Every device that connects to a banking network is a potential entry point for attackers. According to the IBM Cost of a Data Breach Report 2023, the average cost of a breach in the financial sector exceeded $5.9 million, the second highest of any industry. Port-based network access control using 802.1X authentication is one of the most effective, standards-based defenses banks deploy to close that risk.
This guide explains how 802.1X and MAC Authentication Bypass (MAB) work together in BFSI (Banking, Financial Services, and Insurance) environments, when to use each method, and how to implement them for RBI compliance.
802.1X is an IEEE standard for port-based network access control (NAC) that authenticates devices and users before permitting ordinary network traffic through a switch port or wireless access point. Unlike traditional network designs where any plugged-in device gets full access, 802.1X holds every connection in a restricted "pre-authentication" state until identity is verified.
The standard was originally defined for wired Ethernet but applies equally to Wi-Fi (WPA2/WPA3-Enterprise). In a BFSI context, it is the primary mechanism for ensuring that only authorized, policy-compliant devices reach core banking systems, payment gateways, and cardholder data environments.
Key components:
802.1X defines three roles that work together to authenticate every network connection before traffic is allowed to flow.
1. Supplicant: the client device (laptop, teller workstation, mobile device) that presents credentials to gain access.
2. Authenticator: the network device (managed switch or wireless access point) that controls the port. It blocks all traffic except EAPOL frames until authentication succeeds.
3. Authentication Server: typically a RADIUS server (e.g., Cisco ISE, Aruba ClearPass, FreeRADIUS) that validates the supplicant's credentials and instructs the authenticator to open or block the port.
EAP-TLS is the gold standard for banking networks because it requires a certificate on both the server and the client, eliminating password-based attacks and aligning with Zero Trust principles.
MAC Authentication Bypass (MAB) authenticates a device using its hardware MAC address as a credential when the device cannot perform 802.1X. The switch sends the MAC address to the RADIUS server, which either permits or denies access based on a pre-registered list.
MAB is designed for non-EAP devices that cannot run a supplicant: ATMs, IP phones, network printers, security cameras, and legacy kiosks.
Because its only credential is a MAC address, which can be spoofed, MAB should always be treated as a controlled exception in BFSI environments, not a primary authentication strategy.
Banks and financial institutions face a unique threat environment: targeted attacks on core banking systems, strict regulatory requirements, and high-value data that makes every uncontrolled network port a liability.
Zero Trust enablement: 802.1X supports Zero Trust by verifying identity before granting access, assigning least-privilege VLANs or ACLs per role, and enabling dynamic policy changes via CoA when device posture changes (e.g., failed endpoint health check).
Auditability: Every RADIUS Accept/Reject generates a log entry with device identity, timestamp, assigned VLAN, and applied policy, creating the audit trail required by examiners and internal security teams.
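As an added example (not code from this page or from IO by HFCL), the Python script below shows the kind of check that audit trail enables and that the MAB caveat above calls for: it parses constructed RADIUS authentication log lines and flags MAB Accepts that are not backed by the device inventory, in particular a registered MAC appearing on a different switch port than the one it was registered on. The log format, the inventory layout and every MAC, switch, port and VLAN value are constructed assumptions.

```python
import re

# Constructed inventory of MAB-only devices: MAC -> (expected VLAN, switch, port).
MAB_INVENTORY = {
    "00:11:22:aa:bb:01": ("atm", "br1-sw1", "Gi1/0/5"),
}

# Constructed log format (real RADIUS log layouts differ):
# "<ts> method=<mab|dot1x> mac=<mac> result=<Accept|Reject> nas=<switch> port=<port> vlan=<vlan>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) method=(?P<method>\w+) mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"result=(?P<result>\w+) nas=(?P<nas>\S+) port=(?P<port>\S+) vlan=(?P<vlan>\S+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_mab(lines, inventory=MAB_INVENTORY):
    """Return (timestamp, mac, reason) tuples for MAB Accepts that deviate from inventory."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        # Only accepted MAB sessions matter: a Reject opened nothing, and 802.1X carried a real credential.
        if not ev or ev["method"] != "mab" or ev["result"] != "Accept":
            continue
        expected = inventory.get(ev["mac"])
        if expected is None:
            findings.append((ev["ts"], ev["mac"], "unregistered MAC accepted via MAB"))
            continue
        vlan, nas, port = expected
        if (ev["nas"], ev["port"]) != (nas, port):
            # A registered MAC appearing on another port is the classic sign of a cloned MAC.
            findings.append((ev["ts"], ev["mac"], f"seen on {ev['nas']} {ev['port']}, registered on {nas} {port}"))
        if ev["vlan"] != vlan:
            findings.append((ev["ts"], ev["mac"], f"assigned VLAN {ev['vlan']}, expected {vlan}"))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z method=dot1x mac=00:11:22:cc:dd:01 result=Accept nas=br1-sw1 port=Gi1/0/1 vlan=teller",
    "2024-01-10T09:00:05Z method=mab mac=00:11:22:aa:bb:01 result=Accept nas=br1-sw1 port=Gi1/0/5 vlan=atm",
    "2024-01-10T09:02:10Z method=mab mac=00:11:22:aa:bb:01 result=Accept nas=br1-sw2 port=Gi1/0/3 vlan=atm",
    "2024-01-10T09:03:00Z method=mab mac=00:11:22:ee:ff:07 result=Accept nas=br1-sw1 port=Gi1/0/12 vlan=printer",
]

if __name__ == "__main__":
    for ts, mac, reason in audit_mab(SAMPLE_LOG):
        print(ts, mac, reason)
```

Feeding these findings to the SIEM turns the MAB exception list into something that is continuously reconciled rather than registered once and forgotten.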
Teller PCs and staff devices authenticate via 802.1X using EAP-TLS certificates issued by the bank's internal PKI. On successful authentication, RADIUS assigns the device to a role-specific VLAN (e.g., teller VLAN, supervisor VLAN) with a downloadable ACL restricting access to only the permitted core banking application servers. Unauthenticated devices cannot reach any internal system; they land in a quarantine VLAN with no internal routing.
Guest Wi-Fi runs on a completely isolated SSID with no access to internal networks, enforced at the wireless controller level.
ATMs typically run embedded operating systems that cannot run an 802.1X supplicant. MAB is used: each ATM's MAC address is pre-registered in RADIUS and mapped to a restricted VLAN that permits traffic only to the designated payment processing server and ATM management system. No lateral movement is possible from the ATM VLAN. This approach directly narrows the PCI DSS scope by isolating cardholder data flows.
IP phones are authenticated via 802.1X where vendor firmware supports it (most modern SIP phones do), or via MAB for legacy hardware. They are placed in a dedicated voice VLAN separate from data traffic. IP cameras are handled via MAB and placed in a surveillance VLAN with no access to financial systems.
Contractors may be issued short-lived certificates for 802.1X access, or temporary MAB entries with time-bound RADIUS session policies. CoA can revoke or change VLAN assignment mid-session if the contractor's device fails a posture check (antivirus out of date, unauthorized software, etc.).
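The use cases above all reduce to the RADIUS server returning a VLAN and ACL for each verified identity, and CoA changing that assignment mid-session. As an added example, not part of this page or of any vendor's product, the Python below models that authorization policy using the RFC 3580 tunnel attributes that carry a VLAN assignment; the role table, the ACL names and the use of Filter-Id for the ACL are assumptions.

```python
# RFC 3580 tunnel attribute values used to assign a VLAN in an Access-Accept.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64): VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type (attribute 65): IEEE-802

# Constructed role table: role -> (VLAN name, ACL name, reachable via MAB?).
ROLES = {
    "teller": ("teller-vlan", "acl-core-banking-teller", False),
    "supervisor": ("supv-vlan", "acl-core-banking-supv", False),
    "atm": ("atm-vlan", "acl-atm-payment-only", True),
    "camera": ("cctv-vlan", "acl-cctv-only", True),
}
QUARANTINE = ("quarantine-vlan", "acl-deny-internal")

def vlan_attributes(vlan, acl):
    """Encode a VLAN plus ACL assignment as RADIUS attributes (Filter-Id carries the ACL name)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": vlan,
        "Filter-Id": acl,
    }

def authorize(method, role, posture_ok=True, roles=ROLES):
    """Decide an Access-Request: method is "eap-tls" (certificate-verified) or "mab" (MAC only).

    Privileged roles are never reachable through MAB, whatever the MAC inventory says,
    so a mis-registered or cloned MAC cannot land in a teller or supervisor VLAN.
    """
    entry = roles.get(role)
    if entry is None or method not in ("eap-tls", "mab"):
        return "Reject", {}
    vlan, acl, mab_allowed = entry
    if method == "mab" and not mab_allowed:
        return "Reject", {}
    if not posture_ok:
        vlan, acl = QUARANTINE   # accepted, but with no internal routing
    return "Accept", vlan_attributes(vlan, acl)

def coa_for_posture(session_id, role, current_vlan, posture_ok, roles=ROLES):
    """Return CoA-Request attributes if a posture change alters the session's VLAN, else None."""
    vlan, acl = QUARANTINE if not posture_ok else roles[role][:2]
    if vlan == current_vlan:
        return None
    return {"Acct-Session-Id": session_id, **vlan_attributes(vlan, acl)}
```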
See how IO by HFCL implements these controls across banking networks with centralized policy enforcement, secure branch connectivity, and compliance-ready switching.
802.1X is an IEEE standard that requires every device to prove its identity before a network switch or access point allows regular traffic. In banking, it ensures only authorized, policy-compliant devices can reach core systems, payment networks, and cardholder data environments.
802.1X authenticates devices using cryptographic credentials (certificates or username/password via EAP); it is strong and resistant to spoofing. MAC Authentication Bypass (MAB) identifies devices by their hardware MAC address, which is weaker because MAC addresses can be spoofed. Banks use 802.1X as the primary method and MAB only for legacy devices that cannot support 802.1X.
EAP-TLS (certificate-based mutual authentication) is the strongest and most recommended method for BFSI environments. It eliminates password risk, supports automated certificate management, and aligns with Zero Trust principles. PEAP-MSCHAPv2 is acceptable for environments already using Active Directory, but carries higher risk if credentials are compromised.
802.1X enforces "never trust, always verify" at the network port level. Every device must authenticate before receiving any access. RADIUS assigns minimum-necessary access (VLAN + ACL) based on device identity and role. Change of Authorization (CoA) allows policies to be revoked or changed mid-session based on posture changes, a core Zero Trust capability.
The switch moves the port to a quarantine VLAN (or blocks it entirely, depending on policy). The device cannot reach any internal banking system. An alert is generated in the SIEM. IT support must investigate and remediate before the device is granted access. This prevents an unauthorized device from moving laterally even if it reaches a physical port.
Most ATMs use MAC Authentication Bypass (MAB) because ATM embedded software does not support 802.1X supplicants. The ATM's MAC address is registered in the RADIUS server and mapped to a restricted VLAN that allows traffic only to the payment processing server and ATM management infrastructure. This isolates the ATM from all other network segments and minimizes PCI DSS scope.