Network Access Control

Body of Knowledge

Topic | Description | Relevance | Career Tracks
--- | --- | --- | ---
802.1X Fundamentals | Port-based NAC standard, supplicant/authenticator/server roles, EAP methods, RADIUS as backend, wired vs wireless differences. | Critical | Network Engineer, Security Engineer, IAM Engineer
EAP-TLS | Certificate-based authentication, mutual TLS, PKI requirements, machine vs user certs, supplicant configuration, troubleshooting. | Critical | Security Engineer, IAM Engineer, PKI Administrator
PEAP/EAP-MSCHAPv2 | Password-based 802.1X, server certificate validation, inner/outer identity, AD integration, migration strategies to EAP-TLS. | High | Network Engineer, Security Engineer
MAB (MAC Authentication Bypass) | Fallback for non-supplicant devices, MAC address whitelisting, profiling integration, security considerations, policy sets. | High | Network Engineer, Security Engineer
Cisco ISE | Identity Services Engine, policy sets, authentication/authorization policies, profiling, posture, guest services, TrustSec. | High | Security Engineer (Cisco), Network Engineer
Downloadable ACLs (dACL) | Dynamic per-session ACLs via RADIUS, ISE policy enforcement, pre-auth vs post-auth ACLs, named ACLs, troubleshooting. | High | Security Engineer, Network Engineer
SGT/TrustSec | Security Group Tags for micro-segmentation, SGACL enforcement, SXP propagation, inline tagging, policy matrix design. | Medium | Security Engineer (Cisco), Network Architect
Posture Assessment | Endpoint compliance checking, OS version, antivirus, patches, remediation actions, AnyConnect ISE Posture module. | High | Security Engineer, Endpoint Security
Identity PSK (iPSK) | Per-device pre-shared keys, ISE integration, IoT device onboarding, BYOD segments, key rotation strategies. | Medium | Wireless Engineer, IoT Security
Guest Access | Sponsored vs self-registration, captive portals, time-limited access, bandwidth controls, acceptable use policies. | High | Network Engineer, Security Engineer
Device Profiling | Endpoint classification, DHCP fingerprinting, HTTP user-agent, CDP/LLDP, profiler policies, feed updates, custom profiles. | High | Security Engineer, Network Engineer
Certificate-Based Device Onboarding | SCEP, EST, certificate templates, MDM integration, device identity certificates, automated enrollment workflows. | Medium | Security Engineer, PKI Administrator

Personal Status

Topic | Level | Evidence | Active Projects | Gaps
--- | --- | --- | --- | ---
802.1X Authentication | Expert | Full EAP-TLS deployment — supplicant config (wpa_supplicant), RADIUS server (ISE), authenticator (Catalyst switches); debugged authentication failures at packet level | 802.1X Linux, Case Studies & Change Control | No EAP-FAST, no EAP chaining, no MACsec (802.1AE)
Downloadable ACL Enforcement | Advanced | Downloadable ACLs pushed via RADIUS from ISE to Catalyst switches; per-user and per-group policy enforcement; tested fail-open/fail-closed scenarios | 802.1X Linux | No SGT/TrustSec micro-segmentation at scale
Posture Assessment | Intermediate | ISE posture policies — compliance checks for OS version, AV status, patch level; configured posture conditions and remediation actions | ISE Policy | No MDM integration, no continuous posture re-assessment
Identity PSK (iPSK) | Advanced | ISE identity pre-shared key for IoT/BYOD segments at CHLA; automated iPSK rotation discussions; understand the authentication flow | ISE Policy | No iPSK at scale (1000+ devices), no automated lifecycle management