How does 802.1X authentication work with WPA2/WPA3-Enterprise?

• A. The AP automatically grants access after a password is entered on the client.
• B. RADIUS is used only for guest networks.
• C. 802.1X bypasses any server authentication.
• D. A supplicant connects to an AP (authenticator) which forwards credentials to a RADIUS server for authentication; successful auth grants access.

Answer: (D)

802.1X with WPA2/WPA3-Enterprise relies on port-based access control where the AP acts as the authenticator and the user’s device (the supplicant) must be authenticated by an authentication server, typically via RADIUS. The supplicant starts the process, the AP forwards the EAP messages to the RADIUS server, and the server validates the credentials (such as a per-user username/password or certificate). If the RADIUS server approves, the AP allows the device to access the network and both parties derive encryption keys for the wireless session. This setup uses user-based credentials rather than a shared pre‑shared key, and keys are established only after successful authentication.

RADIUS is not limited to guest networks, and 802.1X involves server authentication as part of the EAP exchange (often with mutual authentication in many EAP methods). It is also not a simple automatic grant after a password on the client, since the decision is made by the authentication server after validating the credentials.