PASSED: network / dot1x_mab_iot_lockout

802.1X MAB Failure — IoT Devices Locked Out

A RADIUS policy change breaks MAC Authentication Bypass (MAB) for IoT devices. Security cameras, badge readers, and building management sensors are all locked out of the network as they cannot perform 802.1X EAP authentication.

Pattern: ACTIVE_DIRECTORY
Severity: CRITICAL
Confidence: 92%
Remediation: Remote Hands

Test Results

Metric                 Expected           Actual             Result
Pattern Recognition    ACTIVE_DIRECTORY   ACTIVE_DIRECTORY
Severity Assessment    CRITICAL           CRITICAL
Incident Correlation   Yes                13 linked
Cascade Escalation     N/A                No
Remediation            Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

802.1X deployment with MAB fallback for IoT. RADIUS policy updated to require EAP-TLS for all authentications. 150 IoT devices using MAB (cameras, badge readers, sensors). MAB fallback disabled by policy change. All IoT devices placed in restricted VLAN.

Injected Error Messages (2)

802.1X MAB authentication failing for IoT fleet — active directory RADIUS policy rejecting MAC authentication bypass requests, 150 IoT devices locked out after policy change requiring EAP-TLS, active directory event log showing 150 failed authentications per minute from IoT MAC addresses, MAB fallback disabled in updated policy
Security camera system offline — 85 IP cameras placed in restricted VLAN after 802.1X MAB rejection, active directory integrated NAC policy blocking non-EAP authenticated devices, badge readers and building sensors also affected, physical security monitoring compromised

Neural Engine Root Cause Analysis

The NAC Policy Server failure is caused by a misconfigured Active Directory RADIUS policy that was recently updated to require EAP-TLS authentication, breaking MAC Authentication Bypass (MAB) for 150 IoT devices that cannot support certificate-based authentication. The policy change disabled MAB fallback, causing all IoT devices to be locked out as they attempt to authenticate using MAC addresses but are rejected by the new EAP-TLS requirement. This is generating 150 failed authentication attempts per minute and creating a cascade effect across network access infrastructure.

Remediation Plan

1. Immediately revert the Active Directory RADIUS policy to re-enable MAB fallback for IoT device authentication
2. Create a separate network access policy specifically for IoT devices that allows MAC-based authentication
3. Configure device grouping in AD to distinguish between user devices (requiring EAP-TLS) and IoT devices (allowing MAB)
4. Test authentication for a subset of IoT devices before full deployment
5. Gradually migrate IoT devices to certificate-based authentication if security requirements mandate it, ensuring proper certificate provisioning first

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmnck2xma06ccobqe5ay3gksi