This post explains how to implement 802.1X authentication with a RADIUS back end to enforce authorized wireless access in order to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.16, with practical steps, configuration examples, and small-business scenarios.
\n\nAC.L2-3.1.16 expects organizations to limit wireless access to authorized users and devices — which maps directly to using WPA2/WPA3-Enterprise (802.1X) with a centralized authentication server (RADIUS) and authoritative identity source (e.g., Active Directory, LDAP). The key objectives are: authenticate users and/or devices before granting network access, apply per-user or per-device policy (VLAN, ACLs), log authentication events for auditing, and prevent unauthorized devices from accessing Controlled Unclassified Information (CUI) or sensitive segments.
\n\nDesign choices you must make up front include: which SSIDs map to CUI vs. guest traffic (segmentation), choice of EAP method (EAP-TLS strongly preferred for mutual cert-based auth, EAP-PEAP/MSCHAPv2 as fallback for environments that can't issue device certs), certificate authority (internal AD CS or a managed CA), RADIUS server topology (single server with hot-standby or HA cluster), and how the RADIUS server will reach your identity store (AD, LDAP, or cloud directory). Also decide whether to do machine certs (device authentication), user certs, or both (recommended for higher assurance).
\n\nTypical sequence: (1) Stand up a RADIUS server (Microsoft NPS, FreeRADIUS, or commercial options like Cisco ISE/Duo), (2) Deploy an internal CA or certificate service to issue client and server certs, (3) Configure the RADIUS server to use EAP-TLS (certificate validation chain), or EAP-PEAP if you must, (4) Integrate RADIUS with AD or LDAP for group-based policy, (5) Configure RADIUS accounting and forward logs to your SIEM for audit. For example, on FreeRADIUS you will enable the eap module and point to your server certificate + private key, and require client cert verification (ca_file) for EAP-TLS.
\n\nConfigure each wireless controller/AP and any 802.1X-capable switch to point to the RADIUS servers using strong shared secrets and IP allowlists. Use RADIUS attributes for dynamic VLAN assignment or to apply downloadable ACLs. Example RADIUS attributes for VLAN push: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = \"20\" (VLAN ID). Ensure APs/switches use re-authentication timers (e.g., 3600s) and support fast roaming if required. Also implement a secure fallback for RADIUS unavailability (deny or use restricted guest VLAN), rather than silently allowing open access.
\n\nExample: A 50-person engineering firm using Windows Server AD + NPS and Unifi APs. Steps they took: install AD CS for internal CA, configure NPS with an NPS policy that requires machine or user certificate (EAP-TLS) and checks AD group membership \"CUI-Access\" to allow access to the \"CUI-VLAN\". Unifi APs were configured with primary/secondary NPS IPs and a shared secret. Workstations auto-enrolled for machine certs via Group Policy; mobile devices received user certs through an MDM using SCEP. The firm enabled NPS accounting and forwarded logs to a small SIEM for monthly compliance review. This produced a clear audit trail and allowed immediate revocation of access when an employee left.
\n\nBest practices: prefer EAP-TLS with short-lived client certificates (1 year or less) and automated enrollment; harden your RADIUS servers (patching, host-based firewall, strict ACLs for APs only); enable RADIUS accounting and centralized logging; use certificate revocation checking (CRL/OCSP) on the RADIUS server; protect shared secrets and use TLS-based RADIUS (RadSec) if traversing untrusted networks. Maintain documented procedures for onboarding/offboarding to revoke certificates and AD group membership. Perform periodic penetration tests and wireless scans to detect rogue APs and MAB (MAC-auth bypass) vulnerabilities.
\n\nWithout proper 802.1X enforcement you risk unauthorized devices joining internal wireless networks, lateral movement, data exfiltration, and failure to meet audit requirements for NIST SP 800-171/CMMC. Weak EAP choices (e.g., unprotected MSCHAPv2 without mutual auth), misconfigured RADIUS fallback (open guest on fail), or lack of certificate management can all create exploitable gaps. Non-compliance can lead to failed assessments, lost contracts, and regulatory penalties for organizations handling CUI.
\n\nImplementing 802.1X with a RADIUS back end is a practical, standards-aligned way to meet AC.L2-3.1.16: segment wireless networks, authenticate users and devices, and maintain auditable access records. For small businesses, using AD + NPS or a managed cloud RADIUS with EAP-TLS and automated certificate issuance provides a cost-effective path. Prioritize certificate lifecycle management, logging, and redundancy, and document onboarding/offboarding processes to keep wireless access tightly controlled and auditable for NIST/CMMC compliance.
", "plain_text": "This post explains how to implement 802.1X authentication with a RADIUS back end to enforce authorized wireless access in order to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.16, with practical steps, configuration examples, and small-business scenarios.\n\nUnderstanding AC.L2-3.1.16 and the role of 802.1X + RADIUS\nAC.L2-3.1.16 expects organizations to limit wireless access to authorized users and devices — which maps directly to using WPA2/WPA3-Enterprise (802.1X) with a centralized authentication server (RADIUS) and authoritative identity source (e.g., Active Directory, LDAP). The key objectives are: authenticate users and/or devices before granting network access, apply per-user or per-device policy (VLAN, ACLs), log authentication events for auditing, and prevent unauthorized devices from accessing Controlled Unclassified Information (CUI) or sensitive segments.\n\nDesign and architecture — what to plan before you configure\nDesign choices you must make up front include: which SSIDs map to CUI vs. guest traffic (segmentation), choice of EAP method (EAP-TLS strongly preferred for mutual cert-based auth, EAP-PEAP/MSCHAPv2 as fallback for environments that can't issue device certs), certificate authority (internal AD CS or a managed CA), RADIUS server topology (single server with hot-standby or HA cluster), and how the RADIUS server will reach your identity store (AD, LDAP, or cloud directory). Also decide whether to do machine certs (device authentication), user certs, or both (recommended for higher assurance).\n\nStep-by-step implementation: RADIUS, CA, and EAP configuration\nTypical sequence: (1) Stand up a RADIUS server (Microsoft NPS, FreeRADIUS, or commercial options like Cisco ISE/Duo), (2) Deploy an internal CA or certificate service to issue client and server certs, (3) Configure the RADIUS server to use EAP-TLS (certificate validation chain), or EAP-PEAP if you must, (4) Integrate RADIUS with AD or LDAP for group-based policy, (5) Configure RADIUS accounting and forward logs to your SIEM for audit. For example, on FreeRADIUS you will enable the eap module and point to your server certificate + private key, and require client cert verification (ca_file) for EAP-TLS.\n\nAccess point and switch configuration, VLANs, and policy enforcement\nConfigure each wireless controller/AP and any 802.1X-capable switch to point to the RADIUS servers using strong shared secrets and IP allowlists. Use RADIUS attributes for dynamic VLAN assignment or to apply downloadable ACLs. Example RADIUS attributes for VLAN push: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = \"20\" (VLAN ID). Ensure APs/switches use re-authentication timers (e.g., 3600s) and support fast roaming if required. Also implement a secure fallback for RADIUS unavailability (deny or use restricted guest VLAN), rather than silently allowing open access.\n\nSmall business real-world example\nExample: A 50-person engineering firm using Windows Server AD + NPS and Unifi APs. Steps they took: install AD CS for internal CA, configure NPS with an NPS policy that requires machine or user certificate (EAP-TLS) and checks AD group membership \"CUI-Access\" to allow access to the \"CUI-VLAN\". Unifi APs were configured with primary/secondary NPS IPs and a shared secret. Workstations auto-enrolled for machine certs via Group Policy; mobile devices received user certs through an MDM using SCEP. The firm enabled NPS accounting and forwarded logs to a small SIEM for monthly compliance review. This produced a clear audit trail and allowed immediate revocation of access when an employee left.\n\nCompliance tips, best practices, and operational considerations\nBest practices: prefer EAP-TLS with short-lived client certificates (1 year or less) and automated enrollment; harden your RADIUS servers (patching, host-based firewall, strict ACLs for APs only); enable RADIUS accounting and centralized logging; use certificate revocation checking (CRL/OCSP) on the RADIUS server; protect shared secrets and use TLS-based RADIUS (RadSec) if traversing untrusted networks. Maintain documented procedures for onboarding/offboarding to revoke certificates and AD group membership. Perform periodic penetration tests and wireless scans to detect rogue APs and MAB (MAC-auth bypass) vulnerabilities.\n\nRisks of not implementing 802.1X + RADIUS correctly\nWithout proper 802.1X enforcement you risk unauthorized devices joining internal wireless networks, lateral movement, data exfiltration, and failure to meet audit requirements for NIST SP 800-171/CMMC. Weak EAP choices (e.g., unprotected MSCHAPv2 without mutual auth), misconfigured RADIUS fallback (open guest on fail), or lack of certificate management can all create exploitable gaps. Non-compliance can lead to failed assessments, lost contracts, and regulatory penalties for organizations handling CUI.\n\nSummary\nImplementing 802.1X with a RADIUS back end is a practical, standards-aligned way to meet AC.L2-3.1.16: segment wireless networks, authenticate users and devices, and maintain auditable access records. For small businesses, using AD + NPS or a managed cloud RADIUS with EAP-TLS and automated certificate issuance provides a cost-effective path. Prioritize certificate lifecycle management, logging, and redundancy, and document onboarding/offboarding processes to keep wireless access tightly controlled and auditable for NIST/CMMC compliance." }, "metadata": { "description": "Step-by-step guidance to implement 802.1X with RADIUS (WPA2/WPA3-Enterprise) to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AC.L2-3.1.16 and enforce authorized wireless access.", "permalink": "/how-to-configure-8021x-and-radius-to-enforce-authorized-wireless-access-nist-sp-800-171-rev2-cmmc-20-level-2-control-acl2-3116-implementation.json", "categories": [], "tags": [] } }