Network Access Control

Network Access Control (NAC)

  • Primary purpose: Control and monitor network access by validating device compliance and user credentials before granting network connectivity
  • Core function: Acts as a security gatekeeper that enforces policies at the network edge (switches, wireless controllers, VPN concentrators)
  • Implementation model: Combines authentication, authorization, and endpoint compliance checking in a single framework

Key Components

  • Policy Decision Point (PDP): Central server that makes access control decisions based on configured policies
  • Policy Enforcement Point (PEP): Network devices (switches, APs, firewalls) that enforce the decisions made by PDP
  • Policy Information Point (PIP): External systems providing additional context (AD, vulnerability scanners, asset management)
  • Endpoint agents: Software installed on devices to report compliance status and remediate issues

Authentication Methods

  • 802.1X: Most common enterprise method - port-based authentication in which the endpoint (supplicant) speaks EAP (Extensible Authentication Protocol) to the switch or wireless controller, which relays it to the RADIUS server and keeps the port closed to everything but EAPOL until an Access-Accept arrives
  • MAC Authentication Bypass (MAB): Uses the device MAC address as the credential when 802.1X isn't supported (printers, IoT devices); a MAC address is visible on the wire and trivially spoofed, so MAB should only ever grant a restricted segment
  • Web Authentication (WebAuth): Browser-based login portal for guest access or non-802.1X capable devices
  • Certificate-based (EAP-TLS): 802.1X with a device or user certificate as the EAP credential (highest assurance; requires a PKI and a way to provision, renew and revoke certificates)

  Method                      Use Case                    Security Level   Deployment Complexity
  802.1X                      Corporate endpoints         High             Medium-High
  MAB                         IoT/Legacy devices          Low-Medium       Low
  WebAuth                     Guest networks              Medium           Low-Medium
  Certificates (EAP-TLS)      High-security environments  Very High        High

Compliance Checking

  • Posture assessment: Evaluates endpoint security status (antivirus, patches, firewall status)
  • Device profiling: Automatically identifies device types from passive and active signals (DHCP option fingerprints, HTTP User-Agent headers, SNMP queries, MAC OUI); every one of these is client-controlled and can be spoofed, so profiling should inform policy (e.g. which devices are allowed to use MAB) but never replace authentication
  • Vulnerability scanning: Checks for known security weaknesses and misconfigurations
  • Policy enforcement: Applies appropriate network access based on compliance results
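Device profiling from DHCP, as an added example that is not code from the original page. A DHCP client's Parameter Request List (option 55) is characteristic of its network stack, and the Vendor Class Identifier (option 60) is a free-form string the client chooses, so the example treats an exact option-55 match as the primary signal and uses option 60 only to raise or lower confidence. The fingerprint table, the packet builder and the three sample DISCOVER messages are constructed for illustration; real profilers ship large signature databases and combine many more sources.

```python
# Added example (not from the original page): device profiling from the DHCP
# options a client sends. Fingerprint table and sample packets are constructed.
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 53, 55, 60, 255

# Constructed fingerprint table. Option 55 ordering identifies the DHCP client
# implementation; option 60 is chosen by the client and only corroborates a match.
FINGERPRINTS = {
    "Windows workstation": {
        "params": (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
        "vendor": "MSFT 5.0",
    },
    "Linux dhclient": {"params": (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42), "vendor": None},
    "IP phone":       {"params": (1, 3, 6, 15, 42, 66, 150), "vendor": None},
}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP packet.
    Options are TLVs after the magic cookie; repeated codes are concatenated (RFC 3396)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def profile_device(packet: bytes) -> tuple:
    """Match option 55 exactly, then use option 60 to adjust confidence.
    Returns (device_type, confidence) with confidence in {'high', 'medium', 'low', 'none'}."""
    opts = parse_dhcp_options(packet)
    params = tuple(opts.get(OPT_PARAM_LIST, b""))
    vendor = opts.get(OPT_VENDOR_CLASS)
    vendor = vendor.decode("ascii", "replace") if vendor is not None else None
    for name, sig in FINGERPRINTS.items():
        if not params or params != sig["params"]:
            continue
        if sig["vendor"] is None:
            return name, "medium"   # nothing to corroborate with
        if sig["vendor"] == vendor:
            return name, "high"
        return name, "low"          # option 55 and option 60 disagree: possible spoof
    return "unknown", "none"


def build_dhcp_packet(options) -> bytes:
    """Constructed DHCP client message: BOOTREQUEST header, magic cookie, then the given options."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6   # op=BOOTREQUEST, htype=Ethernet, hlen=6
    body = bytes(header) + DHCP_MAGIC
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return body + bytes([OPT_END])


# Constructed sample DHCPDISCOVER messages (message type 1)
WINDOWS_DISCOVER = build_dhcp_packet([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS, b"MSFT 5.0"),
    (OPT_PARAM_LIST, bytes(FINGERPRINTS["Windows workstation"]["params"])),
])
LINUX_DISCOVER = build_dhcp_packet([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_PARAM_LIST, bytes(FINGERPRINTS["Linux dhclient"]["params"])),
])
# Same option-55 list as Windows but a different vendor class: flag as suspicious
SPOOFED_DISCOVER = build_dhcp_packet([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_VENDOR_CLASS, b"udhcp 1.36"),
    (OPT_PARAM_LIST, bytes(FINGERPRINTS["Windows workstation"]["params"])),
])

if __name__ == "__main__":
    for label, pkt in [("windows", WINDOWS_DISCOVER), ("linux", LINUX_DISCOVER), ("spoofed", SPOOFED_DISCOVER)]:
        print(label, profile_device(pkt))
```

The "low" result is the case a NAC operator cares about: an endpoint whose option-55 list says Windows while its vendor class says something else is either an unusual client or someone imitating a permitted device class to qualify for a MAB exception, and should not be auto-admitted on the strength of the profile.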

Network Segmentation Responses

  • Full access: Compliant devices get unrestricted network access
  • Limited access: Partial connectivity (restricted VLAN or ACL) for guests, MAB-authenticated devices, or endpoints whose posture has not yet been assessed
  • Remediation network: Isolated segment allowing access only to patch servers and security tools
  • Blocked access: Complete network denial for non-compliant or unknown devices
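A Policy Decision Point that maps the session facts (authentication method, whether the identity was recognised, posture result, profiled device type) to one of the four responses above, then expresses the decision as the RADIUS authorization a switch acts on. This is an added example, not code from the original page; the VLAN numbers, ACL names and input values are constructed. The attribute names and values for dynamic VLAN assignment are the standard ones from RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN id) plus Filter-Id from RFC 2865; the rule that MAB never yields full access is the practitioner's choice the lead-in above motivates, not a requirement of any standard.

```python
# Added example (not from the original page): PDP decision logic and the RADIUS
# authorization attributes that carry it to the PEP. VLANs/ACL names are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "full"
    LIMITED = "limited"
    REMEDIATION = "remediation"
    BLOCKED = "blocked"


@dataclass(frozen=True)
class Session:
    auth_method: str                 # "802.1X", "MAB" or "WebAuth"
    identity_known: bool             # credential, certificate or MAC matched a directory/asset record
    posture: str                     # "compliant", "non-compliant" or "unknown"
    profiled_type: Optional[str]     # result of device profiling, e.g. "printer"


# Constructed segmentation plan for the example
VLANS = {Access.FULL: 10, Access.LIMITED: 20, Access.REMEDIATION: 30}
ACLS = {Access.LIMITED: "ACL-RESTRICTED", Access.REMEDIATION: "ACL-REMEDIATION-ONLY"}
MAB_ALLOWED_TYPES = {"printer", "ip-phone"}   # device classes the inventory expects to use MAB


def decide(s: Session) -> Access:
    """Map session facts to one of the four segmentation responses."""
    if not s.identity_known:
        return Access.BLOCKED
    if s.auth_method == "MAB":
        # A MAC address is not a secret: never grant full access on MAB alone,
        # and only admit device classes that are expected to need it.
        return Access.LIMITED if s.profiled_type in MAB_ALLOWED_TYPES else Access.BLOCKED
    if s.auth_method == "WebAuth":
        return Access.LIMITED          # guests stay on the restricted segment regardless of posture
    # 802.1X (password or EAP-TLS certificate)
    if s.posture == "compliant":
        return Access.FULL
    if s.posture == "non-compliant":
        return Access.REMEDIATION
    return Access.LIMITED              # posture unknown (no agent report yet): restricted until assessed


def radius_authorization(decision: Access) -> tuple:
    """Return (RADIUS code, attributes) the PDP sends to the switch for this decision."""
    if decision is Access.BLOCKED:
        return "Access-Reject", {}
    attrs = {
        "Tunnel-Type": 13,                               # VLAN (RFC 3580)
        "Tunnel-Medium-Type": 6,                         # IEEE 802
        "Tunnel-Private-Group-ID": str(VLANS[decision]), # the VLAN the port is moved into
    }
    if decision in ACLS:
        attrs["Filter-Id"] = ACLS[decision]              # named ACL the switch applies to the port
    return "Access-Accept", attrs


def authorize(s: Session) -> tuple:
    """Full PDP path: decide, then encode for the PEP."""
    return radius_authorization(decide(s))


if __name__ == "__main__":
    for sess in [
        Session("802.1X", True, "compliant", "workstation"),
        Session("802.1X", True, "non-compliant", "workstation"),
        Session("MAB", True, "unknown", "printer"),
        Session("MAB", True, "unknown", "workstation"),
        Session("WebAuth", True, "unknown", None),
    ]:
        print(sess.auth_method, sess.posture, "->", decide(sess).value, authorize(sess))
```

Keeping the decision (decide) separate from its encoding (radius_authorization) is deliberate: the same decision can be rendered as VLAN attributes for a switch, a role name for a wireless controller, or a firewall rule, and the policy logic can be unit-tested without any network device in the loop.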

Deployment Models

Inline Mode

  • NAC device sits directly in network path between endpoints and network resources
  • Advantage: Can block traffic immediately, complete visibility
  • Disadvantage: Single point of failure, potential performance bottleneck
  • Best for: High-security environments requiring absolute control

Out-of-Band Mode

  • NAC communicates with network infrastructure via management protocols (SNMP, APIs)
  • Advantage: No impact on network performance, easier deployment
  • Disadvantage: Relies on the switches and controllers to report and enforce; anything the infrastructure does not see or cannot act on is a bypass (a spoofed MAC behind a MAB-authenticated port, an unmanaged switch or hub on an authenticated port, a port that was never put into the NAC policy)
  • Best for: Large enterprise networks with modern infrastructure

Integration Points

  • Switch integration: Uses 802.1X, dynamic VLAN assignment, and ACL application
  • Wireless integration: Leverages WLC (Wireless LAN Controller) for policy enforcement
  • VPN integration: Controls remote access based on device compliance and user credentials
  • DHCP integration: Can withhold IP addresses or assign specific subnets based on compliance; weak on its own, because a device with a static address never asks for a lease

  Integration Type   Control Method       Response Time   Scalability
  Switch (802.1X)    Port control         Immediate       High
  DHCP               IP assignment        DHCP renewal    Medium
  DNS                Resolution blocking  Per query       High
  Firewall           Traffic filtering    Real-time       Medium-High

Common Protocols and Standards

RADIUS Integration

  • NAC solutions typically integrate with RADIUS for authentication and authorization
  • Change of Authorization (CoA): RFC 5176 (originally RFC 3576) - lets the NAC server push a CoA-Request to the switch or controller that changes an existing session's VLAN or ACL without forcing re-authentication
  • Disconnect messages: A Disconnect-Request (same RFC) immediately terminates a session when compliance changes; both message types carry a Request Authenticator computed over the packet and the shared secret, so a device holding the secret can kill or re-authorize any session
  • Vendor-Specific Attributes (VSAs): Carry NAC-specific policy information between components
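The two RADIUS exchanges that matter most for NAC, shown byte for byte as an added example that is not code from the original page. The first is the Access-Request a switch sends for MAB (the MAC address ends up as both User-Name and User-Password, hidden with the RFC 2865 PAP scheme), which makes concrete why MAB is only as strong as the MAC address. The second is the Disconnect-Request from the RFC 5176 section above, with the Request Authenticator the switch verifies before dropping a session and the Response Authenticator the NAC server verifies on the ACK. Shared secret, NAS address, MAC and session id are constructed; the Service-Type value 10 (Call-Check) is one several vendors use to mark MAB requests and is an assumption here.

```python
# Added example (not from the original page): RADIUS packets as NAC sees them.
# Shared secret, NAS address, MAC and session id are constructed; layout follows
# RFC 2865 (header, AVPs, PAP password hiding) and RFC 5176 (Disconnect/CoA
# Request and Response Authenticators).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41
COA_REQUEST, COA_ACK = 43, 44
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44
SERVICE_TYPE_CALL_CHECK = 10   # assumed: value commonly used to flag a MAB request


def encode_attrs(attrs) -> bytes:
    """Encode [(type, value_bytes)] as RADIUS AVPs: Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth          # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password: obfuscation keyed by the shared secret, not encryption."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")             # assumes the password itself has no trailing NULs


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def mab_access_request(mac: str, nas_ip: str, secret: bytes, identifier: int, request_auth=None) -> bytes:
    """Access-Request a switch sends for MAB: the MAC is both User-Name and User-Password."""
    ra = request_auth or os.urandom(16)
    mac_norm = mac.lower().replace(":", "").replace("-", "")
    attrs = [
        (USER_NAME, mac_norm.encode()),
        (USER_PASSWORD, hide_password(mac_norm.encode(), secret, ra)),
        (CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
        (NAS_IP_ADDRESS, ip_bytes(nas_ip)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    ]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body


def dynamic_auth_request(code: int, identifier: int, secret: bytes, attrs) -> bytes:
    """RFC 5176 request: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attrs + Secret)."""
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a dynamic authorization request")
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_dynamic_auth_request(packet: bytes, secret: bytes) -> bool:
    """Switch side: only act on a Disconnect/CoA that proves knowledge of the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """ACK/NAK as the switch emits it: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attrs + Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAC server side: the Identifier must echo our request and the Response Authenticator must match."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_session(mac: str, session_id: str, nas_ip: str, secret: bytes, identifier: int) -> bytes:
    """Disconnect-Request the NAC server sends when a device falls out of compliance."""
    attrs = [   # session keys: the switch uses these to find which session to drop
        (USER_NAME, mac.lower().replace(":", "").encode()),
        (CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
        (ACCT_SESSION_ID, session_id.encode()),
        (NAS_IP_ADDRESS, ip_bytes(nas_ip)),
    ]
    return dynamic_auth_request(DISCONNECT_REQUEST, identifier, secret, attrs)
```

Two things to take from the bytes: the only secret in the MAB request is the switch's RADIUS shared secret, not anything the endpoint knows, and the only thing stopping an arbitrary host from sending Disconnect-Requests to a switch on UDP 3799 is that same shared secret, so the secret's strength and the source-address restriction on the switch's dynamic-authorization client list are what protect every session.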

SNMP for Device Management

  • Device discovery: Uses SNMP queries (interface and bridge MAC address tables) to identify and profile network-connected devices
  • Switch port control: Enables/disables switch ports (IF-MIB ifAdminStatus) based on policy decisions
  • VLAN assignment: Dynamically moves devices between network segments by rewriting the port's access VLAN
  • Monitoring: linkUp/linkDown traps and periodic polling detect new or moved devices; the compliance state itself comes from agents or scanners, SNMP only tells the NAC where the device is

Notes

Implementation Considerations

  • Start with monitoring mode before enabling enforcement to understand network behavior and device types
  • Plan for exceptions: IoT devices, printers, and legacy systems often require MAB or static assignments
  • Network design impact: Requires proper VLAN design and routing to support segmentation strategies
  • Performance planning: Inline deployments need sizing for peak authentication loads (Monday morning, after outages)

Common Deployment Challenges

  • Certificate management: PKI infrastructure required for certificate-based authentication adds complexity
  • Guest network integration: Balance between security and user experience for temporary access
  • Bring Your Own Device (BYOD): Personal devices may have limited agent support or compliance capabilities
  • Legacy device support: Older equipment may not support modern authentication methods

Troubleshooting Tips

  • Authentication failures: Check RADIUS logs, certificate validity (expiry, chain, revocation), the shared secret on both sides (a mismatch shows up as authenticator failures or silently dropped packets), and network connectivity to the authentication servers
  • Policy application: Verify VLAN assignments and ACL application on network devices; an Access-Accept that names a VLAN the switch does not have is applied as a failure, not as full access
  • Performance issues: Monitor authentication server load and network device CPU utilization during peak times
  • Use "show authentication sessions" on Cisco switches to verify 802.1X/MAB session status and applied policies; "show authentication sessions interface <interface> details" shows the method, the VLAN and ACL in effect, and the server that authorized the session