Case Study: 802.1X-Based Guest Network for a Wired LAN
26 February 2010

Lawrence Orans

Gartner RAS Core Research Note G00174299

We analyze how a large business implemented 802.1X to keep unmanaged endpoints off its corporate network. Network managers seeking cost-effective authentication solutions may be able to emulate the success of this project and position their networks for broader network access control deployments.


This Case Study outlines how an organization implemented 802.1X in its wired LAN to authenticate managed devices and to direct unmanaged devices to a guest network. Network managers will learn from this case study how to overcome some common operational challenges associated with managing an 802.1X environment.

Key Findings
  • Deploying 802.1X requires integrating multiple components — 802.1X is not a turnkey solution.
  • The cost of deploying an 802.1X solution varies widely, depending on whether your infrastructure is 802.1X-ready or whether you will need to upgrade it to support 802.1X. Some organizations may need to invest in new LAN switches and/or endpoint operating systems to create an 802.1X-ready infrastructure.
  • Maintaining an 802.1X-based LAN does not have to be a labor-intensive effort. In this Case Study, support engineers spend fewer than five hours per month maintaining and troubleshooting the system.
  • Consider 802.1X-based authentication if your network infrastructure and endpoint operating systems have embedded support for this standard. If not, a commercial network access control (NAC) solution may be more cost-effective than an infrastructure upgrade.
  • Carefully test the components of your 802.1X solution in a lab or proof-of-concept environment. Vendor implementations of the standard may vary. Be prepared to tweak configuration settings to achieve interoperability.
  • Develop multiple use cases to deal with operational challenges, such as reimaged endpoints. Also, develop a scalable and automated approach for identifying and supporting non-802.1X endpoints, such as printers, IP phones and security cameras.

What You Need to Know

Enterprises that are considering an 802.1X-based guest network for their wired LAN may need to add supplemental tools and processes to deal with operational challenges. Creating and maintaining an exception list of Media Access Control (MAC) addresses for authenticating non-802.1X endpoints is a common requirement. Granting access to newly reimaged PCs presents different challenges, depending on the Extensible Authentication Protocol (EAP) type in use. There is no such thing as a turnkey 802.1X implementation. Be prepared to integrate tools and procedures to develop a complete guest networking solution.

Case Study


Many network managers seek to gain more control over their networks by requiring users and/or devices to authenticate before gaining access to the wired LAN. 802.1X-based authentication is already a "must do" on wireless LANs. The guest network concept, where guests and visitors are isolated on a separate network and restricted to Internet access only, is common in wireless networks found in public areas (for example, conference rooms and lobby/receptionist areas). Many network managers seek to extend authentication and guest networking to their wired LANs, and this Case Study illustrates how to do so using 802.1X. Here, we analyze the technical and operational challenges of deploying a successful 802.1X-based network.

The Challenge

Business executives at a large software vendor were concerned about intellectual property theft. One of their main fears was that anyone with network access might be able to steal valuable source code and other confidential data. They tasked the network team with adding intelligence to the network, so that it would be able to control access to resources based on a user's role. The network team and the business executives agreed that the first step in this process would be to enable the network to differentiate between employees and guests, and to limit guests to Internet access only.

The organization has more than 50,000 employees worldwide. The initial project began in 2007, with the intent of reaching 10,000 employees spanning 11 locations by 2009.


The network team considered in-band and out-of-band NAC solutions. The in-band offerings, in which access is enforced by dropping/filtering packets, offered the ability to establish granular identity-based policies, but ultimately were deemed too expensive to implement. Because the in-line approach requires deploying NAC appliances in the line of traffic, it is not as cost-effective as the out-of-band approach. 802.1X was selected as the technology for the out-of-band method, because much of the organization's infrastructure was 802.1X-ready. The organization implemented the three components of 802.1X as follows:

  • Supplicant — The network team decided to use the embedded Windows supplicant, because nearly all the organization's PCs (approximately 90% XP SP2 and 10% Vista) already included this capability. They explored third-party supplicants, but passed on them, primarily because of the additional expense of acquiring third-party software and the challenges of deploying additional desktop software. A tool from Cloudpath Networks was selected to automatically configure the Windows 802.1X supplicants. Microsoft's SMS was used to silently install the configuration tool on 68,000 PCs.
  • Authenticator — Cisco switches perform the authenticator function. Approximately 10% of the switches needed firmware upgrades to update their 802.1X support.
  • Authentication server — Cisco's Secure Access Control Server (ACS) product acts as the RADIUS server for authentication. The network manager deployed seven pairs of ACS Servers (version 4.2). The servers were positioned in the U.S., Europe, the Middle East, Africa and Asia/Pacific for high-availability purposes and to balance the load of authenticating a worldwide workforce.

Choosing an EAP type was an important aspect of the project. The network manager chose to implement Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP MS-CHAP v2), because it entails less overhead than other common EAP mechanisms. EAP-Transport Layer Security (EAP-TLS) was rejected as an option because of its public-key infrastructure (PKI) requirements and the need to deploy machine certificates on desktops. PEAP MS-CHAP v2 uses the user's Active Directory user ID and password and does not require changes to Windows PCs or support from the desktop team. One caveat applies: PEAP protects the MS-CHAP v2 exchange only inside a TLS tunnel to the RADIUS server, so the supplicant must be configured to validate the server's certificate; a supplicant that skips that check will complete the MS-CHAP v2 exchange with any rogue authenticator and expose the challenge/response to offline attack. Gartner usually recommends EAP-TLS, because its reliance on certificates ensures a more secure approach to authentication. Many organizations have been able to successfully implement and manage a PKI using the capabilities embedded in Microsoft's Windows Server 2003 or Windows Server 2008.

Several of the organization's endpoint types (for example, printers, videoconference equipment and security cameras) do not support an 802.1X supplicant and cannot participate in the authentication process. For these endpoints, the organization enabled Cisco's MAC Authentication Bypass (MAB), a feature on Catalyst switches. If the switch determines that an endpoint is not participating in the 802.1X process, MAB attempts to authenticate the endpoint based on its MAC address. (Note: To implement MAB, an organization must create and maintain a MAC address database, or "exception list," in Cisco's ACS RADIUS server.) Because a MAC address is easily spoofed, MAB should be treated as identification rather than authentication: ports authorized through MAB are best confined to a VLAN and access control list scoped to what that device class actually needs.

To take an inventory of its LAN switches and their firmware levels, the network team used an internally developed asset management tool and the CiscoWorks Network Compliance Manager. These tools helped the network team to discover approximately 9,000 unmanaged switches (with no 802.1X support) that had been deployed throughout the organization's global network. Most of these were eight-port switches that had been purchased by developer teams to create ad hoc networks in conference rooms and cubicles. The network team wants to discourage this type of behavior, because it can lead to network instability, and it may enable users to bypass the authentication process (see Note 1).

To prevent the ad hoc addition of unmanaged switches to the corporate LAN, the network team implemented a feature that requires a Cisco switch to authenticate before it connects to another Cisco switch. The feature is known as Network Edge Access Topology (NEAT), and it works by enabling an 802.1X supplicant on the connecting switch. As part of an ongoing LAN switch refresh project that is being funded from a separate budget, the 9,000 unmanaged switches are being phased out and are being replaced with Cisco NEAT-capable switches. Gartner notes that widespread deployment of NEAT will enhance LAN security, but may also lead to being locked in to an all-Cisco infrastructure. In theory, any switch with an 802.1X supplicant should be able to authenticate to a NEAT-enabled Cisco switch, but due to a lack of interoperability testing, Gartner cautions against this implementation. A standards-based approach to switch-to-switch authentication is part of the Institute of Electrical and Electronics Engineers (IEEE) 802.1X-2010 specification (see Note 2). Gartner estimates that 802.1X-2010 will become widely available on LAN switches by 2011 (via firmware upgrades), which will give organizations the flexibility to authenticate switch-to-switch connections in a heterogeneous LAN environment.

  • 802.1X authentication works well. The end-user sign-in process is unchanged, and 802.1X hasn't added a noticeable login delay. The typical user is unaware of the 802.1X implementation.
  • Gartner estimates that the cost of the 14 Cisco ACS servers and the supplicant autoconfiguration tool was approximately $130,000 (after discounts).
  • The project team enabled 20,000 switch ports with 802.1X and configured 10,000 PCs with 802.1X supplicants across 11 sites. The project team was composed of six IT staffers divided equally among regional centers in North America, Europe and Asia/Pacific. In each region, one person focused on desktop/supplicant issues, and the other person was responsible for ACS and Catalyst switch configuration. The project team worked on a part-time basis — no one was dedicated to the project. The team also spent one to two days at each of the 11 sites training IT staff at remote offices to perform basic troubleshooting.
  • Now that the solution is in place, support engineers spend fewer than five hours per month maintaining the system (including keeping the exception list of MAC addresses up to date) and troubleshooting failed logins.
  • As part of an effort to reduce expenses, the wired and wireless RADIUS servers are being consolidated. The network team had been concerned about the load that would be placed on the Cisco ACS servers, and it initially chose to implement servers dedicated to wired LAN authentication. After studying the utilization of these authentication servers, the network team determined that dedicated servers were no longer necessary.
  • The network team has begun to implement the second phase of the 802.1X project. The team is using a combination of virtual LAN segmentation and access control lists (ACLs) on switch ports to enforce basic identity-based policies. In this phase, the network recognizes three roles (guests, engineering employees and nonengineering employees), and directs traffic according to user-based authorization and access policies.
  • In 2011, the company plans to evaluate network solutions that would enable it to manage and enforce more-granular identity-aware networking policies. Its goal is to improve its ability to monitor and control user activity on the network.

Critical Success Factors
  • Proof of concept — The organization conducted an extensive proof of concept before deployment. Scenarios were tested in the lab, and the organization learned that it needed to adjust timers in the switch configuration. The solution was piloted in a small number of switches before expanding the deployment.
  • Automated log analysis — Once the project was implemented, the network team relied heavily on log analysis for troubleshooting. Every day, the team generated a report (based on internally developed scripts) that automatically analyzed Cisco ACS syslogs and Catalyst switch logs to determine which users failed authentication and why. (The internal script used the Unix grep command to search for text strings in the logs.) Because the organization is a software development house, it had the internal resources and expertise to write the scripts. Most organizations are unable or unwilling to develop custom log processing scripts, and the lack of troubleshooting tools has been an obstacle to 802.1X scalability and adoption. Cisco has released some log analysis capabilities in ACS version 5.1, and Gartner anticipates that other vendors will add troubleshooting features to their solutions in 2010.
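As an added illustration of the kind of daily report described above, the following Python script is example code written for this page, not the organization's internal script. The log lines it parses are a constructed stand-in (a timestamp, the RADIUS host, a result tag, then key=value fields) rather than the actual Cisco ACS syslog format, and the field names (user, nas-ip, port, method, reason) are assumptions. It groups failed authentications by user and reason, marks repeated failures, and separates out MAB rejects for unknown MAC addresses, which are the usual sign of an endpoint missing from the exception list:

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (NOT real Cisco ACS syslog output): a timestamp,
# the RADIUS host, a result tag, then key=value fields. The field names
# (user, nas-ip, port, method, reason) are assumptions for this example.
SAMPLE_LOG = """\
Feb 25 08:01:12 acs-us-1 CSRadius: Passed-Authentication user=jdoe nas-ip=10.1.2.3 port=Gi1/0/7 method=PEAP-MSCHAPv2
Feb 25 08:01:40 acs-us-1 CSRadius: Failed-Attempt user=asmith nas-ip=10.1.2.3 port=Gi1/0/8 method=PEAP-MSCHAPv2 reason="Invalid password"
Feb 25 08:02:05 acs-us-1 CSRadius: Failed-Attempt user=asmith nas-ip=10.1.2.3 port=Gi1/0/8 method=PEAP-MSCHAPv2 reason="Invalid password"
Feb 25 08:03:17 acs-us-1 CSRadius: Failed-Attempt user=00-1A-2B-3C-4D-5E nas-ip=10.1.2.3 port=Gi1/0/12 method=MAB reason="Unknown user"
Feb 25 08:04:50 acs-us-1 CSRadius: Failed-Attempt user=host/PC-4471 nas-ip=10.1.7.9 port=Gi2/0/3 method=PEAP-MSCHAPv2 reason="EAP session timed out"
Feb 25 08:05:02 acs-us-1 CSRadius: Passed-Authentication user=bwong nas-ip=10.1.7.9 port=Gi2/0/4 method=PEAP-MSCHAPv2
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) CSRadius: "
    r"(?P<result>Passed-Authentication|Failed-Attempt) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of fields for one RADIUS result line, or None for anything else."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["ts"] = m.group("ts")
    rec["host"] = m.group("host")
    rec["result"] = m.group("result")
    return rec


def normalize_mac(text):
    """Canonicalise 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e, etc. to 00:1a:2b:3c:4d:5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def summarize(log_text):
    """Group failures by user and reason; collect MAB rejects as exception-list candidates."""
    failures = defaultdict(Counter)
    mab_candidates = set()
    passed = failed = 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # not a RADIUS result line (e.g. a switch link message)
        if rec["result"] == "Passed-Authentication":
            passed += 1
            continue
        failed += 1
        user = rec.get("user", "<none>")
        reason = rec.get("reason", "unspecified")
        failures[user][reason] += 1
        # A MAB reject means the switch saw a non-802.1X endpoint whose MAC
        # is not in the exception list: either add it or investigate it.
        if rec.get("method") == "MAB":
            mac = normalize_mac(user)
            if mac:
                mab_candidates.add(mac)
    return {
        "passed": passed,
        "failed": failed,
        "failures": {u: dict(c) for u, c in failures.items()},
        "mab_candidates": sorted(mab_candidates),
    }


def report(summary):
    """Render the daily summary as plain text, one line per user/reason pair."""
    lines = [f"passed={summary['passed']} failed={summary['failed']}"]
    for user, reasons in sorted(summary["failures"].items()):
        for reason, n in sorted(reasons.items()):
            flag = " (repeated: check for lockout or stale cached credentials)" if n > 1 else ""
            lines.append(f"  {user}: {reason} x{n}{flag}")
    for mac in summary["mab_candidates"]:
        lines.append(f"  MAB reject for {mac}: not in exception list")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Lines that do not carry a RADIUS result (switch link-state messages, for instance) are skipped rather than counted, so the same script can be pointed at a combined syslog feed; the regexes are the only part that would need changing for a real log format.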

Lessons Learned
  • Automation and scalability — The network team could have used a more automated process to help accelerate and scale the implementation. One of the most challenging aspects was populating the database of MAC addresses used for the MAB function. For example, the network team needed to rely on the printer team for a list of printer MAC addresses, and it also had to search the content addressable memory (CAM) tables, that is, the MAC address tables, of its LAN switches. The network team will evaluate Cisco's network profiling solution, because it automatically discovers and categorizes endpoints (for example, printer, IP phone and security camera). Note: Bradford Networks and Great Bay Software (the OEM provider to Cisco) also offer network profiling solutions.
  • Reimaged endpoints — Endpoints at remote locations (without on-site support personnel) that need to be reimaged presented a challenge to the support team. Before Windows is reinstalled, the PC boots from its basic input/output system (BIOS) into the Preboot Execution Environment (PXE). Because the BIOS and PXE environment lack an 802.1X supplicant, the PC cannot authenticate and so cannot reach the imaging server. To work around this issue, the organization is developing custom code to integrate its PXE imaging portal with an external Lightweight Directory Access Protocol (LDAP) server, so that a PC scheduled for reimaging is granted a temporary MAC authentication bypass entry for the duration of the rebuild.
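The MAB exception-list work described in this Case Study (the "Automation and scalability" lesson above and the MAB discussion earlier) can be partly scripted. The following Python is an added example written for this page, not the organization's tooling: it parses constructed "show mac address-table" output, drops MACs that have already passed 802.1X, flags any access port showing more than one learned MAC (the hub or unmanaged-switch pattern of Note 1) for review instead of whitelisting it, and tags the remaining candidates with a device class from a placeholder OUI map. The OUI prefixes, the set of authenticated MACs and the table contents are all assumptions; the output format is generic rather than the import format of any particular RADIUS server.

```python
import re
from collections import defaultdict

# Constructed output in the general shape of "show mac address-table" on a
# Catalyst switch; the addresses and ports are made up for this example.
SAMPLE_CAM = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/12
  20    00aa.bb00.1122    DYNAMIC     Gi1/0/15
  10    0050.56ab.cdef    DYNAMIC     Gi1/0/24
  10    0011.2233.4466    DYNAMIC     Gi1/0/24
 All    0100.0ccc.cccc    STATIC      CPU
"""

# MACs already seen passing 802.1X (in practice, taken from the RADIUS
# server's passed-authentication log). Constructed for this example.
AUTHENTICATED_MACS = {"00:11:22:33:44:55"}

# Placeholder OUI-to-device-class map. These prefixes are NOT real IEEE
# assignments; a production script would consult the IEEE OUI registry
# or hand the list to a profiling tool.
OUI_CLASSES = {"00:1a:2b": "printer", "00:aa:bb": "ip-camera"}

CAM_RE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(text):
    """Canonicalise 001a.2b3c.4d5e, 00-1A-2B-3C-4D-5E, etc. to 00:1a:2b:3c:4d:5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_cam(cam_text):
    """Parse MAC-table rows into dicts; header and separator lines are skipped."""
    entries = []
    for line in cam_text.splitlines():
        m = CAM_RE.match(line)
        if m:
            entries.append({
                "vlan": m.group("vlan"),
                "mac": normalize_mac(m.group("mac")),
                "type": m.group("type").upper(),
                "port": m.group("port"),
            })
    return entries


def build_mab_candidates(cam_text, authenticated_macs, oui_classes):
    """Return (candidates, flagged_ports).

    candidates:    dynamically learned MACs that never passed 802.1X, one per
                   access port, tagged with a device class for the owning team.
    flagged_ports: ports carrying more than one learned MAC, which usually
                   means a hub or unmanaged switch (see Note 1); these are
                   reported for investigation, not added to the exception list.
    """
    learned = [e for e in parse_cam(cam_text)
               if e["type"] == "DYNAMIC" and e["port"].upper() != "CPU"]
    by_port = defaultdict(list)
    for e in learned:
        by_port[e["port"]].append(e)

    candidates, flagged_ports = [], []
    for port, port_entries in sorted(by_port.items()):
        if len(port_entries) > 1:
            flagged_ports.append(port)
            continue
        e = port_entries[0]
        if e["mac"] in authenticated_macs:
            continue  # has a working supplicant; no exception needed
        candidates.append({
            "mac": e["mac"],
            "port": port,
            "vlan": e["vlan"],
            "class": oui_classes.get(e["mac"][:8], "unknown"),
        })
    return candidates, flagged_ports


if __name__ == "__main__":
    cands, flagged = build_mab_candidates(SAMPLE_CAM, AUTHENTICATED_MACS, OUI_CLASSES)
    for c in cands:
        print(f"{c['mac']},{c['vlan']},{c['port']},{c['class']}")
    for p in flagged:
        print(f"# {p}: multiple MACs learned, review before whitelisting")
```

The "one MAC per port" rule is deliberately conservative: a port with several learned addresses is exactly the case in which a blanket MAB entry would let every device behind an unmanaged switch onto the network, so the script reports it and leaves the decision to a person.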

© 2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

Note 1
Bypassing Authentication

Unmanaged switches that are not 802.1X-ready may enable a user to bypass authentication on an 802.1X-managed switch. When an unmanaged switch is connected to an 802.1X-enabled port on an upstream switch, some switches will authenticate only the first endpoint behind the unmanaged switch and will then allow unauthenticated access to all subsequent endpoints. This scenario can be prevented if the managed switch port is able to authenticate multiple 802.1X endpoints. Cisco and other enterprise-class LAN switch vendors support this capability on their switches. Note that per-endpoint authentication on a shared port still binds authorization only to the MAC address: a device behind the same unmanaged switch that adopts an already-authenticated endpoint's MAC address is indistinguishable to the port, which is one reason for the per-frame protection provided by 802.1AE (see Note 2).

Note 2
IEEE 802.1X-2010

802.1X-2010 is an updated version of the 802.1X-2004 specification. In addition to providing a standards-based approach to switch-to-switch authentication, it provides the cryptographic key agreement mechanisms for securing communications via the IEEE 802.1AE standard (also known as MACSec, which is short for MAC security). 802.1AE (ratified in August 2006) was designed to secure data as it traverses Ethernet LANs. For example, by using 802.1AE at the access layer and at the core, organizations can encrypt links between the switches, thereby protecting data as it flows through the network. The link encryption may be enabled or disabled on a per-hop basis. When used for switch-to-switch authentication, 802.1X-2010 does not require 802.1AE. However, to use the link encryption standardized by 802.1AE, 802.1X-2010 is required for key management purposes.