5.4.b Endpoint security
Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.
On this page
Endpoints are where users, credentials, and applications meet the network. If endpoint security is weak, the network becomes a fast path for malware, data theft, and lateral movement.
The core idea
Endpoint security answers two practical questions:
- Should this device be allowed on the network?
- What should this device be allowed to reach after it connects?
That can involve identity, posture, device type, user group, endpoint detection, host firewall state, disk encryption, OS patch level, and policy from a system like ISE.
Endpoint on access port
802.1X or MAB → RADIUS (ISE)
permit · deny · quarantine VLANNetwork access controls
Common access methods:
- 802.1X: the endpoint authenticates before normal access is granted.
- MAB: MAC Authentication Bypass for devices that cannot run 802.1X, such as printers or cameras.
- WebAuth: a web portal login, often for guests.
- Posture: checks whether the endpoint meets requirements before full access.
- Quarantine/remediation: limited network access until the endpoint is healthy.
Switchport example
Syntax varies across IOS XE releases and templates. This shows the ideas.
Keep this example as a recognition aid, not a universal deployment template. Modern Catalyst access-session syntax varies by platform, release, and ISE policy model. For ENCOR, the important thing is the flow: 802.1X or MAB authentication, RADIUS authorization, session state, and applied result such as VLAN, dACL, or SGT.
aaa new-model
radius server ISE-RADIUS-1
address ipv4 10.10.30.10 auth-port 1812 acct-port 1813
key 0 SharedSecretHere
aaa group server radius ISE-RADIUS
server name ISE-RADIUS-1
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
dot1x system-auth-control
interface GigabitEthernet1/0/10
description User access port
switchport mode access
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfastWhat it means:
- Try 802.1X first.
- Fall back to MAB for non-802.1X devices.
- Allow multiple authenticated endpoints if needed, such as a phone and PC.
- Ask the AAA/RADIUS system what access policy to apply.
Verification
show authentication sessions
show authentication sessions interface GigabitEthernet1/0/10 details
show dot1x all
show radius statisticsLook for:
- Authentication method used: dot1x or mab.
- Authorization result.
- VLAN, ACL, or SGT assignment.
- Session status.
- Whether the failure is supplicant authentication, RADIUS reachability, authorization policy, or switchport session state.
EDR and posture
Endpoint Detection and Response watches host behavior after the device is on the network. Network access control decides initial or ongoing access. They work best together:
- EDR detects suspicious behavior.
- NAC/ISE can change authorization.
- Network policy contains the endpoint.
- Logs link user, device, IP, and time.
Lab
Goal: Understand endpoint admission and authorization.
Tasks:
- Configure a switch access port for 802.1X with MAB fallback.
- Point the switch at a RADIUS server.
- Connect a test endpoint with valid 802.1X credentials.
- Connect a non-802.1X endpoint and observe MAB behavior.
- Apply different authorization results: normal VLAN, restricted VLAN, downloadable ACL, or SGT if available.
- Verify the session details.
Success criteria:
- 802.1X endpoint receives normal access.
- MAB endpoint receives only the intended access.
- Session details show method, status, and policy.
Exam traps
- MAB is weaker than 802.1X because MAC addresses can be spoofed.
- Endpoint security is not just antivirus.
- Authentication success does not always mean full access; authorization decides the result.
- Posture can change access after the device is identified.