Network Access Control (NAC) Explained: Who Gets On Your Network?

February 26, 2026 Editorial Team 7 min read

Every device that connects to your network is a potential risk. Network Access Control (NAC) enforces policies that determine who and what is allowed onto your wired and wireless infrastructure, checking identity and device health before granting access. This guide explains how NAC works, the standards behind it, deployment approaches, and the leading vendor solutions available today.

What Is Network Access Control?

Network Access Control (NAC) is a security approach that enforces policy-based decisions about which users and devices are permitted to connect to a network and what resources they can reach once connected. Rather than treating your LAN as a trusted zone where any plugged-in device has free rein, NAC treats every connection attempt as something that must be authenticated, assessed, and authorised before traffic is allowed to flow.

At its core, NAC answers three questions: Who are you? (identity), What is your device? (profiling), and Is your device healthy? (posture assessment). Depending on the answers, the NAC system may grant full access, place the device into a restricted VLAN, redirect it to a remediation portal, or deny access entirely.

How NAC Works: 802.1X and RADIUS

The most common NAC framework relies on the IEEE 802.1X standard. In this model, three roles interact: the supplicant (the client device requesting access), the authenticator (the network switch or wireless access point that controls the port), and the authentication server (typically a RADIUS server). When a device plugs into a switch port or associates with an SSID, the authenticator holds the port in an unauthorised state and initiates an EAP (Extensible Authentication Protocol) exchange. The supplicant provides credentials — a username and password, a certificate, or machine credentials joined to Active Directory. The RADIUS server validates these against a directory such as Active Directory or LDAP, then returns an Access-Accept or Access-Reject. Along with the accept, it can push VLAN assignments, downloadable ACLs, or Security Group Tags (SGTs) to the switch, dynamically controlling what the device can reach.

Pre-Admission vs Post-Admission NAC

Pre-admission NAC evaluates a device before it is granted any network access. The device must authenticate and pass posture checks — such as having an up-to-date antivirus definition, a supported operating system version, or an active host firewall — before it receives an IP address on the production network. Devices that fail are placed into a quarantine or remediation VLAN where they can download patches or updates but cannot reach sensitive resources.

Post-admission NAC continues to monitor devices after they have been admitted. If a device's posture changes — for instance, the user disables their antivirus or the device begins exhibiting suspicious behaviour — the NAC system can dynamically change the access policy, move the device to a restricted VLAN, or disconnect it entirely. Post-admission controls are essential for maintaining security throughout the duration of a session, not just at the point of entry.

Agent-Based vs Agentless NAC

Agent-based NAC requires a software agent installed on the endpoint. This agent reports detailed posture information — installed software, patch level, running processes, registry keys, disk encryption status — back to the NAC server. Agents provide the richest visibility but require deployment and maintenance across every managed device. Persistent agents remain installed, while dissolvable agents run temporarily (often via a captive portal download) and remove themselves after the session.

Agentless NAC uses network-level techniques to profile and assess devices without installing software. Methods include DHCP fingerprinting, SNMP queries, HTTP user-agent analysis, NetFlow data, and active scanning (e.g. Nmap or WMI queries). Agentless approaches are essential for devices that cannot run agents — printers, IP cameras, building management controllers, and other IoT equipment. The trade-off is less granular posture data compared to a full agent.

MAC Authentication Bypass (MAB)

Many devices on a network — printers, VoIP phones, security cameras, medical equipment — lack an 802.1X supplicant and cannot participate in EAP authentication. For these devices, MAC Authentication Bypass (MAB) is used as a fallback. The switch detects that the device is not responding to EAP requests and instead sends the device's MAC address to the RADIUS server as both the username and password. The server matches the MAC against a whitelist and assigns an appropriate VLAN and policy.

MAB is less secure than 802.1X because MAC addresses can be spoofed. Always combine MAB with device profiling to verify that the device behind a MAC address is genuinely the type of device expected (e.g. confirming a MAC registered as a printer actually behaves like a printer on the network).
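An added example (not code from the article or any NAC product) that ties the agentless DHCP fingerprinting described earlier to the MAB check above: an allowlisted MAC is accepted only when the device's DHCP option 55/60 fingerprint matches the device type registered for it, otherwise the session is quarantined. The fingerprint table, allowlist entries and packet bytes are constructed for illustration.

```python
# Added example (not from the article): DHCP fingerprinting as a MAB consistency check.
# Fingerprint table, allowlist and packet bytes below are constructed for illustration.

def parse_dhcp_options(data: bytes) -> dict:
    """Parse the DHCP options field: TLV records (code, length, value); 0 = pad, 255 = end."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                 # pad octet carries no length byte
            i += 1
            continue
        if code == 255:               # end marker
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

# Constructed fingerprints keyed on option 55 (parameter request list) and option 60
# (vendor class identifier). Real NAC products ship a maintained fingerprint database.
FINGERPRINTS = {
    "workstation": ((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), b"MSFT 5.0"),
    "printer": ((1, 3, 6, 12, 15, 28, 42), b"ExamplePrinter/1.0"),
}

def fingerprint(opts: dict) -> str:
    params = tuple(opts.get(55, b""))
    vendor = opts.get(60, b"")
    for kind, (fp_params, fp_vendor) in FINGERPRINTS.items():
        if params == fp_params and vendor == fp_vendor:
            return kind
    return "unknown"

# Constructed MAB allowlist: MAC address -> device type the administrator registered.
MAB_ALLOWLIST = {"00:11:22:33:44:55": "printer"}

def mab_decision(mac: str, dhcp_options: bytes) -> str:
    """MAB fallback: an allowlisted MAC must also profile as the registered device type."""
    registered = MAB_ALLOWLIST.get(mac.lower())
    if registered is None:
        return "reject"
    observed = fingerprint(parse_dhcp_options(dhcp_options))
    return "accept" if observed == registered else "quarantine"  # mismatch: possible spoofed MAC

def build_options(*items: tuple) -> bytes:  # encode (code, value) pairs, terminated with 255
    return b"".join(bytes([c, len(v)]) + v for c, v in items) + b"\xff"
```

In practice the switch admits a MAB device before any DHCP traffic exists, so the quarantine outcome corresponds to a post-admission re-evaluation once the profiler has seen the device's DHCP request.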

Common NAC Use Cases

NAC is not a single-purpose tool — it addresses a broad range of access control scenarios. Guest access is one of the most common: visitors connect to a guest SSID, are redirected to a captive portal to accept terms or enter a sponsor-approved code, and are placed on an isolated VLAN with internet-only access. Contractor and BYOD devices can be profiled and given limited access to only the resources they need, even if they are not domain-joined. IoT quarantine ensures that devices like smart TVs, building sensors, and IP cameras are segmented away from the corporate network. And compliance enforcement ensures that every endpoint connecting to the network meets minimum security standards before being allowed onto production VLANs.

NAC Deployment Approaches Compared

| Feature | 802.1X (Full) | MAB Only | Hybrid (802.1X + MAB) | Inline Appliance |
|---|---|---|---|---|
| Authentication strength | Strong (certificate/credential) | Weak (MAC address) | Strong for capable devices, fallback for others | Varies by configuration |
| Endpoint agent required | Supplicant required | No | Where possible | No |
| IoT device support | Poor (no supplicant) | Good | Good (MAB fallback) | Good |
| Switch compatibility | Must support 802.1X | Most managed switches | Must support 802.1X | Vendor-specific appliance |
| Deployment complexity | High | Low | Medium–High | Medium |
| Best suited for | Fully managed environments | IoT-heavy networks | Mixed enterprise environments | Networks with legacy switches |

Leading NAC Vendor Solutions

Cisco Identity Services Engine (ISE) is the market leader and integrates tightly with Cisco switching and wireless infrastructure. It provides 802.1X, profiling, posture assessment, guest portals, and TrustSec Security Group Tags for software-defined segmentation. ISE is powerful but comes with significant licensing costs and complexity.

Aruba ClearPass from HPE is a strong alternative, particularly in multi-vendor environments. ClearPass works with switches and access points from any manufacturer and provides excellent profiling, guest access, and policy management. Fortinet FortiNAC is tightly integrated with the FortiGate firewall ecosystem and appeals to organisations already invested in the Fortinet Security Fabric. For budget-conscious deployments, PacketFence is a mature open-source NAC solution that supports 802.1X, captive portals, device profiling, and VLAN enforcement without commercial licensing fees.

Integration with Directory Services

A NAC solution is only as effective as the identity source it relies on. Most deployments integrate with Microsoft Active Directory or an LDAP directory to authenticate users and check group memberships. This allows policies such as "members of the Finance group are placed on VLAN 20 with access to the finance file server, while members of the Guest group are isolated on VLAN 99 with internet-only access." Certificate-based authentication (EAP-TLS) using an internal PKI provides the strongest authentication, as it validates both the user and the machine identity without transmitting passwords over the wire.
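An added example (not from the article or any vendor) that models the RADIUS decision described in the 802.1X, pre-/post-admission and directory sections: group membership selects the VLAN carried back in the Tunnel-* attributes, a failed posture check lands the device in a remediation VLAN instead, and a posture change after admission yields a Change of Authorization. Group names, VLAN numbers, posture fields and the set of accepted EAP methods are assumptions.

```python
# Added example (not from the article): a NAC policy decision expressed as a RADIUS reply.
from dataclasses import dataclass, field

# RFC 3580 carries a VLAN assignment in the RFC 2868 Tunnel-* attributes with these values.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type = IEEE-802

# Assumed policy tables for this example, not the article's.
ACCEPTED_METHODS = {"eap-tls", "peap-mschapv2"}
GUEST_VLAN = 99
GROUP_VLANS = [("Finance", 20), ("Guest", GUEST_VLAN)]   # first matching group wins
QUARANTINE_VLAN = 999

@dataclass
class AccessRequest:
    identity: str
    method: str                                  # EAP method the supplicant completed
    groups: set = field(default_factory=set)     # directory group memberships
    posture: dict = field(default_factory=dict)  # agent or agentless posture data

def posture_ok(p: dict) -> bool:
    """Pre-admission checks named in the article: current antivirus and an active host firewall."""
    return p.get("av_current") is True and p.get("firewall_on") is True

def vlan_attributes(vlan: int) -> dict:
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(vlan)}

def decide(req: AccessRequest) -> dict:
    """Return the RADIUS reply the policy server would send for this request."""
    if req.method not in ACCEPTED_METHODS:
        return {"code": "Access-Reject", "reason": "unsupported authentication method"}
    vlan = next((v for g, v in GROUP_VLANS if g in req.groups), None)
    if vlan is None:
        return {"code": "Access-Reject", "reason": "no group grants network access"}
    if vlan != GUEST_VLAN and not posture_ok(req.posture):
        # Admitted, but only to the remediation VLAN until the posture failure is fixed.
        return {"code": "Access-Accept", "reason": "posture failed", **vlan_attributes(QUARANTINE_VLAN)}
    return {"code": "Access-Accept", "reason": "policy match", **vlan_attributes(vlan)}

def reevaluate(current_vlan: int, req: AccessRequest):
    """Post-admission: if fresh posture data changes the decision, return the RFC 5176 message to send."""
    reply = decide(req)
    if reply["code"] == "Access-Reject":
        return {"coa": "Disconnect-Request"}
    if reply["Tunnel-Private-Group-ID"] != str(current_vlan):
        return {"coa": "CoA-Request", **vlan_attributes(int(reply["Tunnel-Private-Group-ID"]))}
    return None
```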

Frequently Asked Questions

Do I still need NAC if I already have a firewall?

Yes. A firewall controls traffic between network zones, but it does not control which devices are allowed to connect to the network in the first place. NAC and firewalls are complementary — NAC handles admission control and segmentation at the access layer, while the firewall enforces policy at the perimeter and between zones.

How does NAC handle BYOD devices?

NAC can profile BYOD devices and place them on a restricted VLAN with limited access. Many solutions offer a self-registration portal where employees register their personal devices, which are then fingerprinted and assigned an appropriate policy. Dissolvable agents can perform a one-time posture check without permanently installing software on the personal device.

Is NAC difficult to deploy?

Full 802.1X deployment can be complex, particularly in environments with legacy switches or a large number of IoT devices. Most organisations adopt a phased approach: start in monitor mode (authenticate but do not enforce), profile all devices, build policies, and then gradually enable enforcement on a VLAN-by-VLAN or switch-by-switch basis. This reduces the risk of locking out legitimate devices.

Does NAC work with cloud-managed switches?

Yes. Many cloud-managed switching platforms (such as Cisco Meraki and Aruba Central) support 802.1X and RADIUS authentication. The NAC policy server still runs on-premises or in the cloud, and the cloud-managed switches act as authenticators in the same way traditional switches do.

What happens if the RADIUS server goes down?

Most switches can be configured with a critical VLAN or inaccessible authentication bypass policy. If the RADIUS server is unreachable, new connections are placed into a predefined VLAN with limited access rather than being denied entirely. Deploying redundant RADIUS servers (primary and secondary) is strongly recommended for production environments.
