NAC (Network Access Control)
Definition
NAC (Network Access Control) is a security control that enforces policy on devices attempting to join a network. It decides who and what may connect, where they may connect (switch port, SSID, VPN), and what resources they may reach, based on identity, device posture and context.
NAC is a common enforcement layer in Zero Trust architectures: it is where "verify explicitly" is applied at the moment a device joins the network, so that only authenticated, compliant devices get a usable port or SSID. It does not inspect traffic after admission; that is the firewall's job.
NAC Components
| Component | Description |
|---|---|
| Policy Engine | Makes access decisions based on policy rules |
| Authentication | Verifies identity (802.1X, MAB, web auth) |
| Device Profiling | Identifies device type (BYOD, IoT, server) from fingerprints such as DHCP options, HTTP User-Agent and LLDP/CDP |
| Compliance Check | Verifies device health (antivirus, patches, encryption) via an agent or scan |
| Enforcement Point | Network devices that enforce access (switches, WLC, firewall) |
| Directory Integration | Connects to LDAP/Active Directory for user/device info |
NAC Authentication Methods
| Method | Description | Use Case |
|---|---|---|
| 802.1X | Port-based network access control: the supplicant authenticates with EAP, relayed by the switch/AP to a RADIUS server; the port carries no other traffic until it succeeds | Corporate devices, high security |
| MAB (MAC Authentication Bypass) | The switch submits the device's MAC address as the credential. A MAC is visible on the wire and trivially spoofed, so treat MAB as identification plus a narrow policy, not as authentication | IoT, printers, IP phones (no supplicant) |
| Web Auth (Captive Portal) | Browser-based login form; the port or SSID stays restricted until the user authenticates | Guest Wi-Fi, BYOD |
| VPN | Remote access authenticated at the VPN gateway, with posture checks applied to the tunnel session | Remote workers |
| SSO | Federates the portal or VPN login with the enterprise identity provider | Enterprise SSO integration |
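Because MAB trusts a spoofable identifier, the compensating control is detection. The following is an added example, not part of the original page or of any NAC product: it runs two simple rules over a constructed authentication log in an assumed key=value format, flagging a MAC that is accepted on a second switch port within a few minutes (a cloned MAC) and a MAB device whose profiled class changes (an allow-listed printer's MAC now fingerprinting as a workstation). Field names, switch names, MACs and timestamps are all made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a NAC server's authentication log (assumed format, not a real product's).
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth=mab mac=00:11:22:33:44:55 nas=sw01 port=Gi1/0/7 profile=printer result=accept
2024-05-01T08:00:30 auth=dot1x mac=aa:bb:cc:dd:ee:01 nas=sw01 port=Gi1/0/8 profile=windows result=accept
2024-05-01T08:02:10 auth=mab mac=00:11:22:33:44:55 nas=sw02 port=Gi1/0/3 profile=windows result=accept
2024-05-01T09:15:00 auth=mab mac=00:11:22:33:44:66 nas=sw03 port=Gi1/0/1 profile=ip_phone result=accept
2024-05-01T09:15:20 auth=mab mac=00:11:22:33:44:66 nas=sw03 port=Gi1/0/1 profile=ip_phone result=accept
"""

LINE = re.compile(
    r"(?P<ts>\S+) auth=(?P<auth>\w+) mac=(?P<mac>[0-9a-f:]{17}) nas=(?P<nas>\S+) "
    r"port=(?P<port>\S+) profile=(?P<profile>\S+) result=(?P<result>\w+)"
)


def parse_event(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_mab_anomalies(lines, window=timedelta(minutes=5)):
    """Flag accepted MAB sessions whose MAC shows up on a different switch port inside the
    window, or whose profiled device class differs from the previous acceptance."""
    last_seen = {}   # mac -> previous accepted MAB event
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["auth"] != "mab" or ev["result"] != "accept":
            continue   # only MAB acceptances matter for these two rules
        prev = last_seen.get(ev["mac"])
        if prev:
            here, there = (ev["nas"], ev["port"]), (prev["nas"], prev["port"])
            if here != there and ev["ts"] - prev["ts"] <= window:
                alerts.append((ev["mac"], "duplicate-location",
                               f"{there[0]}:{there[1]} then {here[0]}:{here[1]}"))
            if prev["profile"] != ev["profile"]:
                alerts.append((ev["mac"], "profile-drift", f"{prev['profile']} -> {ev['profile']}"))
        last_seen[ev["mac"]] = ev
    return alerts


if __name__ == "__main__":
    for mac, kind, detail in detect_mab_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{kind:<20} {mac}  {detail}")
```

On the sample above the printer MAC `00:11:22:33:44:55` triggers both rules; the IP phone that reauthenticates on the same port with the same profile triggers neither. In production the response to an alert is a CoA to quarantine the session, not just a log line.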
NAC Architecture
Device ───▶ Switch/WLC/Firewall (Enforcement Point) ───▶ Policy Server
       802.1X / MAB / Web Auth                  RADIUS              │
                                                      ┌─────────────┴─────────────┐
                                                      ▼                           ▼
                                             Directory (LDAP/AD)            Policy Engine
                                             (user/device info)             (access rules)
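The link between the enforcement point and the policy server in the diagram is RADIUS. As an added example, not code from the original page or from any vendor, the Python below builds the MAB Access-Request a switch would send, the Access-Accept a policy server would return to assign a VLAN, and the checks the switch performs before acting on it. The shared secret, MAC and VLAN number are assumed values; an 802.1X request differs in carrying EAP-Message attributes instead of User-Password, but the framing and both authenticators are the same.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types used below (RFC 2865, RFC 2868, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 61, 64, 65
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
SERVICE_TYPE_CALL_CHECK = 10        # Service-Type a switch sends for MAB
NAS_PORT_TYPE_ETHERNET = 15
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def attr(atype, value):
    """One Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged(atype, value, tag=1):
    """RFC 2868 tunnel attributes: a tag octet (0x01-0x1F), then a 3-octet integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return attr(atype, bytes([tag]) + body)


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password.encode().ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def assemble(code, ident, authenticator, attrs, secret):
    """Header + attributes, with Message-Authenticator appended last: HMAC-MD5 over the
    packet with that attribute's 16 value octets zeroed (RFC 3579 s3.2)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def build_mab_request(mac, secret, ident=7, request_auth=None):
    """Switch side: MAB Access-Request; User-Name and User-Password are both the MAC."""
    request_auth = request_auth or os.urandom(16)
    bare = mac.replace(":", "").lower()
    attrs = [
        attr(USER_NAME, bare.encode()),
        attr(USER_PASSWORD, hide_password(bare, secret, request_auth)),
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ]
    return assemble(ACCESS_REQUEST, ident, request_auth, attrs, secret)


def build_accept_vlan(request, vlan, secret):
    """Policy server side: Access-Accept that assigns a VLAN with the three tunnel attributes."""
    ident, request_auth = request[1], request[4:20]
    attrs = [tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
             tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802),
             tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan))]
    # Message-Authenticator is computed with the Request Authenticator in the header; then
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    pkt = assemble(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def attributes(pkt):
    """Yield (offset, type, value) for each attribute in the packet."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        yield pos, atype, pkt[pos + 2:pos + alen]
        pos += alen


def verify_response(response, request, secret):
    """Switch side, before acting on an Accept: check the Response Authenticator, then require
    and check Message-Authenticator. The MD5 Response Authenticator is not a strong integrity
    check on its own, so a reply without Message-Authenticator is refused rather than trusted."""
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    for pos, atype, value in attributes(response):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = response[:4] + request_auth + response[20:pos + 2] + bytes(16) + response[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def assigned_vlan(response):
    """VLAN the switch will put the port in, or None if the reply carries no assignment."""
    for _, atype, value in attributes(response):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return value[1:].decode()   # drop the tag octet
    return None
```

Two things to take from this: the VLAN assignment is only as trustworthy as the path from policy server to switch (require Message-Authenticator on both sides and prefer RADIUS over TLS where the equipment supports it), and a MAB request carries nothing the device had to prove, which is why the policy it maps to must be narrow.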
NAC Enforcement Actions
| Action | Description |
|---|---|
| Allow full access | Device is compliant; port placed in its normal VLAN |
| Allow limited access | Device is partially compliant or low-trust (e.g. MAB); restricted VLAN and/or ACL |
| Quarantine | Device sent to a remediation VLAN that reaches only patch and AV servers |
| Deny | Device not authorized; Access-Reject, port stays blocked |
| Redirect | HTTP traffic redirected to a captive portal or remediation page, normally combined with a restricted VLAN or ACL |
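A policy engine turns identity, profile, posture and context into one of these actions plus the RADIUS attributes that implement it on the enforcement point. The following is an added example, not the original page's or any product's code: VLAN numbers, ACL names, posture check names, the `Redirect-URL` attribute name (a stand-in for a vendor VSA) and the portal URL are assumptions. The CoA helper at the end shows how an already-admitted device is pushed to quarantine without waiting for reauthentication.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed site plan for this example: VLAN numbers, ACL names and posture checks are placeholders.
VLAN = {"corp": "10", "iot": "30", "guest": "40", "quarantine": "99"}
POSTURE_CHECKS = ("av_running", "disk_encrypted", "patched")   # reported by the compliance agent
CONTRACTOR_HOURS = range(7, 19)                                   # 07:00-18:59 local
MAB_PROFILE_ACL = {"printer": "printer-only", "ip_phone": "voice-only", "iot_sensor": "iot-to-collector"}
REMEDIATION_URL = "https://nac.example.test/remediate"            # hypothetical portal


@dataclass
class Session:
    """What the policy engine knows about one connection attempt."""
    auth_method: str                  # "dot1x", "mab" or "webauth"
    identity: Optional[str]           # username, or the MAC for MAB; None if authentication failed
    groups: tuple = ()                # directory groups of the identity
    profile: str = "unknown"          # device profiling result
    posture: dict = field(default_factory=dict)
    hour: int = 9                     # local hour, for time-of-day rules


@dataclass
class Decision:
    action: str                       # allow | limited | quarantine | deny
    vlan: Optional[str] = None
    acl: Optional[str] = None
    redirect_url: Optional[str] = None

    def radius_attrs(self):
        """Attributes returned to the enforcement point; Redirect-URL stands in for a vendor VSA."""
        if self.action == "deny":
            return []                 # Access-Reject: nothing to configure on the port
        attrs = [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
                 ("Tunnel-Private-Group-ID", self.vlan)]
        if self.acl:
            attrs.append(("Filter-Id", self.acl))
        if self.redirect_url:
            attrs.append(("Redirect-URL", self.redirect_url))
        return attrs


def compliant(posture):
    """Every required check must be present and true; a missing check counts as failed."""
    return all(posture.get(check) is True for check in POSTURE_CHECKS)


def decide(s: Session) -> Decision:
    if not s.identity:
        return Decision("deny")
    if s.auth_method == "mab":
        # A MAC is an identifier, not a credential: MAB devices get only the narrow ACL their
        # profile justifies, on the IoT VLAN, and an unrecognised profile is refused.
        acl = MAB_PROFILE_ACL.get(s.profile)
        return Decision("limited", VLAN["iot"], acl) if acl else Decision("deny")
    if s.auth_method == "webauth":
        return Decision("limited", VLAN["guest"], "internet-only")
    if s.auth_method != "dot1x" or not ({"employees", "contractors"} & set(s.groups)):
        return Decision("deny")
    if not compliant(s.posture):
        # Authenticated but unhealthy: remediation VLAN plus a portal explaining what to fix
        return Decision("quarantine", VLAN["quarantine"], "remediation-only", REMEDIATION_URL)
    if "contractors" in s.groups and s.hour not in CONTRACTOR_HOURS:
        return Decision("limited", VLAN["corp"], "contractor-after-hours")
    return Decision("allow", VLAN["corp"])


def coa_quarantine(mac):
    """Change-of-Authorization (RFC 5176) payload that moves an already-admitted device into
    quarantine after an incident indicator, keyed on its Calling-Station-Id."""
    target = Decision("quarantine", VLAN["quarantine"], "remediation-only", REMEDIATION_URL)
    return [("Calling-Station-Id", mac)] + target.radius_attrs()
```

The ordering of the checks is the point: a failed authentication is refused before anything else is consulted, MAB is never allowed to reach the corporate VLAN regardless of profile, and posture is evaluated only for devices that have already proven an identity.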
NAC vs Firewall
| Feature | NAC | Firewall |
|---|---|---|
| Scope | Device-level (who/what connects) | Traffic-level (what flows) |
| Layer | L2 (port/SSID and VLAN assignment), optionally with L3/L4 ACLs pushed to the port | L3/L4+ (packet-based) |
| Enforcement | Port state, VLAN assignment, ACL, CoA | Packet filtering |
| Device profiling | Yes | Not a core function |
| Compliance checking | Yes | No |
| Use case | Onboarding, admission control | Traffic filtering, segmentation, protection |
NAC in Zero Trust
| Zero Trust Principle | NAC Contribution |
|---|---|
| Verify explicitly | Every device and user is authenticated before the port or SSID carries traffic; periodic reauthentication extends this beyond the moment of admission |
| Least privilege | Assigns the minimum-access VLAN/ACL that the role and device class justify |
| Assume breach | Isolates non-compliant or compromised devices (quarantine VLAN, CoA) |
| Device trust | Profiles devices and validates their posture before admission |
| Context-aware | Uses location, time of day and device type in the decision |
NAC Solutions
| Solution | Type | Notes |
|---|---|---|
| Cisco ISE | Enterprise | Market leader, comprehensive |
| Aruba ClearPass | Enterprise | Strong Wi-Fi integration |
| FortiNAC | Mid-market | Integrated with FortiGate |
| OpenNAC | Open-source | Community-driven |
| UniFi NAC | SMB | Integrated with the UniFi ecosystem |
| WPA2-Enterprise | Wi-Fi only | Not a NAC product: the Wi-Fi security mode (WPA2/WPA3-Enterprise) that carries 802.1X/EAP to a RADIUS server |
NAC Implementation Steps
- Inventory devices: identify every device type on the network, including those that cannot run an 802.1X supplicant
- Define policies: who gets access to what, per identity, device class and posture
- Deploy authentication: 802.1X for managed devices, MAB for supplicant-less devices, web auth for guests
- Configure enforcement: VLANs, ACLs, quarantine, and a guest/critical VLAN behaviour for when the RADIUS server is unreachable
- Integrate directory: LDAP/AD for user and device information
- Pilot in monitor (open/audit) mode first, so misprofiled devices show up as log entries rather than outages, then switch ports to enforcement
- Monitor and tune: adjust policies based on authentication logs and failures
Related
- Zero Trust: NAC is the network-admission enforcement point for "verify explicitly"
- Firewall: NAC controls who connects; the firewall controls what traffic flows
- VLAN: the primary NAC enforcement primitive; policy assigns the port or session to a VLAN
- VPN: NAC identity and posture policies can be applied to VPN sessions