---
name: network-access-control
description: Implement and manage Network Access Control (NAC) solutions to enforce authentication, authorization, and policy compliance for devices connecting to the network. Use when deploying NAC solutions, configuring 802.1X authentication, managing guest network access, enforcing device compliance before network admission, segmenting networks by device type, or auditing network access policies. Triggers on phrases like "NAC", "network access control", "802.1X", "port security", "guest network", "device admission", "network segmentation", "MAC authentication", "certificate authentication", "Cisco ISE", "ClearPass", "network policy enforcement", "BYOD network access".
---

# Network Access Control (NAC)

Enforce network admission policies ensuring only authorized, compliant devices connect to the network with appropriate access levels based on identity, device type, and compliance status.

## Workflow

1. Assess current network access posture: inventory all network connection points (wired ports, wireless APs, IoT connections, guest access); identify security gaps and unauthorized access risks.
2. Select NAC solution based on environment: Cisco ISE (enterprise), Aruba ClearPass (multi-vendor), ForeScout (multi-vendor), Juniper Apstra (data center), open-source alternatives (FreeRADIUS + custom policies).
3. Design authentication methods: 802.1X (wired/wireless), certificate-based authentication (EAP-TLS), web authentication (guest/captive portal), and MAB (MAC Authentication Bypass) as the fallback for devices that have no 802.1X supplicant.
4. Define network access policies: role-based access (employee, contractor, guest, IoT, printer, server); VLAN assignment based on identity and device type; ACL enforcement for segment isolation.
5. Implement device profiling: automated device identification (DHCP fingerprint, HTTP user-agent, DNS queries, LLDP/CDP, 802.1X identity); classify devices (laptop, phone, IoT, printer, server); assign appropriate policies.
6. Configure posture validation: check device compliance before granting full access (antivirus installed and updated, OS patched, encryption enabled, no jailbreak/root); quarantine non-compliant devices to remediation VLAN.
7. Deploy guest access framework: captive portal with terms acceptance; time-limited credentials; bandwidth throttling; internet-only access (no internal network); sponsor approval workflow for business guests.
8. Integrate with identity systems: Active Directory, Okta, Azure AD, LDAP, RADIUS servers; SSO integration; certificate management (PKI); automated provisioning/deprovisioning.
9. Monitor and audit: real-time network access dashboard; unauthorized device alerts; policy violation logging; monthly access audit reports; compliance reporting.
10. Conduct quarterly policy review: access policy effectiveness; unused access revocation; device profile accuracy; incident response for network access violations.

## NAC Architecture and Authentication

```
NAC AUTHENTICATION METHODS
=============================

802.1X AUTHENTICATION (Recommended for Managed Devices):

  Protocol: IEEE 802.1X port-based network access control
  Components:
    → Supplicant: Client device software (built into Windows, macOS, Linux, iOS, Android)
    → Authenticator: Network device (switch, wireless AP) enforcing 802.1X
    → Authentication Server: RADIUS server (Cisco ISE, ClearPass, FreeRADIUS)

  EAP Methods:
    → EAP-TLS (Mutual TLS):
       ✓ Highest security (certificate-based, mutual authentication)
       ✓ Both client and server present certificates
       ✓ No passwords to compromise
       ✓ Industry best practice for enterprise networks
       → Client certificate issued per device (or per user+device)
       → Certificate lifecycle management: enrollment, renewal, revocation (CRL/OCSP)

    → PEAP-MSCHAPv2 (Protected EAP):
       ✓ Username/password authentication within TLS tunnel
       ✓ Server certificate validated by client
       ✓ Easier deployment than EAP-TLS (no client certificates)
       ⚠ Server-only authentication (client identity based on password)
       → Widely deployed; good balance of security and usability
       → Certificate required on RADIUS server only

    → EAP-TTLS (Tunneled TLS):
       ✓ Similar to PEAP but more flexible inner authentication methods
       ✓ Supports PAP, CHAP, MS-CHAP, Kerberos within tunnel
       ✓ Good for Linux environments and multi-vendor setups

  Deployment:
    → Wired: 802.1X on all switch ports; fallback to guest VLAN on failure
    → Wireless: WPA2/WPA3-Enterprise with 802.1X
    → New ports: 802.1X enabled by default; disable only with documented exception
    → Link encryption: MACsec (802.1AE) for link-layer encryption post-authentication

MAC AUTHENTICATION BYPASS (MAB — For Non-802.1X Devices):

  Use cases: Printers, IoT devices, IP phones, conference room displays
  Process:
    → Device does not support 802.1X (no supplicant software)
    → Switch detects MAC address on port
    → Switch sends MAC as RADIUS username/password
    → RADIUS server looks up MAC in database
    → Policy: Grant access to appropriate VLAN based on MAC registration

  Security considerations:
    ⚠ MAC address spoofing possible (lower security than 802.1X)
    → Only use for pre-registered, inventoried devices
    → MAC address database maintained by IT (no self-registration)
    → Combine with device profiling for validation
    → Segment MAB devices to restricted VLANs

WEB AUTHENTICATION (Captive Portal — For Guests):

  Use cases: Guest Wi-Fi, contractor temporary access, cafeteria/lobby networks
  Process:
    → Device connects to guest SSID / guest VLAN
    → HTTP request redirected to captive portal
    → User accepts terms of use / enters credentials / sponsor approves
    → RADIUS server grants access with time/bandwidth limits
    → Session terminated on timeout, logout, or policy violation

  Variations:
    → Open portal: Accept terms → access granted (lowest security)
    → Social login: Authenticate via Google/Facebook/LinkedIn
    → Sponsor approval: Employee sponsors guest → IT approves → access granted
    → Voucher-based: Pre-generated vouchers (events, conferences)
    → SSO integration: Guest authenticates via corporate SSO (contractors)

CERTIFICATE-BASED AUTHENTICATION (For IoT and Machine-to-Machine):

  Use cases: IoT devices, servers, network equipment, machine identities
  Process:
    → Each device has unique certificate issued by internal PKI
    → Certificate includes device identity and authorized access profile
    → Device presents certificate during 802.1X or TLS handshake
    → Certificate validated against CA and CRL/OCSP
    → Access granted based on certificate attributes and policy

  PKI Management:
    → Internal certificate authority (Microsoft AD CS, HashiCorp Vault, Venafi)
    → Automated certificate enrollment (EST protocol — Enrollment over Secure Transport)
    → Automated renewal (30-day advance notification; auto-renewal)
    → Revocation management (CRL distribution; OCSP responders)
```
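The MAB flow above (switch sends the MAC as RADIUS username and password, server looks it up, profiling cross-checks it) as an added example that is not part of the original skill page. The inventory, the DHCP vendor-class hints, the VLAN ids and the request dictionary are constructed; the reply uses the RFC 3580 tunnel attributes a RADIUS server returns for dynamic VLAN assignment.

```python
"""Added example (not from the skill page): MAB authorization that checks the
pre-registered MAC inventory, cross-checks it against device-profiling data,
and returns RADIUS VLAN attributes (RFC 3580) or an Access-Reject."""
import re
from typing import Optional

# Constructed sample inventory: MAC -> (registered device class, VLAN id).
# In production this is the IT-maintained MAC registration database.
MAC_INVENTORY = {
    "001a2b3c4d5e": ("printer", 40),
    "00d0c9aabbcc": ("ip-phone", 50),
    "b827eb112233": ("iot", 60),
}

# Constructed mapping from DHCP vendor-class strings to the device class they imply.
DHCP_CLASS_HINTS = {
    "MSFT 5.0": "windows-host",
    "HP LaserJet": "printer",
    "Cisco Systems, Inc. IP Phone": "ip-phone",
    "udhcp": "iot",
}

def normalize_mac(raw: str) -> Optional[str]:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e or bare hex."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return hexonly if len(hexonly) == 12 else None

def vlan_attrs(vlan_id: int) -> dict:
    """RFC 3580 attributes that tell the switch which VLAN to place the port in."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

def authorize_mab(request: dict) -> dict:
    """request mimics the Access-Request a switch sends for MAB: User-Name and
    User-Password both carry the MAC; the profiler adds what it observed
    (here a DHCP vendor class) so the decision can validate the registration."""
    mac = normalize_mac(request.get("User-Name", ""))
    if mac is None or normalize_mac(request.get("User-Password", "")) != mac:
        return {"code": "Access-Reject", "reason": "malformed MAB credentials"}
    entry = MAC_INVENTORY.get(mac)
    if entry is None:
        return {"code": "Access-Reject", "reason": "MAC not registered"}
    expected_class, vlan_id = entry
    observed = DHCP_CLASS_HINTS.get(request.get("DHCP-Vendor-Class", ""), "unknown")
    # A registered printer MAC that now profiles as a Windows host is the classic
    # spoofing signal: deny and let the SOC review rather than admit it.
    if observed not in ("unknown", expected_class):
        return {"code": "Access-Reject",
                "reason": f"profile mismatch: registered {expected_class}, observed {observed}"}
    return {"code": "Access-Accept", **vlan_attrs(vlan_id)}
```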

## Network Access Policies

```
NETWORK ACCESS POLICY MATRIX
==============================

EMPLOYEE DEVICES (Corporate-Owned):

  Authentication: 802.1X EAP-TLS (device certificate) or PEAP-MSCHAPv2 (user credentials)
  VLAN Assignment: Corporate VLAN (full internal network access)
  Access Level:
    → Internet: Full access (with web filtering for acceptable use)
    → Internal applications: Full access (ERP, CRM, email, file shares)
    → Management networks: Restricted (only IT team devices via ACL)
    → Wireless: Corporate SSID with WPA2/WPA3-Enterprise
  Posture Requirements:
    → Antivirus/EDR: Installed and updated (last check-in < 24 hours)
    → OS patches: Current within 30 days of latest release
    → Encryption: Full disk encryption enabled
    → Firewall: Enabled and configured per baseline
    → Result: Full access if compliant; quarantine VLAN if non-compliant

EMPLOYEE DEVICES (BYOD):

  Authentication: 802.1X PEAP-MSCHAPv2 (user credentials) or separate BYOD SSID
  VLAN Assignment: BYOD VLAN (segmented from corporate VLAN)
  Access Level:
    → Internet: Full access (with web filtering)
    → Internal applications: Web-based applications only (no file shares, no management)
    → Management networks: No access
    → Wireless: BYOD SSID with WPA2/WPA3-Enterprise
  Posture Requirements:
    → MDM enrolled: Device managed by MDM solution (Jamf, Intune, Workspace ONE)
    → Passcode: Required (enforced by MDM)
    → Encryption: Required (enforced by MDM)
    → Jailbreak/root: Not allowed (device blocked if detected)
  Segmentation: Micro-segmentation from corporate VLAN (ACLs restrict lateral movement)

CONTRACTOR DEVICES:

  Authentication: Web authentication (sponsor approval) or temporary 802.1X credentials
  VLAN Assignment: Contractor VLAN (highly restricted)
  Access Level:
    → Internet: Full access (with web filtering)
    → Internal applications: Specific applications only (defined by sponsor)
    → Management networks: No access
    → Wireless: Contractor SSID
  Duration: Time-limited (expires on contract end date)
  Monitoring: Enhanced logging and monitoring on contractor VLAN
  Offboarding: Access revoked immediately upon contract termination (automated via HR system)

GUEST ACCESS:

  Authentication: Web captive portal (terms acceptance + email)
  VLAN Assignment: Guest VLAN (completely isolated)
  Access Level:
    → Internet: Full access (with web filtering: no adult content, no malware sites)
    → Internal network: NO access (complete isolation via firewall rules)
    → Guest-to-guest: Isolated (AP client isolation enabled; guests cannot see each other)
  Duration: Time-limited sessions (8 hours default; extendable)
  Bandwidth: Throttled (e.g., 10 Mbps download, 5 Mbps upload per device)
  Terms: Acceptable use policy; no internal network access; no illegal activity

IoT DEVICES:

  Authentication: MAB (MAC Authentication Bypass) with pre-registered MAC address
  VLAN Assignment: IoT VLAN (isolated from all other VLANs)
  Access Level:
    → Internet: Specific destinations only (cloud services required by device)
    → Internal network: Specific servers only (defined by device requirements)
    → Management networks: No access
    → Device-to-device: Restricted (only communicate with required services)
  Segmentation: Strict micro-segmentation (ACLs allow only required traffic flows)
  Monitoring: Enhanced monitoring for anomalous behavior (IoT devices often targeted)

PRINTERS AND PERIPHERALS:

  Authentication: MAB with pre-registered MAC address
  VLAN Assignment: Printer VLAN (isolated)
  Access Level:
    → Print services: Access from corporate and BYOD VLANs (ACL permits)
    → Internet: No access (printers should not access internet)
    → Management: Access from IT management VLAN only (for firmware updates)

SERVERS:

  Authentication: 802.1X EAP-TLS (server certificate) or port security (static MAC binding)
  VLAN Assignment: Server VLAN (isolated with specific ACLs)
  Access Level:
    → Application traffic: Defined by service requirements (ACL-based)
    → Management: Access from IT management VLAN only (SSH, RDP, SNMP)
    → Internet: Egress only for updates (if required); no inbound from internet
  Monitoring: Full port mirroring to IDS/IPS; enhanced logging

IoT / MEDICAL DEVICES / OT EQUIPMENT:

  Authentication: MAB with documented, approved MAC address
  VLAN Assignment: Dedicated OT/Medical VLAN (air-gapped from corporate where possible)
  Access Level:
    → Strictly defined by device requirements (minimal necessary access)
    → No internet access unless specifically required (and approved)
    → No lateral movement to other network segments
  Special considerations:
    → NAC agent installation may not be possible (no OS, proprietary firmware)
    → Physical port security (lock down unused ports)
    → Network segmentation as primary control (defense in depth)
```
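The policy matrix above expressed as a decision function, added here as an example rather than taken from the skill page or any vendor product. It assumes constructed VLAN ids and ISO-format dates; the posture fields, the quarantine-versus-reject behaviour and the 8-hour guest session follow the matrix, and the reply uses RFC 3580 VLAN attributes plus the standard Session-Timeout attribute.

```python
"""Added example (not from the skill page): the NAC policy matrix as code.
Input: role established by authentication, the method used, posture facts and
(for contractors) the contract end date. Output: the RADIUS reply."""
from datetime import date
from typing import Optional

VLANS = {"corporate": 10, "byod": 20, "contractor": 30, "guest": 90, "quarantine": 99}
ALLOWED_AUTH = {"employee-corporate": {"EAP-TLS", "PEAP-MSCHAPv2"},
                "employee-byod": {"PEAP-MSCHAPv2"},
                "contractor": {"WebAuth-Sponsored", "PEAP-MSCHAPv2"},
                "guest": {"WebAuth"}}
GUEST_SESSION_SECONDS = 8 * 3600  # matrix: 8-hour default guest session

def _accept(vlan_id: int, reason: str, **extra) -> dict:
    return {"code": "Access-Accept", "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id), "reason": reason, **extra}

def _reject(reason: str) -> dict:
    return {"code": "Access-Reject", "reason": reason}

def corporate_posture_failure(p: dict) -> Optional[str]:
    """Corporate-owned requirements; None means compliant. Missing facts fail closed."""
    if p.get("edr_checkin_hours", 1e9) >= 24:
        return "EDR check-in older than 24h"
    if p.get("patch_lag_days", 1e9) > 30:
        return "OS patches older than 30 days"
    if not p.get("disk_encrypted"):
        return "full disk encryption disabled"
    if not p.get("firewall_enabled"):
        return "host firewall disabled"
    return None

def byod_posture_failure(p: dict) -> Optional[str]:
    """BYOD requirements enforced through MDM; None means compliant."""
    if p.get("jailbroken"):
        return "jailbroken/rooted device"
    if not p.get("mdm_enrolled"):
        return "not MDM enrolled"
    if not (p.get("passcode_set") and p.get("disk_encrypted")):
        return "MDM passcode/encryption policy not met"
    return None

def decide(role: str, auth_method: str, posture: dict,
           contract_end: Optional[str] = None, today: Optional[str] = None) -> dict:
    if auth_method not in ALLOWED_AUTH.get(role, set()):
        return _reject(f"{auth_method} not permitted for role {role}")
    if role == "employee-corporate":
        failed = corporate_posture_failure(posture)
        # Non-compliant corporate devices go to the remediation VLAN, not a reject.
        return _accept(VLANS["quarantine"], failed) if failed else _accept(VLANS["corporate"], "compliant")
    if role == "employee-byod":
        failed = byod_posture_failure(posture)  # matrix: BYOD failures block the device
        return _reject(failed) if failed else _accept(VLANS["byod"], "compliant")
    if role == "contractor":
        now = date.fromisoformat(today) if today else date.today()
        if contract_end is None or now > date.fromisoformat(contract_end):
            return _reject("contract expired or no end date on record")
        return _accept(VLANS["contractor"], "sponsored, within contract")
    return _accept(VLANS["guest"], "terms accepted", **{"Session-Timeout": GUEST_SESSION_SECONDS})
```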

## NAC Vendor Solutions

```
NAC VENDOR COMPARISON
========================

CISCO ISE (Identity Services Engine):

  Capabilities:
    → 802.1X, MAB, web authentication
    → Advanced device profiling (50+ profiling probes)
    → Posture validation (agent-based and agentless)
    → Guest portal (self-register, sponsor-approved, certificate-based)
    → Policy management (visual policy builder)
    → Monitoring and troubleshooting (live alerts, session details)
    → PXE support (network boot for imaging)
    → SXP (Security Group Tag exchange for micro-segmentation)

  Integrations: Cisco switches, wireless controllers, firewall (ISE integrates with Cisco ecosystem); Active Directory, LDAP, Okta, Azure AD; SIEM (Splunk, QRadar)
  Pricing: $15,000-$50,000+ per policy service node + per-device licensing ($3-$8/device/year)
  Best for: Cisco-heavy environments; enterprise-scale deployments; organizations wanting integrated Cisco security ecosystem

ARUBA CLEARPASS:

  Capabilities:
    → 802.1X, MAB, web authentication
    → Device insight (profiling with ML-enhanced classification)
    → Health policies (posture validation)
    → Guest management (multiple portal types)
    → Policy manager (visual policy builder)
    → Multi-tenant support (service provider deployments)
    → Open API for integrations

  Integrations: Multi-vendor (Aruba, Cisco, Juniper, Panasonic, Ruckus); Active Directory, LDAP, Okta, Azure AD, Salesforce; SIEM integrations
  Pricing: $15,000-$40,000 per enforcer + per-device licensing ($2-$6/device/year)
  Best for: Multi-vendor network environments; organizations wanting vendor-neutral NAC; service provider deployments

FORESCOUT COUNTERACT:

  Capabilities:
    → Multi-vendor NAC (strongest multi-vendor support)
    → Device profiling and fingerprinting
    → Policy enforcement across wired, wireless, VPN
    → Asset management and vulnerability correlation
    → Compliance monitoring (PCI-DSS, HIPAA, SOX)
    → Bot detection and IoT security
    → Network segmentation

  Integrations: 400+ network device types; Active Directory, LDAP, Okta; vulnerability scanners (Qualys, Tenable); SIEM platforms
  Pricing: Custom pricing (contact vendor); typically $20,000-$60,000+ based on environment
  Best for: Highly heterogeneous network environments; regulated industries requiring compliance reporting; organizations with diverse IoT/OT devices

FREERADIUS (Open-Source):

  Capabilities:
    → 802.1X authentication (RADIUS protocol)
    → Custom policy implementation (Lua scripting)
    → Database-backed user management (MySQL, PostgreSQL)
    → Accounting and logging
    → CoA (Change of Authorization) for dynamic policy changes

  Integrations: Any RADIUS-compatible network device; Active Directory (via ntlm_auth); LDAP; custom integrations via API
  Pricing: Free (open-source); cost is implementation and maintenance labor
  Best for: Budget-conscious organizations; simple NAC requirements; teams with strong Linux/RADIUS expertise; proof-of-concept deployments

VENDOR SELECTION CRITERIA:
    → Network vendor diversity (multi-vendor support if not single-vendor shop)
    → Device profiling accuracy
    → Posture validation capabilities
    → Guest management features
    → Integration with existing identity systems
    → Scalability (number of endpoints, concurrent sessions)
    → Support and professional services availability
    → Total cost of ownership (licensing + infrastructure + labor)
```

## Integration Points

- **Cisco ISE**: Policy-based NAC; device profiling; posture validation; guest portal; integrates with Cisco switches/WLC/firewalls; Active Directory, LDAP, Okta; SIEM forwarding; $15K+/node + per-device licensing
- **Aruba ClearPass**: Multi-vendor NAC; device insight; health policies; guest management; OpenAPI integrations; Active Directory, Azure AD, Okta; $15K+/enforcer + per-device
- **ForeScout CounterAct**: Multi-vendor NAC leader; bot detection; IoT security; compliance reporting; 400+ device integrations; vulnerability scanner integration
- **FreeRADIUS**: Open-source RADIUS server; customizable policies; MySQL/PostgreSQL backend; Linux expertise required; free
- **Active Directory / Azure AD**: Identity source for user authentication; group membership for policy assignment; automated deprovisioning
- **Okta / OneLogin**: SSO integration for web authentication; SCIM provisioning for device/user lifecycle
- **Cisco DNA Center / Aruba Central**: Network automation platforms that integrate with NAC for automated policy enforcement and provisioning
- **SIEM (Splunk, QRadar, Sentinel)**: NAC event forwarding for security monitoring; correlation with other security events; compliance reporting

## Edge Cases

- **Legacy devices without 802.1X support**: Old printers, medical equipment, industrial controllers — use MAB with strict MAC registration and segmentation; physical port security as backup; plan replacement timeline
- **High-density environments (stadiums, convention centers)**: Thousands of concurrent connections; NAC must scale; solution: distributed RADIUS servers; connection load balancing; simplified policies for event networks; temporary guest access with bulk provisioning
- **Healthcare networks with medical devices**: HIPAA compliance; medical devices may not support standard authentication; solution: dedicated medical device VLAN; MAB with strict MAC control; network segmentation from corporate; no NAC agent installation on medical devices
- **Campus environments with dormitory wired access**: Each dorm room has network port; risk of unauthorized access; solution: 802.1X on all access ports; room registration system tied to student housing; automatic provisioning based on enrollment; periodic access audit
- **Branch office NAC**: Limited local IT staff; centralized management required; solution: cloud-managed NAC (ClearPass MF, ISE with cloud connectivity); template-based policies pushed from HQ; local RADIUS proxy to central server
- **IoT explosion (10,000+ IoT devices)**: Traditional NAC profiling may miss unknown IoT devices; solution: machine learning-based device profiling; IoT-specific segmentation; behavioral monitoring for IoT anomalies; automated onboarding workflow for approved IoT devices
- **Roaming users (multi-site, international offices)**: Consistent NAC policies across all locations; solution: centralized RADIUS with local failover; synchronized user/device database; consistent policy templates; site-specific overrides where needed (local regulations)
