IT OT Convergence

802.1X

2 min read

What is 802.1X?

802.1X is a network access control protocol that authenticates devices or users before granting them network access. It is part of the IEEE 802 family of standards and is commonly used in combination with Switches, Wifi and RADIUS servers.

In OT networks, 802.1X is a powerful way to prevent unauthorised access to critical network segments — particularly in mixed IT/OT environments.

🧠 How does 802.1X work?

  1. An end device (the supplicant) attempts to connect to the network through a Switch or wireless access point (the authenticator)
  2. The switch blocks network access until authentication succeeds
  3. The switch forwards the authentication request to a RADIUS server (the authentication server)
  4. After successful authentication, the device is granted network access

802.1X supports authentication based on:

  • Username/password (e.g. EAP-MSCHAPv2)
  • Digital certificates (e.g. EAP-TLS)
  • MAC authentication bypass for devices without 802.1X support

🏭 Use of 802.1X in OT networks

  • Access control for maintenance staff laptops
  • Secure access to OT network segments from engineering stations
  • Port Security via 802.1X on Switches in zones 2 and 3
  • Authentication of devices using certificates or MAC authentication
  • Segmentation by user or device role through VLAN assignment

802.1X is often combined with Zero Trust principles in modern industrial networks.

🔍 802.1X vs. Port security

Aspect 802.1X Port security
Authentication User/identity-based MAC address-based
Security Stronger, with encryption and certificates supported Simple but vulnerable to MAC spoofing
Flexibility Dynamic VLAN assignment possible Static MAC assignment policy
Management Requires RADIUS server and certificate management Configured at switch level
Use in OT For modern and hybrid environments For fixed, static installations

🔐 Security considerations

  • Use EAP-TLS with certificates for the most secure implementation
  • Combine with Firewall, SIEM and Syslog for full visibility
  • Configure fail-closed behaviour: no network access without authentication
  • For non-802.1X devices (such as older PLCs): use MAC authentication bypass
  • Restrict access by role or user using RBAC and VLAN assignment

802.1X significantly improves the security posture of industrial networks — provided it is implemented correctly.

📌 In summary

802.1X provides secure, identity-based network access and is ideal for hybrid IT/OT environments where reliability and security are both essential. It is more capable than Port Security and supports dynamic, context-aware access.

Graph View