Network Access Control (NAC) is the security discipline that determines which devices and users are allowed to connect to the network and what level of access they receive. It enforces security policies at the point of connection — before a device can send or receive any data.
Without NAC, any device plugged into a network port or connecting to Wi-Fi gains immediate access:
| Risk Without NAC | Consequence |
|---|---|
| Rogue devices connect freely | Attackers plug in a laptop and access the network |
| Unpatched devices join the network | Vulnerable systems introduce risk to the entire network |
| No visibility into connected devices | Cannot inventory or monitor what is on the network |
| BYOD devices uncontrolled | Personal devices may carry malware |
| Compliance failures | Cannot demonstrate device-level access controls |
NAC evaluates devices and users at the time of connection and applies policies based on the results:
```
Device connects to network port or Wi-Fi
          │
          ▼
  [NAC Policy Engine]
          │
          ├── Who is the user? (Authentication)
          ├── What is the device? (Profiling)
          ├── Is it healthy? (Posture Assessment)
          ├── What policy applies? (Authorisation)
          │
          ▼
      [Decision]
          │
          ├── Full Access: Meets all requirements
          ├── Limited Access: Partial compliance (quarantine VLAN)
          └── Denied: Failed authentication or policy
```
IEEE 802.1X is the standard for port-based network access control. It authenticates devices before they are granted access to the network.
| Component | Role | Example |
|---|---|---|
| Supplicant | The device requesting access | Laptop, phone, printer |
| Authenticator | The network device that controls port access | Switch, wireless access point |
| Authentication Server | Validates credentials and returns access policy | RADIUS server (FreeRADIUS, Cisco ISE, Microsoft NPS) |
```
[Supplicant]           [Authenticator]            [RADIUS Server]
     │                        │                          │
     │── EAP-Start ──────────▶│                          │
     │                        │── Access-Request ───────▶│
     │                        │                          │
     │◀── EAP-Challenge ──────│◀── Access-Challenge ─────│
     │                        │                          │
     │── EAP-Response ───────▶│── Access-Request ───────▶│
     │                        │                          │
     │                        │◀── Access-Accept ────────│
     │◀── Port Opened ────────│                          │
     │                        │                          │
     │    (Network access granted with assigned VLAN)    │
```
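To make the exchange concrete, here is an added Python simulation of the three roles; it is not code from the lesson or from any RADIUS product. The point it demonstrates is the separation of duties: the authenticator is a pure relay that never sees the user's secret, it only forwards the EAP conversation inside RADIUS Access-Request packets, and it opens the port only on an Access-Accept, taking the VLAN from the Tunnel-Private-Group-Id attribute (RFC 3580). The credential store, the HMAC challenge-response that stands in for the inner EAP method, and the VLAN numbers are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store (assumption, not from the lesson): the RADIUS
# server holds each identity's secret and the VLAN policy to return on success.
USERS: Dict[str, dict] = {
    "alice": {"secret": b"correct-horse", "vlan": "10"},
    "printer-01": {"secret": b"staple-battery", "vlan": "20"},
}


@dataclass
class RadiusServer:
    """Authentication server: issues a challenge, validates the response, returns policy."""
    pending: Dict[str, bytes] = field(default_factory=dict)  # identity -> outstanding challenge

    def access_request(self, identity: str, response: Optional[bytes] = None) -> dict:
        if response is None:
            # First Access-Request carries only the identity: answer with Access-Challenge.
            challenge = secrets.token_bytes(16)
            self.pending[identity] = challenge
            return {"code": "Access-Challenge", "challenge": challenge}
        challenge = self.pending.pop(identity, None)
        user = USERS.get(identity)
        if challenge is None or user is None:
            return {"code": "Access-Reject"}
        # HMAC over the challenge stands in for the real EAP inner method (assumption).
        expected = hmac.new(user["secret"], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return {"code": "Access-Reject"}
        return {
            "code": "Access-Accept",
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": user["vlan"],
        }


@dataclass
class Supplicant:
    """The device requesting access; the only party besides the server that knows the secret."""
    identity: str
    secret: bytes

    def eap_response(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class Authenticator:
    """Switch or access point: relays EAP to RADIUS and controls the port state."""
    server: RadiusServer
    port_state: str = "closed"
    vlan: Optional[str] = None
    transcript: List[str] = field(default_factory=list)

    def connect(self, supplicant: Supplicant) -> str:
        self.transcript.append("EAP-Start")
        msg = self.server.access_request(supplicant.identity)  # Access-Request (identity)
        self.transcript.append(msg["code"])
        if msg["code"] == "Access-Challenge":
            # Forward the challenge to the supplicant and its answer back to the server.
            answer = supplicant.eap_response(msg["challenge"])
            self.transcript.append("EAP-Response")
            msg = self.server.access_request(supplicant.identity, answer)
            self.transcript.append(msg["code"])
        if msg["code"] == "Access-Accept":
            self.port_state = "open"
            self.vlan = msg.get("Tunnel-Private-Group-Id")
            self.transcript.append(f"Port Opened (VLAN {self.vlan})")
        else:
            # Anything other than Access-Accept leaves the port closed.
            self.port_state = "closed"
            self.vlan = None
        return self.port_state


if __name__ == "__main__":
    auth = Authenticator(RadiusServer())
    print(auth.connect(Supplicant("alice", b"correct-horse")), auth.transcript)
    auth = Authenticator(RadiusServer())
    print(auth.connect(Supplicant("alice", b"wrong-secret")), auth.transcript)
```

Note that the authenticator stores no credentials at all; compromising the switch yields the transcript but not the secret, which is the property that makes the supplicant / authenticator / server split worthwhile.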
| Method | Description | Security |
|---|---|---|
| EAP-TLS | Certificate-based mutual authentication | Strongest — requires PKI |
| EAP-PEAP | Protected EAP with server certificate and inner authentication | Strong — common in enterprises |
| EAP-TTLS | Tunnelled TLS — similar to PEAP with more flexibility | Strong |
| EAP-FAST | Flexible Authentication via Secure Tunnelling (Cisco) | Strong — no PKI required |
| EAP-MD5 | Simple challenge-response | Weak — do not use |
Posture assessment checks the health of a device before granting full access:
| Check | What It Verifies |
|---|---|
| Antivirus status | Is AV installed, running, and updated? |
| OS patch level | Are critical patches applied? |
| Host firewall | Is the host firewall enabled? |
| Disk encryption | Is full disk encryption active? |
| Domain membership | Is the device joined to the corporate domain? |
| Prohibited software | Are any banned applications installed? |
| Certificate validity | Does the device have a valid machine certificate? |
```
Device connects
      │
      ▼
[Posture Check]
      │
      ├── PASS → Full network access (production VLAN)
      │
      └── FAIL → Quarantine VLAN
                      │
                      ▼
             [Remediation Portal]
                      │
                      ├── Install missing patches
                      ├── Update antivirus
                      ├── Enable firewall
                      │
                      ▼
             [Re-check → PASS → Full access]
```
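The NAC policy engine flow (authentication, profiling, posture, authorisation) and the posture flow above, combined into one added Python example that is not code from the lesson or from any NAC product. It evaluates each posture check from the table, returns Full / Limited / Denied together with the VLAN to push to the port, and walks the quarantine, remediate, re-check loop. The VLAN numbers, the prohibited-software list, the posture attribute names, the headless-device profiles and the sample laptop record are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy constants (assumptions, not from the lesson).
PRODUCTION_VLAN = "10"
QUARANTINE_VLAN = "99"
PROFILE_VLANS = {"printer": "20", "ip-phone": "30"}   # headless devices: profiled, not posture-checked
PROHIBITED_SOFTWARE = {"torrent-client", "unsanctioned-remote-admin"}

# Posture checks from the lesson's table: name -> (predicate over a posture dict, remediation step).
POSTURE_CHECKS: Dict[str, Tuple[Callable[[dict], bool], str]] = {
    "antivirus": (lambda p: bool(p.get("av_running")) and p.get("av_signature_age_days", 999) <= 7,
                  "Update antivirus"),
    "os_patch_level": (lambda p: p.get("missing_critical_patches", 1) == 0,
                       "Install missing patches"),
    "host_firewall": (lambda p: bool(p.get("firewall_enabled")), "Enable firewall"),
    "disk_encryption": (lambda p: bool(p.get("disk_encrypted")), "Enable full disk encryption"),
    "domain_membership": (lambda p: bool(p.get("domain_joined")), "Join the corporate domain"),
    "prohibited_software": (lambda p: not (set(p.get("installed_software", ())) & PROHIBITED_SOFTWARE),
                            "Remove prohibited software"),
    "certificate": (lambda p: bool(p.get("machine_cert_valid")), "Enrol a valid machine certificate"),
}


@dataclass
class Decision:
    access: str                 # "Full", "Limited" or "Denied"
    vlan: Optional[str]         # VLAN pushed to the port; None when denied
    failed_checks: List[str]
    remediation: List[str]      # steps the remediation portal would present


def evaluate(authenticated: bool, device_profile: str, posture: dict) -> Decision:
    """Policy engine: authentication -> profiling -> posture assessment -> authorisation."""
    if not authenticated:
        return Decision("Denied", None, ["authentication"], [])
    if device_profile in PROFILE_VLANS:
        # Profiled headless device: limited access on its own VLAN, no posture agent expected.
        return Decision("Limited", PROFILE_VLANS[device_profile], [], [])
    failed = [name for name, (check, _) in POSTURE_CHECKS.items() if not check(posture)]
    if not failed:
        return Decision("Full", PRODUCTION_VLAN, [], [])
    return Decision("Limited", QUARANTINE_VLAN, failed, [POSTURE_CHECKS[n][1] for n in failed])


def remediate(posture: dict) -> dict:
    """Models what the quarantine portal can fix automatically (patches, AV, firewall).

    Disk encryption, domain join and certificates are left untouched: those need
    an administrator, so a device failing them stays in quarantine after re-check.
    """
    fixed = dict(posture)
    fixed.update(av_running=True, av_signature_age_days=0,
                 missing_critical_patches=0, firewall_enabled=True)
    return fixed


# Constructed sample record: a domain laptop with stale AV, two missing patches and the firewall off.
SAMPLE_LAPTOP = {
    "av_running": True, "av_signature_age_days": 30, "missing_critical_patches": 2,
    "firewall_enabled": False, "disk_encrypted": True, "domain_joined": True,
    "installed_software": ["office-suite"], "machine_cert_valid": True,
}


if __name__ == "__main__":
    first = evaluate(True, "laptop", SAMPLE_LAPTOP)
    print("initial:", first)
    print("after remediation:", evaluate(True, "laptop", remediate(SAMPLE_LAPTOP)))
    print("printer:", evaluate(True, "printer", {}))
```

Ordering matters in `evaluate`: authentication is decided before any posture data is trusted, because posture is self-reported by the device and only worth reading once you know who sent it.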
NAC policies determine the level of access based on authentication and posture results: