Introduction
802.1x Port-based Network Access Control (PNAC) with Simple Certificate Enrollment Protocol (SCEP) support enables edge nodes to authenticate with enterprise networks using certificate-based identity before being granted full network access. This allows organizations to meet enterprise security requirements when deploying edge nodes in factory and corporate environments.
How It Works
When an edge node connects to a network port with 802.1x enabled, the switch requires the device to authenticate before granting access to production network traffic. EVE-OS supports EAP-TLS (Extensible Authentication Protocol with Transport Layer Security) as the authentication method, which uses X.509 digital certificates to prove device identity to the network.
End-to-end authentication workflow
The following sequence describes the complete flow from first boot through authenticated network access:
- The edge node sends a DHCP request that includes the vendor class identifier LFEDGE-EVE (DHCP Option 60). This identifies the device as an EVE-OS node to the network infrastructure.
- The switch places the port in a non-authenticated bootstrap VLAN. Because the switch or DHCP server recognizes the LFEDGE-EVE vendor class identifier, it allows the device to reach Edge Infrastructure Services and the SCEP server from this restricted VLAN. Note that the vendor class identifier is asserted by the client and is not authenticated, so the bootstrap VLAN should permit reachability to only those enrollment endpoints.
- EVE-OS fetches its network and SCEP configuration from Edge Infrastructure Services, then follows the configured enrollment profile to request a certificate — either by communicating directly with the SCEP server, or through a controller-provided SCEP proxy.
- EVE-OS uses the enrolled certificate to authenticate the port via 802.1x EAP-TLS. The switch acts as the authenticator and relays the EAP exchange to the RADIUS server, which validates the device certificate against its trusted CA; on a RADIUS Access-Accept, the switch moves the port to the authenticated VLAN.
- After a configurable delay (default 5 seconds), EVE-OS sends a new DHCP request to obtain an IP address from the authenticated VLAN's address range.
EVE-OS publishes the port authentication status, enrolled certificate details, and EAPOL metrics to Edge Infrastructure Services after each step.
Certificate bootstrapping
The first challenge in a certificate-based authentication model is getting the initial certificate onto a device that has not yet been provisioned. EVE-OS solves this through a quarantine VLAN approach:
- When an edge node first connects and has no certificate, the 802.1x authentication fails and the PNAC backend places the device in a temporary quarantine VLAN.
- EVE-OS includes the LFEDGE-EVE vendor class identifier in its DHCP discovery packets, allowing the PNAC backend to identify the device type and route it to an onboarding VLAN.
- From the onboarding VLAN, the edge node connects to Edge Infrastructure Services and completes device onboarding.
- As part of onboarding, Edge Infrastructure Services acts as the SCEP client on behalf of the device. The device generates a private/public key pair and a Certificate Signing Request (CSR) locally, keeping the private key on the device. Edge Infrastructure Services submits this CSR to the configured SCEP server.
- After the SCEP server issues a signed certificate, it is deployed to the edge node.
- With the certificate installed, EVE-OS re-authenticates to the network using 802.1x and EAP-TLS, and the switch moves the port to the production VLAN.
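The two sequences above (the end-to-end workflow and the certificate bootstrapping flow) can be modelled as a small state machine. The following is an added example, not EVE-OS or Edge Infrastructure Services code: it simulates the decisions the PNAC backend makes (switch, DHCP server and RADIUS taken together) for a port, including the DHCP Option 60 encoding and parsing. Only the LFEDGE-EVE vendor class and the VLAN roles come from this page; the VLAN IDs, function names and certificate records are constructed for the example.

```python
# Added example, not EVE-OS or Edge Infrastructure Services code: a simulation
# of the bootstrap sequence as seen from the PNAC backend. Only the LFEDGE-EVE
# vendor class and the VLAN roles come from the page; VLAN IDs, function names
# and the certificate records are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

QUARANTINE_VLAN = 999   # assumed ID: 802.1x failed, client not recognised
ONBOARDING_VLAN = 100   # assumed ID: reaches only EIS and the SCEP server
PRODUCTION_VLAN = 10    # assumed ID: authenticated traffic
EVE_VENDOR_CLASS = b"LFEDGE-EVE"   # DHCP option 60 value sent by EVE-OS


def build_option60(vendor_class: bytes) -> bytes:
    """Encode DHCP option 60 (vendor class identifier) as code/length/value."""
    if not 0 < len(vendor_class) <= 255:
        raise ValueError("vendor class identifier must be 1..255 bytes")
    return bytes([60, len(vendor_class)]) + vendor_class


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the DHCP options field (after the magic cookie) into {code: value}.
    Option 0 is padding and 255 ends the list; truncated options are rejected."""
    parsed, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        parsed[code] = value
        i += 2 + length
    return parsed


@dataclass(frozen=True)
class DeviceCert:
    """Constructed stand-in for the enrolled X.509 device certificate."""
    subject: str
    not_before: datetime
    not_after: datetime


def eap_tls_accepts(cert: Optional[DeviceCert], now: datetime) -> bool:
    """RADIUS decision for EAP-TLS: a missing, not-yet-valid or expired
    certificate is rejected (chain and revocation checks are omitted here)."""
    return cert is not None and cert.not_before <= now < cert.not_after


def port_vlan_after_auth(cert: Optional[DeviceCert], now: datetime) -> int:
    """Switch decision: production VLAN on Access-Accept, else quarantine."""
    return PRODUCTION_VLAN if eap_tls_accepts(cert, now) else QUARANTINE_VLAN


def vlan_for_dhcp(current_vlan: int, dhcp_options: bytes) -> int:
    """DHCP-side decision: a quarantined port whose DHCPDISCOVER carries the
    LFEDGE-EVE vendor class is moved to the onboarding VLAN. Option 60 is a
    client-asserted string, so the onboarding VLAN itself must only permit
    reachability to Edge Infrastructure Services and the SCEP server."""
    if current_vlan != QUARANTINE_VLAN:
        return current_vlan
    if parse_dhcp_options(dhcp_options).get(60) == EVE_VENDOR_CLASS:
        return ONBOARDING_VLAN
    return QUARANTINE_VLAN


def enroll(subject: str, now: datetime, validity_days: int = 365) -> DeviceCert:
    """Stand-in for enrollment: in the real flow the device generates the key
    pair and CSR, EIS submits the CSR over SCEP and the private key never
    leaves the node. Only the resulting validity window is modelled here."""
    return DeviceCert(subject, now, now + timedelta(days=validity_days))


def bootstrap(subject: str, now: datetime, cert: Optional[DeviceCert] = None,
              vendor_class: bytes = EVE_VENDOR_CLASS) -> List[Tuple[str, int]]:
    """Run the sequence from the page and return the VLAN after each step."""
    # Constructed DHCPDISCOVER options: message type (53) = 1, option 60, end.
    discover = b"\x35\x01\x01" + build_option60(vendor_class) + b"\xff"
    trail = [("802.1x", port_vlan_after_auth(cert, now))]
    if trail[-1][1] == PRODUCTION_VLAN:
        return trail                         # valid certificate: done
    vlan = vlan_for_dhcp(trail[-1][1], discover)
    trail.append(("dhcp-option60", vlan))
    if vlan != ONBOARDING_VLAN:
        return trail                         # unknown client stays quarantined
    cert = enroll(subject, now)              # onboarding + SCEP via EIS
    trail.append(("scep-enroll", vlan))
    trail.append(("802.1x", port_vlan_after_auth(cert, now)))
    return trail
```

Calling `bootstrap("edge-node-01", now)` with no certificate yields quarantine, then onboarding, then production; an expired certificate takes the same path, and a client that presents a different Option 60 value stays quarantined. The useful check for a deployment is the one in `vlan_for_dhcp`: because the vendor class is trivially spoofable, the onboarding VLAN's reachability, not the Option 60 match, is what bounds what an unenrolled device can touch.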
Certificate renewal
Edge Infrastructure Services continuously monitors certificate expiration and renewal dates on all managed edge nodes. When a certificate enters its renewal window, Edge Infrastructure Services automatically triggers a renewal request. The device generates a new key pair and CSR, signs the renewal request with the existing certificate's private key (so the SCEP server can tie the request to the already-enrolled identity), and submits it to the SCEP server. The renewal window is configurable as a percentage of the certificate's total validity period. For example, with a one-year certificate and a renewal window of 80%, renewal begins roughly 292 days after issuance, leaving about 73 days for retries before the certificate expires.
Expired certificate recovery
If an edge node comes back online with an expired certificate (for example, a device that was offline for an extended period), it cannot pass 802.1x authentication: the RADIUS server rejects the expired certificate during EAP-TLS and the PNAC backend places the device back in the quarantine VLAN. From there the LFEDGE-EVE vendor class identifier routes it to the onboarding VLAN as during initial bootstrapping. Edge Infrastructure Services detects the expired certificate and initiates a new enrollment flow to issue a fresh certificate, after which the device re-authenticates to the production network.
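The renewal-window arithmetic and the expired-certificate case are easy to get subtly wrong (checking the renewal window before checking expiry sends a long-offline device down the wrong path). The following is an added example, not Edge Infrastructure Services code: it computes the renewal start from the configured percentage and makes the per-node decision described in the two sections above. The node names, validity dates, the renewal percentage and the "clock skew" state for a not-yet-valid certificate are constructed for this example.

```python
# Added example, not Edge Infrastructure Services code: renewal-window
# arithmetic plus the per-node decision (renew, re-enroll, or nothing).
# Node names, dates, the percentage and the clock-skew state are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Iterable, Optional


class Action(Enum):
    NONE = "none"              # valid, renewal window not yet open
    RENEW = "renew"            # SCEP renewal: new key + CSR, signed with the current key
    REENROLL = "reenroll"      # expired: node is back in quarantine, fresh enrollment
    CLOCK_SKEW = "clock-skew"  # not yet valid (constructed state): report, don't enroll


@dataclass(frozen=True)
class NodeCert:
    node: str
    not_before: datetime
    not_after: datetime


def renewal_start(cert: NodeCert, renew_pct: float) -> datetime:
    """Instant at which renew_pct % of the total validity period has elapsed."""
    if not 0 < renew_pct < 100:
        raise ValueError("renewal percentage must be strictly between 0 and 100")
    validity = cert.not_after - cert.not_before
    if validity <= timedelta(0):
        raise ValueError("not_after must be later than not_before")
    return cert.not_before + validity * (renew_pct / 100)


def decide(cert: NodeCert, now: datetime, renew_pct: float) -> Action:
    """Expiry is checked before the renewal window: a node that was offline
    past not_after cannot use a renewal, because the certificate it would
    sign the request with no longer authenticates, so it must re-enroll."""
    if now < cert.not_before:
        return Action.CLOCK_SKEW
    if now >= cert.not_after:
        return Action.REENROLL
    if now >= renewal_start(cert, renew_pct):
        return Action.RENEW
    return Action.NONE


def sweep(fleet: Iterable[NodeCert], now: datetime, renew_pct: float) -> Dict[str, Action]:
    """One controller pass over the fleet, keyed by node name."""
    return {c.node: decide(c, now, renew_pct) for c in fleet}


def next_wakeup(fleet: Iterable[NodeCert], now: datetime,
                renew_pct: float) -> Optional[datetime]:
    """Earliest future instant at which some node's action would change, so a
    scheduler can sleep until then instead of polling the whole fleet."""
    edges = []
    for c in fleet:
        for t in (c.not_before, renewal_start(c, renew_pct), c.not_after):
            if t > now:
                edges.append(t)
    return min(edges) if edges else None
```

With a 10-day certificate and an 80% window, `renewal_start` falls on day 8; `decide` returns `RENEW` from that instant until `not_after`, and `REENROLL` from `not_after` on, which is the path the quarantine VLAN recovery above relies on.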
Per-port configuration
You can designate individual Ethernet ports and Wi-Fi interfaces as 802.1x-eligible at the network adapter level. 802.1x eligibility is configured per interface and activated at the project level, so you can maintain separate configurations for staging and production environments. A single device certificate is shared across all 802.1x-enabled ports on the device. Cellular interfaces do not support 802.1x authentication.
Key Benefits
- Meets enterprise security requirements. Edge nodes authenticate to the network using certificate-based identity, satisfying 802.1x enforcement policies required by enterprise and factory environments.
- Automates certificate lifecycle management. Edge Infrastructure Services handles initial certificate acquisition, proactive renewal, and expired certificate recovery without manual intervention, even across large fleets of edge nodes.
- Simplifies CA integration. Edge Infrastructure Services acts as the SCEP client for all managed devices, so your Certificate Authority only needs to allow access from a single endpoint rather than from every individual edge node.
- Supports environment-based policy control. 802.1x authentication is enabled at the project level, allowing you to enforce authentication in production while keeping it disabled in lab or staging environments.
Next Steps
This is a series of articles. You will likely follow them in this order: