An organization wants to prevent unauthorized devices from connecting to its wired network. Which security control should be implemented?
802.1X authenticates devices at the port level before allowing network access.
Why this answer
IEEE 802.1X port-based authentication is the correct control because it authenticates each device at the network edge before granting access to the wired LAN. It uses an authentication server (e.g., RADIUS) to verify credentials or certificates, effectively preventing unauthorized devices from connecting. Unlike MAC-based controls, 802.1X provides dynamic, per-session authentication that cannot be easily spoofed.
Exam trap
ISC2 often tests the misconception that MAC-based controls (port security or MAC filtering) provide strong authentication. In fact, they are easily bypassed by MAC spoofing, whereas 802.1X uses cryptographic credentials or certificates for true device authentication.
How to eliminate wrong answers
Option A is wrong because port security with sticky MAC only learns and limits MAC addresses on a switch port, but it does not authenticate the device; an attacker can spoof a learned MAC address to bypass the control.
Option B is wrong because MAC address filtering is a static, easily spoofed control that only checks the source MAC at Layer 2, offering no authentication or encryption.
Option C is wrong because VLAN segmentation separates traffic logically but does not prevent unauthorized devices from physically connecting to the network; it only limits their broadcast domain.