic VLAN assignment is powerful — it lets you put staff devices on the corporate VLAN, contractors on a restricted VLAN, and IoT devices on an isolated VLAN, all from the same SSID. But if the RADIUS attributes aren't configured correctly, or the switch trunk ports aren't carrying the right VLANs, devices will either fail to connect or land on the wrong segment. Test this thoroughly in a lab before rolling out to production.

Fourth: redundancy. Your RADIUS server is now a critical piece of infrastructure. If it goes down, nobody connects. You need at minimum a primary and secondary RADIUS server configured on every AP. In large deployments, consider RADIUS proxy clusters with health monitoring.

Fifth, and this is specific to hospitality and retail environments: guest versus corporate separation. Your 802.1X corporate SSID and your guest WiFi SSID should be completely separate — different VLANs, different firewall policies, different DNS. A platform like Purple handles the guest side with its own captive portal and analytics layer, while your 802.1X infrastructure handles the corporate side. These are complementary, not competing, systems.

[RAPID-FIRE Q&A — approximately 1 minute]

Let me run through the questions I get most often.

Can I run 802.1X on a cloud-managed AP platform? Yes — Meraki, Aruba Central, and Ruckus Cloud all support it. You configure the RADIUS server details in the cloud dashboard, and the APs handle the EAP proxying.

Do I need Active Directory? No. FreeRADIUS can authenticate against LDAP, SQL databases, flat files, or even REST APIs. But AD integration via NPS is by far the most common enterprise path.

What about IoT devices that don't support 802.1X? Use MAC Authentication Bypass — MAB — as a fallback. The device's MAC address is sent to RADIUS as the username and password. It's not as secure as EAP, but it lets you onboard IoT devices while keeping them in a restricted VLAN.

Does 802.1X work with WPA3? Yes. WPA3-Enterprise is essentially WPA3 with 802.1X authentication. It adds stronger encryption — 192-bit in the high-security mode — and is the recommended standard for new deployments.

[SUMMARY AND NEXT STEPS — approximately 1 minute]

So to bring this together: 802.1X is not a nice-to-have. For any organisation handling sensitive data, processing payments, or operating in a regulated environment, it's the baseline for enterprise WiFi security. The architecture is well-established, the tooling is mature, and the deployment path is clear.

Start with your EAP method selection — PEAP-MSCHAPv2 if you need quick wins and broad compatibility, EAP-TLS if you have the PKI infrastructure and need the strongest security posture. Get your RADIUS server configured and redundant before you touch a single AP. Push your supplicant profiles via Group Policy or MDM before you go live. And keep your guest WiFi completely separate — use a purpose-built platform for that layer.

If you're operating a multi-venue environment — hotels, retail chains, stadiums — the complexity scales with the number of sites, but the architecture doesn't change. The key is centralised RADIUS with site-local redundancy, and a consistent MDM-pushed supplicant profile across your device fleet.

Thanks for listening. The full written guide, architecture diagrams, and configuration checklists are available at purple.ai. If you're planning an 802.1X deployment and want to talk through the specifics of your environment, reach out to the Purple team directly.

GuidesSlugPage.keyTakeawaysTitle

✓802.1X replaces vulnerable shared passwords with identity-based access control, essential for enterprise security and compliance.
✓The architecture relies on three components: the Supplicant (client), the Authenticator (AP), and the Authentication Server (RADIUS).
✓EAP-TLS offers the highest security via mutual certificate authentication, while PEAP-MSCHAPv2 is the most widely deployed due to broader compatibility.
✓Client devices must be provisioned via MDM or GPO to strictly validate the RADIUS server certificate to prevent credential harvesting attacks.
✓RADIUS Shared Secrets must be complex, unique per AP, and rotated regularly.
✓Dynamic VLAN assignment via RADIUS allows IT to segment traffic (e.g., staff vs. IoT) using a single corporate SSID.
✓Corporate 802.1X networks must be kept logically separated from Guest WiFi networks, which should utilise dedicated captive portal platforms.

Resumo Executivo

Para redes empresariais, as PSKs (Pre-Shared Keys) partilhadas já não são suficientes para proteger a infraestrutura corporativa. À medida que as organizações enfrentam mandatos de conformidade mais rigorosos (PCI DSS, GDPR) e uma superfície de ataque em expansão, a transição para a autenticação 802.1X é um imperativo de segurança crítico.

Este guia fornece um passo a passo de implementação prático e independente de fornecedor para configurar o 802.1X em pontos de acesso empresariais. Abordamos a arquitetura central — Suplicante, Autenticador e Servidor de Autenticação — juntamente com a gestão de certificados, a configuração RADIUS e as armadilhas comuns de implementação. Para gestores de TI e arquitetos de rede que operam em ambientes de retalho, hotelaria ou setor público, esta referência fornece os passos acionáveis necessários para implementar um controlo de acesso à rede robusto e baseado em identidade, mantendo o tráfego corporativo e de convidados estritamente separado.

Ouça o nosso podcast complementar abaixo para uma visão geral de 10 minutos da arquitetura e estratégias de implementação.

Análise Técnica Detalhada: A Arquitetura 802.1X

O padrão IEEE 802.1X define o controlo de acesso à rede baseado em porta. Num contexto sem fios, impede que um dispositivo cliente envie ou receba tráfego de dados até que se tenha autenticado com sucesso num diretório central.

Os Três Componentes Principais

O Suplicante (Dispositivo Cliente): O software no portátil, smartphone ou dispositivo IoT que solicita acesso. Deve suportar o método EAP (Extensible Authentication Protocol) escolhido.
O Autenticador (Ponto de Acesso / WLC): O dispositivo de rede que atua como porteiro. Abre uma "porta controlada" que só permite tráfego EAP até que a autenticação seja bem-sucedida.
O Servidor de Autenticação (RADIUS): O servidor central (por exemplo, Microsoft NPS, FreeRADIUS, Cisco ISE) que valida as credenciais contra um armazenamento de identidade (como o Active Directory) e retorna uma mensagem de Access-Accept ou Access-Reject.

Métodos EAP: Escolher a Postura de Segurança Correta

A escolha do método EAP dita o seu nível de segurança e a complexidade da implementação.

EAP-TLS (Transport Layer Security): O padrão de excelência. Requer certificados de servidor e cliente. Não são transmitidas palavras-passe. Essencial para ambientes de alta segurança, mas requer uma Infraestrutura de Chave Pública (PKI) completa.
PEAP-MSCHAPv2 (Protected EAP): A implementação empresarial mais comum. Utiliza um certificado do lado do servidor para criar um túnel TLS seguro, dentro do qual o cliente envia um nome de utilizador e uma palavra-passe. Mais fácil de implementar, mas vulnerável à recolha de credenciais se os dispositivos cliente não estiverem configurados para validar estritamente o certificado do servidor.
EAP-SIM/AKA: Utiliza credenciais de cartão SIM para autenticação. Cada vez mais relevante para o onboarding contínuo em centros de Transporte e grandes espaços públicos.

Guia de Implementação: Configuração Passo a Passo

A implementação de 802.1X requer uma configuração coordenada entre o seu servidor RADIUS, os seus pontos de acesso e os seus dispositivos cliente.

Passo 1: Preparação do Servidor RADIUS

Quer esteja a utilizar o Microsoft Network Policy Server (NPS) ou uma alternativa, os princípios centrais permanecem idênticos.

Definir Clientes RADIUS: Registe cada Ponto de Acesso (ou Controlador de LAN Sem Fios) no seu servidor RADIUS. Atribua um Segredo Partilhado forte e gerado aleatoriamente (mínimo de 22 caracteres) para proteger as comunicações entre o AP e o servidor RADIUS.
Instalar o Certificado do Servidor: Para PEAP ou EAP-TLS, instale um certificado X.509 no servidor RADIUS. A utilização de um certificado de uma Autoridade de Certificação (CA) pública fidedigna simplifica a implementação para ambientes BYOD, uma vez que o certificado raiz já é fidedigno pelos sistemas operativos cliente.

Passo 2: Configuração de Políticas

Configure as suas políticas de rede para ditar os direitos de acesso com base na identidade.

Políticas de Pedido de Conexão: Defina como o servidor RADIUS lida com os pedidos recebidos. Tipicamente, isto envolve corresponder o NAS-Port-Type (Wireless - IEEE 802.11) e autenticar os pedidos localmente.
Políticas de Rede: Mapeie grupos do Active Directory para direitos de acesso à rede. Por exemplo, mapeie o grupo 'Domain Computers' para a VLAN corporativa. Utilize atributos RADIUS (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=[VLAN_ID]) para atribuir VLANs dinamicamente após autenticação bem-sucedida.

Passo 3: Configuração do Ponto de Acesso

Configure o SSID na sua infraestrutura sem fios (por exemplo, Meraki, Aruba, Cisco).

Crie um novo SSID e selecione WPA2-Enterprise ou WPA3-Enterprise.
Introduza o endereço IP dos seus servidores RADIUS primário e secundário.
Introduza o Segredo Partilhado definido no Passo 1.
Ative a Atribuição Dinâmica de VLAN se o seu servidor RADIUS estiver a enviar atributos de VLAN.

Passo 4: Provisionamento do Suplicante Cliente

Este é o passo mais crítico e frequentemente negligenciado. Não dependa dos utilizadores para configurar manualmente os seus dispositivos.

Dispositivos Corporativos: Utilize Objetos de Política de Grupo (GPO) ou a sua plataforma de Gestão de Dispositivos Móveis (MDM) para enviar o perfil WiFi. O perfil deve especificar a CA Raiz fidedigna e o nome exato do seu servidor RADIUS para prevenir ataques Evil Twin.
BYOD: Implemente um portal de onboarding ou uma solução MDM para enviar perfis seguros para os funcionários-dispositivos próprios.

Melhores Práticas e Padrões da Indústria

Para garantir uma implementação robusta, siga as seguintes melhores práticas arquitetónicas:

Validação Rigorosa de Certificados: Nunca permita que os clientes aceitem cegamente qualquer certificado de servidor. Este é o principal vetor para a recolha de credenciais PEAP.
Isolar o Tráfego de Convidados: A sua infraestrutura 802.1X destina-se ao acesso corporativo. O tráfego de convidados deve permanecer completamente segregado. Implemente uma plataforma dedicada de Guest WiFi com o seu próprio captive portal e camada de análise. Conforme discutido no nosso guia sobre Proteja a Sua Rede com DNS e Segurança Fortes , a separação lógica é fundamental para a defesa da rede.
Implementar Redundância: O RADIUS é um serviço de caminho crítico. Implemente servidores RADIUS primários e secundários. Em ambientes distribuídos, como grandes cadeias de Retalho , considere proxies RADIUS locais para garantir a continuidade se a ligação WAN cair.

Resolução de Problemas e Mitigação de Riscos

Quando as implementações falham, geralmente deve-se a alguns erros de configuração comuns:

Erros de Tempo Limite do RADIUS: Frequentemente causados por um Shared Secret incompatível entre o AP e o servidor RADIUS, ou por regras de firewall que bloqueiam as portas UDP 1812 (Autenticação) e 1813 (Contabilidade).
Rejeição de Cliente: Verifique os registos de eventos do RADIUS (por exemplo, Windows Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services). Procure o Event ID 6273. As causas comuns incluem certificados de cliente expirados ou o cliente não conseguir confiar na cadeia de certificados do servidor.
Falhas na Atribuição de VLAN: Se a autenticação for bem-sucedida, mas o cliente não obtiver um endereço IP, verifique se a porta do switch conectada ao AP está configurada como uma porta trunk que permite a VLAN atribuída dinamicamente.

ROI e Impacto no Negócio

A implementação de 802.1X gera um ROI operacional e de segurança significativo:

Mitigação de Riscos: Elimina o risco de um único PSK comprometido violar toda a rede corporativa, apoiando diretamente os esforços de conformidade com PCI DSS e GDPR.
Eficiência Operacional: Centraliza o controlo de acesso. Quando um funcionário sai, desativar a sua conta do Active Directory revoga imediatamente o seu acesso WiFi. Não há necessidade de rodar PSKs em toda a empresa.
Visibilidade da Rede: Oferece visibilidade granular sobre exatamente quem está na rede e que dispositivo está a usar, permitindo um melhor planeamento de capacidade e caça a ameaças.

Para ambientes complexos e de alta densidade, como estádios ou locais de Hotelaria , gerir a segurança corporativa juntamente com o acesso de convidados é um desafio. Ao proteger os ativos corporativos com 802.1X e aproveitar uma plataforma robusta de WiFi Analytics para o tráfego de visitantes, os líderes de TI podem fornecer conectividade segura e escalável que serve tanto o negócio quanto os seus clientes. Para obter informações sobre a gestão de ambientes de alta densidade, consulte o nosso WiFi para Jardins Zoológicos e Parques Temáticos: Guia de Conectividade para Locais de Grande Afluência .

GuidesSlugPage.keyDefinitionsTitle

802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

The foundational protocol for enterprise WiFi security, replacing vulnerable shared passwords.

Supplicant

The client device or software application requesting access to the network.

IT teams must manage supplicant configuration via MDM to ensure secure connections.

Authenticator

The network device (Access Point or Switch) that facilitates the authentication process by acting as a proxy between the Supplicant and the Authentication Server.

Configured with the RADIUS server IP and a shared secret to securely forward EAP traffic.

RADIUS

Remote Authentication Dial-In User Service; a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

The backend server (like Microsoft NPS) that actually validates the user's credentials against a directory.

EAP (Extensible Authentication Protocol)

An authentication framework frequently used in wireless networks and point-to-point connections, supporting multiple authentication methods.

The 'language' spoken between the Supplicant and the RADIUS server.

EAP-TLS

An EAP method that uses Transport Layer Security, requiring both server and client-side certificates for mutual authentication.

The most secure method available, often mandated for high-security or classified environments.

PEAP

Protected Extensible Authentication Protocol; encapsulates EAP within an encrypted and authenticated TLS tunnel.

The most widely deployed enterprise method, balancing security with ease of deployment by only requiring a server-side certificate.

Dynamic VLAN Assignment

The process where a RADIUS server instructs the Access Point to place an authenticated user onto a specific VLAN based on their directory group membership.

Crucial for segmenting network traffic (e.g., separating HR, Engineering, and IoT devices) while broadcasting only a single corporate SSID.

GuidesSlugPage.workedExamplesTitle

A 300-room luxury hotel needs to secure its back-of-house operational network (staff tablets, VoIP phones, management laptops) while keeping it entirely separate from the guest network. They currently use a single PSK for staff.

Deploy Microsoft NPS linked to the hotel's existing Active Directory.
Configure PEAP-MSCHAPv2, using a public certificate (e.g., DigiCert) on the NPS server to simplify tablet onboarding.
Create an 802.1X SSID ('Hotel_Ops') on the APs.
Use the hotel's MDM platform to push the 'Hotel_Ops' WiFi profile to all staff tablets and laptops, explicitly configuring the profile to trust the DigiCert root CA and validate the NPS server name.
Maintain the existing open guest SSID, routing it through Purple's captive portal for terms acceptance and analytics, ensuring guest VLANs cannot route to the operational VLANs.

GuidesSlugPage.examinerCommentary This approach balances security with deployment complexity. By using a public certificate on the RADIUS server, the hotel avoids the overhead of deploying a full PKI while still eliminating the shared PSK risk. The strict separation of guest and corporate traffic via VLANs and distinct authentication mechanisms aligns with PCI DSS requirements for the hotel's point-of-sale systems.

A university campus is migrating to 802.1X and needs to support a massive BYOD environment for 15,000 students across various operating systems.

Deploy a robust RADIUS cluster (e.g., FreeRADIUS or Cisco ISE) with load balancing.
Implement PEAP-MSCHAPv2 for broad device compatibility.
Deploy an onboarding portal (e.g., SecureW2) that automatically configures the student's device supplicant to use the correct EAP settings and trust the university's RADIUS server certificate.
Use dynamic VLAN assignment via RADIUS attributes to place students into appropriate subnets based on their campus location to manage broadcast domains.

GuidesSlugPage.examinerCommentary In higher education, BYOD is the primary challenge. Relying on manual configuration by students guarantees high helpdesk ticket volume and insecure configurations (users accepting invalid certificates). The onboarding portal is the critical success factor here, ensuring the supplicant is locked down to prevent credential harvesting.

GuidesSlugPage.practiceQuestionsTitle

Q1. Your organisation is deploying 802.1X using PEAP-MSCHAPv2. During testing, users report they are prompted to 'Accept a Certificate' when connecting for the first time. How should you address this?

GuidesSlugPage.hintPrefixConsider the security implications of allowing users to make trust decisions regarding network infrastructure.

GuidesSlugPage.viewModelAnswer

You must configure the client supplicant profiles (via MDM or Group Policy) to explicitly trust the Root CA that issued the RADIUS server's certificate, and to validate the specific server name. Relying on users to manually accept certificates trains them to ignore security warnings and leaves the network vulnerable to Evil Twin (credential harvesting) attacks.

Q2. You need to secure a fleet of warehouse barcode scanners. They support WPA2-Enterprise but do not have a mechanism to install client certificates or join Active Directory. What is the most secure deployment approach?

GuidesSlugPage.hintPrefixEvaluate the EAP methods that do not require client-side certificates but still provide encrypted authentication.

GuidesSlugPage.viewModelAnswer

Deploy PEAP-MSCHAPv2. Create a dedicated service account in your directory for the scanners. Configure the RADIUS server with a server certificate to establish the TLS tunnel, and configure the scanners to authenticate using the service account credentials inside the tunnel. Ensure the RADIUS policy restricts this service account to a specific, isolated warehouse VLAN.

Q3. After configuring the APs and the RADIUS server, client devices successfully authenticate (verified in RADIUS logs with an Access-Accept), but they fail to receive an IP address and cannot access the network. What is the most likely infrastructure issue?

GuidesSlugPage.hintPrefixAuthentication has succeeded, meaning the 802.1X phase is complete. The issue lies in the subsequent network provisioning phase.

GuidesSlugPage.viewModelAnswer

The most likely issue is a VLAN misconfiguration on the wired network. If the RADIUS server is using dynamic VLAN assignment to place the client on a specific VLAN (e.g., VLAN 20), the switch port connecting the Access Point must be configured as an 802.1Q trunk port that allows VLAN 20. If the VLAN is not trunked to the AP, the client's DHCP requests will be dropped.