Comprehensive and Detailed Explanation From Exact Extract:
RADIUS (Remote Authentication Dial-In User Service) is the best-fit protocol for this requirement. It supports both authentication and authorization and is widely used in Wi-Fi network environments for client device authentication using credentials stored in centralized directories such as Active Directory.
RADIUS integrates seamlessly with enterprise authentication sources and supports EAP (Extensible Authentication Protocol), making it compatible with Wi-Fi-based client devices. It also allows for role-based access control, enabling policy enforcement specific to device types (e.g., inventory scanners).
Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — “Authentication and Authorization Technologies”:
“RADIUS provides centralized authentication, authorization, and accounting (AAA) services and is commonly used for securing wireless access in conjunction with Active Directory.”
“Organizations use RADIUS to manage Wi-Fi authentication for user devices and enforce security policies during access attempts.”
Using a RADIUS server with 802.1X on the Wi-Fi infrastructure allows the scanners (and their users) to be authenticated against Active Directory and mapped to the correct authorization policies. TACACS+ is geared toward device management, LDAP alone doesn’t handle the Wi-Fi 802.1X handshake, and PKI by itself wouldn’t provide the user-to-device authorization flow needed. RADIUS gives you both authentication and authorization tied into AD.
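To make the authentication-plus-authorization point concrete, here is an added Python example (not from the study guide or any RADIUS product) of the authorization half of that flow: an AD-group-to-VLAN policy (constructed) mapping inventory scanners to their own VLAN, an RFC 2865 Access-Accept carrying the RFC 2868 tunnel attributes that tell the access point which VLAN to place the client in, and the Response Authenticator check the access point performs before trusting that reply. The group names, VLAN numbers and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 / RFC 2868
ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP = 1, 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed authorization policy: AD group -> VLAN, most specific role first.
GROUP_TO_VLAN = {"Inventory-Scanners": 40, "Domain Users": 10}

def vlan_for_groups(groups):
    """Return the VLAN for the first matching role, or None (caller sends Access-Reject)."""
    for group, vlan in GROUP_TO_VLAN.items():
        if group in groups:
            return vlan
    return None

def avp(attr_type, value):
    """Encode one attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged(tag, value):
    """RFC 2868 tagged value: tag octet, then a 3-octet integer or a string."""
    body = struct.pack("!I", value)[1:] if isinstance(value, int) else value.encode()
    return bytes([tag]) + body

def build_access_accept(ident, request_auth, secret, username, vlan):
    """Server side: Access-Accept with the VLAN assignment for this client's role."""
    attrs = (avp(ATTR_USER_NAME, username.encode())
             + avp(ATTR_TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN))
             + avp(ATTR_TUNNEL_MEDIUM, tagged(1, MEDIUM_IEEE_802))
             + avp(ATTR_TUNNEL_GROUP, tagged(1, str(vlan))))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Access point side: recompute the authenticator before acting on the reply."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attrs(packet):
    """Walk the attribute list and return {type: raw value}."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs
```

A reply whose authenticator does not verify, or one that arrives with a different shared secret, is discarded by the access point, so the VLAN assignment only takes effect when it really came from the RADIUS server that authenticated the client against AD.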