N10-009 | Chapter 4 of 163 | Objective 4.2

Network Access Control (NAC)

Network Access Control (NAC) is a critical security technology that enforces policies for devices attempting to connect to a network, ensuring only authorized and compliant endpoints gain access. This chapter covers NAC architectures, components, deployment modes, and integration with 802.1X, RADIUS, and EAP, which are core topics for CompTIA Network+ N10-009 Objective 4.2 (Network Security). Expect 2-3 exam questions on NAC, focusing on its purpose, authentication flow, and policy enforcement mechanisms.

25 min read
Intermediate
Updated May 31, 2026

NAC as Airport Security Checkpoint

Network Access Control (NAC) operates like an airport security checkpoint for your network. Every passenger (device) must present valid identification (credentials) and pass through a scanner (posture assessment) before reaching the gate (network access). The security officer (NAC policy server) checks the passenger's ticket (device certificate or user credentials) against the manifest (policy database). If the passenger matches, they proceed to the secure area (trusted VLAN). If not, they are directed to a separate screening area (quarantine VLAN) for additional checks. The checkpoint also scans for prohibited items (antivirus status, patch levels, firewall enabled) before granting access to the boarding area. Once cleared, the passenger can board any flight (access network resources). The system continuously monitors passengers as they move through the terminal (post-admission enforcement) and can revoke access if a passenger is found carrying a weapon (malware detected). Just as airport security uses multiple layers (ID check, bag scan, body scan, random checks), NAC uses multiple enforcement points (802.1X, captive portal, DHCP snooping, ARP inspection) to ensure only compliant devices access the network.

How It Actually Works

What is Network Access Control (NAC)?

Network Access Control (NAC) is a security framework that restricts unauthorized or non-compliant devices from accessing a network. It evaluates each device's identity and security posture before granting access, and can dynamically assign the device to a specific VLAN or apply access control lists (ACLs) based on policy. NAC is defined by standards such as IEEE 802.1X for port-based authentication and RFC 3580 for RADIUS accounting.

Why NAC Exists

Traditional network security relies on perimeter defenses, but once inside, devices often have unrestricted lateral movement. NAC addresses this by authenticating and authorizing every device at the point of connection (wired switch port, wireless SSID, VPN tunnel). It solves problems like rogue devices, unpatched systems, and guest access control. For example, a hospital uses NAC to ensure that only IT-managed, antivirus-updated devices can access the patient records VLAN.

How NAC Works: The Authentication Flow

NAC typically uses the 802.1X standard, which involves three main components: the supplicant (client device), the authenticator (switch or access point), and the authentication server (RADIUS server). The flow is:

1. Initiation: The client connects to a switch port. The switch detects link up and sends an EAP-Request/Identity frame.
2. Response: The client (supplicant) responds with EAP-Response/Identity, which the switch encapsulates in a RADIUS Access-Request packet and forwards to the RADIUS server.
3. Authentication: The RADIUS server challenges the client using an EAP method (e.g., PEAP, EAP-TLS, EAP-FAST). The client and server exchange EAP messages through the switch (which acts as a pass-through).
4. Authorization: Upon successful authentication, the RADIUS server sends a RADIUS Access-Accept packet that includes attributes such as VLAN assignment (e.g., Tunnel-Private-Group-ID = '10') or downloadable ACL (dACL).
5. Enforcement: The switch applies the specified VLAN or ACL, and the port transitions from unauthorized to authorized state.
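The five steps above, played out between the three 802.1X roles as an added example (this code is not from the CompTIA page or any vendor product). The class names Supplicant, Authenticator and AuthenticationServer, the sample user "nurse01" and the VLAN policy are constructed for the example; the PEAP exchange, which in reality is several round trips inside a TLS tunnel, is collapsed to one challenge/response so the message sequence stays visible.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class EapMessage:
    """One EAP message; on the wire it rides in EAPOL (client side) or RADIUS (server side)."""
    kind: str          # Request/Identity, Response/Identity, Request/PEAP, Response/PEAP, Success, Failure
    payload: str = ""


@dataclass
class RadiusMessage:
    """One RADIUS packet between authenticator and authentication server."""
    code: str          # Access-Request, Access-Challenge, Access-Accept, Access-Reject
    eap: Optional[EapMessage] = None
    attributes: Dict[str, str] = field(default_factory=dict)


class AuthenticationServer:
    """RADIUS/policy server: the only role that sees credentials and policy."""

    def __init__(self, users: Dict[str, str], vlan_policy: Dict[str, str]):
        self.users = users              # identity -> password (constructed sample data)
        self.vlan_policy = vlan_policy  # identity -> VLAN to assign on success

    def handle(self, request: RadiusMessage) -> RadiusMessage:
        eap = request.eap
        if eap.kind == "Response/Identity":
            # Step 3: challenge the client with an EAP method (one PEAP round trip stands in here)
            return RadiusMessage("Access-Challenge", EapMessage("Request/PEAP", eap.payload))
        if eap.kind == "Response/PEAP":
            identity, password = eap.payload.split(":", 1)
            if self.users.get(identity) == password:
                # Step 4: Access-Accept carries the authorization result as attributes
                attrs = {
                    "Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": self.vlan_policy[identity],
                }
                return RadiusMessage("Access-Accept", EapMessage("Success"), attrs)
            return RadiusMessage("Access-Reject", EapMessage("Failure"))
        raise ValueError(f"unexpected EAP message: {eap.kind}")


class Supplicant:
    """Client-side 802.1X software (wpa_supplicant, Wired AutoConfig); answers EAP requests."""

    def __init__(self, identity: str, password: str):
        self.identity = identity
        self.password = password

    def respond(self, request: EapMessage) -> EapMessage:
        if request.kind == "Request/Identity":
            return EapMessage("Response/Identity", self.identity)          # step 2
        if request.kind == "Request/PEAP":
            return EapMessage("Response/PEAP", f"{self.identity}:{self.password}")
        raise ValueError(f"unsupported EAP request: {request.kind}")


class Authenticator:
    """Switch port: relays EAP between supplicant and server, then enforces the result."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_state = "unauthorized"   # only EAPOL passes in this state
        self.vlan: Optional[int] = None
        self.log = []                      # message sequence, for inspection

    def authenticate(self, supplicant: Supplicant) -> Tuple[str, Optional[int]]:
        eap = EapMessage("Request/Identity")                 # step 1: link up
        while True:
            response = supplicant.respond(eap)
            self.log.append(response.kind)
            # Encapsulate the EAP response in a RADIUS Access-Request and forward it.
            # The switch never interprets the credential inside; it is a pass-through.
            reply = self.server.handle(RadiusMessage("Access-Request", response))
            self.log.append(reply.code)
            if reply.code == "Access-Challenge":
                eap = reply.eap                              # unwrap and relay to the client
                continue
            if reply.code == "Access-Accept":
                # Step 5: enforce the server's decision on the port
                self.port_state = "authorized"
                self.vlan = int(reply.attributes["Tunnel-Private-Group-ID"])
            else:
                self.port_state = "unauthorized"             # a real switch would now try MAB or a guest VLAN
                self.vlan = None
            return self.port_state, self.vlan


if __name__ == "__main__":
    server = AuthenticationServer({"nurse01": "s3cret"}, {"nurse01": "10"})
    port = Authenticator(server)
    print(port.authenticate(Supplicant("nurse01", "s3cret")))   # ('authorized', 10)
    print(port.log)
```

The point to notice is where each role's knowledge stops: the Authenticator only ever sees EAP message kinds and RADIUS codes, which is why the exam's "the authenticator validates credentials" option is wrong, and why the port stays unauthorized until an Access-Accept arrives.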

Key Components

Supplicant: Software on the client that responds to 802.1X requests. Common supplicants include Windows Wired AutoConfig, macOS 802.1X client, and open-source wpa_supplicant.

Authenticator: Network device (switch, wireless controller, VPN concentrator) that enforces access control. It bridges EAP messages between supplicant and RADIUS server.

Authentication Server: RADIUS server (e.g., Cisco ISE, FreeRADIUS, Microsoft NPS) that validates credentials and returns authorization attributes.

Policy Server: Often integrated with the RADIUS server, it defines conditions (user group, device type, OS version, antivirus status) and actions (allow, deny, quarantine, VLAN assignment).

Posture Assessment: Checks client health (antivirus version, patch level, firewall enabled) before granting full access. This can be done via client agents or via passive scanning.

Deployment Modes

Inline NAC: The NAC appliance sits inline between the client and the network, inspecting all traffic. It can block or redirect traffic based on policy. Example: Cisco TrustSec with Security Group Tags (SGT).

Out-of-Band NAC: The NAC appliance is not in the data path; it communicates with switches via SNMP, RADIUS Change of Authorization (CoA), or 802.1X to dynamically reconfigure ports. Example: Cisco ISE with switch integration.

Agent-based: A software agent on the client performs posture checks and reports to the NAC server. Example: Symantec Network Access Control.

Agentless: The NAC server uses network scans (e.g., Nmap) or Active Directory queries to assess devices without client software. Example: Forescout CounterACT.

Key Defaults and Timers

- 802.1X Port Timers: The switch maintains several timers:
  - quiet-period: Default 60 seconds; time the switch waits after a failed authentication before reattempting.
  - tx-period: Default 30 seconds; interval between EAP-Request/Identity retransmissions.
  - supplicant-timeout: Default 30 seconds; time the switch waits for a response from the supplicant.
  - server-timeout: Default 30 seconds; time the switch waits for a response from the RADIUS server.
- RADIUS Default Ports: Authentication port 1812 (UDP), Accounting port 1813 (UDP). Older devices may use ports 1645 and 1646.
- RADIUS Timeout: Default 5 seconds; time the NAS waits for a response before retransmitting.
- MAB (MAC Authentication Bypass): For devices without 802.1X capability (printers, IoT), the switch uses the client's MAC address as the credential. The RADIUS server checks the MAC against a list of authorized MACs.
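How tx-period and MAB fit together, as an added example (not code from the page): the first function computes when a silent, non-802.1X client (a printer, say) finally gets a MAB attempt, which is what shortening tx-period in the switch configuration is for; the second part is the server-side MAB check, written to normalise MAC formats because switches and inventories write the same address in different notations. The retry count of two after the initial request (so MAB begins after three times tx-period) is this example's assumption about the switch, and the names and sample MACs are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple


def dot1x_request_schedule(tx_period: int = 30, max_reauth_req: int = 2) -> Tuple[List[int], int]:
    """Seconds after link-up at which the switch (re)sends EAP-Request/Identity, and the
    second at which it stops waiting for a supplicant and falls back to MAB.
    Assumes one initial request plus max_reauth_req retransmissions, tx_period apart
    (the default of 2 retransmissions is an assumption of this example)."""
    requests = [n * tx_period for n in range(max_reauth_req + 1)]
    fallback_at = (max_reauth_req + 1) * tx_period
    return requests, fallback_at


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex-digit lowercase form. Accepts 00:11:22:33:44:55,
    00-11-22-33-44-55, 0011.2233.4455 and 001122334455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


class MabAuthorizer:
    """Server-side MAB decision: the MAC address is the whole credential, so the
    returned VLAN should be a restricted one (printer/IoT segment), never a user VLAN."""

    def __init__(self, authorized: Dict[str, str]):
        # authorized: MAC (any notation) -> VLAN to assign; constructed sample data
        self.allowed = {normalize_mac(m): vlan for m, vlan in authorized.items()}

    def authorize(self, mac: str) -> Optional[str]:
        """VLAN for a known MAC, or None (Access-Reject) for unknown or malformed input."""
        try:
            return self.allowed.get(normalize_mac(mac))
        except ValueError:
            return None


if __name__ == "__main__":
    print(dot1x_request_schedule())      # ([0, 30, 60], 90): defaults, MAB after 90 s
    print(dot1x_request_schedule(10))    # ([0, 10, 20], 30): tx-period 10 as in the config below
    printers = MabAuthorizer({"00:11:22:33:44:55": "20"})
    print(printers.authorize("0011.2233.4455"))   # '20' (Cisco dotted notation matches)
    print(printers.authorize("AA-BB-CC-DD-EE-FF"))  # None
```

Because a MAB credential can be copied from any packet the device sends, the VLAN returned for a MAB match is exactly the place to keep access narrow; the 802.1X path, which requires a password or certificate, is where broader VLANs belong.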

Configuration and Verification Commands

On a Cisco switch, 802.1X configuration includes:

! Global AAA and RADIUS configuration (global commands, not interface sub-commands)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.1.10 key mykey
dot1x system-auth-control
!
! Per-port 802.1X configuration
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10

Verification commands:

- show authentication sessions – displays active 802.1X sessions.
- show dot1x all – shows 802.1X status per interface.
- show radius server statistics – shows RADIUS transaction stats.
- debug dot1x events – real-time debug of 802.1X process.

Interaction with Related Technologies

DHCP Snooping: NAC can assign VLANs based on client identity. For example, a guest device receives a VLAN with DHCP snooping enabled to prevent rogue DHCP servers.

Dynamic ARP Inspection (DAI): Used in guest VLANs to prevent ARP spoofing.

Port Security: Often used as a fallback if NAC fails; limits the number of MAC addresses per port.

ACLs: NAC can push downloadable ACLs (dACLs) to the switch via RADIUS to restrict traffic per device.

VPN: NAC can assess posture before allowing VPN access, using RADIUS CoA to change ACLs post-connection.

Post-Admission Control

After initial access, NAC can continuously monitor device behavior. If a device becomes infected (e.g., antivirus stops updating), the NAC server can issue a RADIUS CoA to quarantine the device by changing its VLAN or applying a restrictive ACL. This is known as remediation.

Walk-Through

1. Client Connects to Port

When a client device plugs into an 802.1X-enabled switch port or associates with an 802.1X-enabled wireless SSID, the switch detects link up (or the AP detects association). The switch port is initially placed in an unauthorized state, blocking all traffic except EAPOL (EAP over LAN) frames. The switch sends an EAP-Request/Identity frame to the client to begin authentication. If the client does not support 802.1X, the switch will retransmit the request according to the tx-period timer (default 30 seconds) before falling back to an alternative method like MAB.

2. Supplicant Sends Identity

The client's supplicant software (e.g., Windows Wired AutoConfig) receives the EAP-Request/Identity and responds with an EAP-Response/Identity frame containing the client's identity (typically a username or machine name). The switch receives this frame and encapsulates it into a RADIUS Access-Request packet, forwarding it to the configured RADIUS server. The switch acts solely as a pass-through; it does not interpret the EAP messages beyond the identity.

3. RADIUS Server Challenges Client

The RADIUS server receives the Access-Request and responds with an Access-Challenge packet containing an EAP-Request for a specific EAP method (e.g., PEAP requests a TLS tunnel). The switch forwards this challenge to the client as an EAP-Request frame. The client and server then exchange multiple EAP messages to establish authentication. For example, in PEAP, they first establish a TLS tunnel, then the server sends an inner EAP request (e.g., MS-CHAPv2) for user credentials.

4. Authentication Decision

After successful EAP exchange, the RADIUS server sends an Access-Accept packet to the switch. This packet includes authorization attributes such as VLAN ID (via Tunnel-Private-Group-ID), downloadable ACL name, or session timeout. If authentication fails, the server sends an Access-Reject, and the switch keeps the port in unauthorized state. The switch may then attempt MAB or place the port in a guest VLAN.

5. Switch Enforces Policy

Upon receiving Access-Accept, the switch transitions the port to authorized state. It applies the VLAN assignment or ACL as specified. The client can now send normal traffic. The switch also starts an accounting session, sending RADIUS Accounting-Start packets to the server. The switch continues to monitor the session; if the client disconnects or if the RADIUS server sends a CoA (Change of Authorization) to change policy, the switch updates the port state accordingly.
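What the Access-Accept of step 4 and the CoA of the Post-Admission Control section look like on the wire, as an added example (this is not code from the page or from any RADIUS product). It uses only the Python standard library to encode RADIUS packets in the RFC 2865 format and to compute and verify the authenticator fields: the Response Authenticator of an Access-Accept is MD5 over the header, the Request Authenticator of the matching Access-Request, the attributes and the shared secret (RFC 2865), and a CoA-Request uses the same construction with sixteen zero bytes in place of the Request Authenticator (RFC 5176). A switch that holds a different shared secret than the server rejects every reply, which is the "misconfigured RADIUS shared secrets" failure from the hospital scenario. The secret, identifiers, session ID and VLANs are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# Packet codes (RFC 2865, RFC 5176)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used below (RFC 2865, RFC 2866, RFC 2868)
USER_NAME, ACCT_SESSION_ID = 1, 44
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows

Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> List[Attr]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _authenticator(code: int, ident: int, seed: bytes, body: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + seed + Attributes + Secret); the seed is the
    Request Authenticator for responses and 16 zero bytes for CoA/Disconnect requests."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + seed + body + secret).digest()


def build_access_request(ident: int, attrs: List[Attr]) -> bytes:
    body = encode_attrs(attrs)
    request_auth = os.urandom(16)   # Access-Request carries a random Request Authenticator
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, ident: int, request_auth: bytes, attrs: List[Attr], secret: bytes) -> bytes:
    """Access-Accept/Reject/Challenge with a Response Authenticator bound to the request."""
    body = encode_attrs(attrs)
    auth = _authenticator(code, ident, request_auth, body, secret)
    return HEADER.pack(code, ident, 20 + len(body)) + auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch does before trusting a reply: recompute and compare in constant time."""
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = _authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_request(ident: int, attrs: List[Attr], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    auth = _authenticator(COA_REQUEST, ident, bytes(16), body, secret)
    return HEADER.pack(COA_REQUEST, ident, 20 + len(body)) + auth + body


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the switch does before acting on a CoA-Request; failure means CoA-NAK or discard."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = _authenticator(code, ident, bytes(16), packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def vlan_from_packet(packet: bytes) -> Optional[str]:
    """Tunnel-Private-Group-ID, minus the optional leading tag byte (RFC 2868)."""
    for atype, value in decode_attrs(packet[20:]):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                value = value[1:]
            return value.decode()
    return None


if __name__ == "__main__":
    secret = b"mykey"                              # constructed; matches the sample config's key
    req = build_access_request(7, [(USER_NAME, b"nurse01")])
    accept = build_response(ACCESS_ACCEPT, 7, req[4:20],
                            [(TUNNEL_TYPE, b"\x01\x00\x00\x0d"),          # tag 1, VLAN (13)
                             (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),   # tag 1, IEEE-802 (6)
                             (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")], secret)
    print(verify_response(accept, req[4:20], secret), vlan_from_packet(accept))   # True 10
    print(verify_response(accept, req[4:20], b"wrongkey"))                         # False
    coa = build_coa_request(9, [(ACCT_SESSION_ID, b"0000001A"),
                                (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"999")], secret)
    print(verify_coa_request(coa, secret), vlan_from_packet(coa))                  # True 999
```

Two things are worth seeing in the output: a reply that fails verification is indistinguishable, from the switch's side, from a server that never answered, so a shared-secret mismatch shows up as timeouts and "server dead-time" counters in `show radius server statistics` rather than as an explicit error; and a CoA-Request is only as trustworthy as that same secret, so the CoA port on the switch should accept requests from the configured RADIUS servers only.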

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare HIPAA Compliance

A large hospital network deploys NAC to ensure that only managed, antivirus-updated devices can access the Electronic Health Records (EHR) system. They use Cisco ISE as the NAC policy server with 802.1X on all wired switch ports. Each nurse's workstation runs a Cisco AnyConnect NAC agent that reports antivirus status and OS patch level. If a workstation's antivirus definitions are out of date, ISE places the port in a quarantine VLAN with restricted access to a remediation server. After remediation, the client reauthenticates and gains full access. The system handles over 10,000 endpoints. Common issues: agent compatibility with legacy Windows XP machines required MAB fallback; misconfigured RADIUS shared secrets caused authentication failures during a network migration.

Enterprise Scenario 2: University Guest and BYOD Access

A university uses NAC to separate student, faculty, and guest traffic. They deploy an out-of-band NAC solution (Forescout) that integrates with existing switches via SNMP and RADIUS. Students authenticate via 802.1X with their university credentials, while guests use a captive portal that requires acceptance of an acceptable use policy. The NAC dynamically assigns VLANs: faculty get access to research servers, students get internet-only access, and guests are restricted to a guest VLAN with bandwidth limits. The system scales to 20,000 concurrent users during peak hours. Performance consideration: the NAC server must handle high RADIUS transaction rates; they use load-balanced RADIUS servers. Misconfiguration: a missing SNMP community string caused the NAC to lose visibility of switch ports, leading to unauthorized devices gaining access for several hours.

Enterprise Scenario 3: Corporate Zero Trust

A financial services firm implements a zero-trust network architecture using NAC as a key component. They use 802.1X with EAP-TLS (certificate-based authentication) for all corporate laptops. The NAC server (Aruba ClearPass) issues certificates via SCEP. When a laptop connects, it presents its certificate; ClearPass validates it against Active Directory and also checks posture (firewall enabled, disk encryption active). If compliant, the laptop is placed in the corporate VLAN with access to internal apps. If not, it goes to a remediation VLAN. The firm also uses RADIUS CoA to dynamically quarantine a device if its posture changes (e.g., antivirus disabled). They handle 5,000 devices. Common pitfall: certificate expiration caused mass authentication failures; they implemented automated certificate renewal via Group Policy.

How N10-009 Actually Tests This

N10-009 Objective 4.2: Network Access Control

This objective expects you to understand the purpose of NAC, the 802.1X authentication process, and the roles of supplicant, authenticator, and authentication server. You should be able to differentiate between inline and out-of-band NAC, and know common deployment scenarios.

Common Wrong Answers

1. 'NAC uses TACACS+ for authentication' – TACACS+ is used for device administration (AAA for CLI access), not for network access. NAC uses RADIUS (or Diameter in some cases). Candidates confuse AAA protocols.

2. 'The authenticator is the RADIUS server' – The authenticator is the switch or AP, not the RADIUS server. The RADIUS server is the authentication server.

3. '802.1X uses EAP-TLS as the only EAP method' – While EAP-TLS is common, the exam tests that 802.1X supports multiple EAP methods (PEAP, EAP-FAST, EAP-MD5). EAP-TLS requires certificates on both sides.

4. 'NAC only works with wired networks' – NAC works with wired (802.1X), wireless (802.1X), and VPN connections.

Specific Numbers and Terms

Port numbers: RADIUS authentication UDP 1812, accounting UDP 1813 (older: 1645/1646).

Default timer: tx-period = 30 seconds, quiet-period = 60 seconds.

Terms: EAPOL (EAP over LAN), MAB (MAC Authentication Bypass), CoA (Change of Authorization), dACL (downloadable ACL).

EAP methods: EAP-TLS (certificate-based), PEAP (tunneled with MS-CHAPv2), EAP-FAST (lightweight), EAP-MD5 (password-based, deprecated due to lack of mutual authentication).

Edge Cases

What if a device does not support 802.1X? The switch can fall back to MAB (MAC authentication) or place the port in a guest VLAN.

What if the RADIUS server is unreachable? The switch can use a local fallback policy (e.g., critical VLAN) to allow limited access.

What is the difference between inline and out-of-band NAC? Inline NAC processes all traffic; out-of-band NAC only controls access via switch configuration changes.

Eliminating Wrong Answers

Focus on the role of each component. If a question asks 'What device acts as the authenticator?', eliminate answers that say 'RADIUS server' or 'client'. For EAP methods, remember that EAP-MD5 does not provide mutual authentication (only server validates client, not vice versa), so it is vulnerable to man-in-the-middle attacks. On the exam, if a question asks about a secure EAP method, avoid EAP-MD5.

Key Takeaways

NAC enforces security policies at the point of network connection, evaluating device identity and posture before granting access.

The 802.1X standard defines three roles: supplicant (client), authenticator (switch/AP), and authentication server (RADIUS).

RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting); older systems may use 1645/1646.

Common EAP methods: EAP-TLS (certificates), PEAP (tunnel + inner authentication), EAP-FAST (lightweight), EAP-MD5 (deprecated, one-way).

Default 802.1X timers: tx-period 30s, quiet-period 60s, server-timeout 30s.

NAC can be deployed inline (traffic passes through) or out-of-band (switch configured via SNMP/RADIUS).

MAB is a fallback for non-802.1X devices; it uses MAC address as credential and is less secure.

Post-admission control uses RADIUS Change of Authorization (CoA) to dynamically modify access based on changing conditions.

Guest VLAN and quarantine VLAN are common remediation actions for non-compliant devices.

NAC integrates with DHCP snooping, DAI, and port security for additional enforcement.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

802.1X (Port-based)

Uses user or machine credentials (certificates, passwords).

Provides mutual authentication (server validates client, client validates server).

Supports dynamic VLAN assignment via RADIUS attributes.

Requires supplicant software on the client.

More secure, resistant to spoofing.

MAC Authentication Bypass (MAB)

Uses only the MAC address as credential.

No mutual authentication; only server checks MAC against a list.

Can also assign VLANs but is less flexible.

No client software needed; works with any device.

Less secure; MAC addresses can be spoofed.

Watch Out for These

Mistake

NAC and 802.1X are the same thing.

Correct

802.1X is a standard for port-based authentication, but NAC is a broader framework that includes 802.1X, posture assessment, guest management, and policy enforcement. NAC can also use non-802.1X methods like captive portal or DHCP-based enforcement.

Mistake

The authenticator validates the client's credentials.

Correct

The authenticator (switch/AP) does not validate credentials; it forwards EAP messages between the supplicant and the authentication server (RADIUS). The RADIUS server performs validation.

Mistake

NAC only works with wired Ethernet ports.

Correct

NAC applies to wired (802.1X), wireless (802.1X), and VPN connections. The same RADIUS server can authenticate all types.

Mistake

EAP-MD5 is a secure authentication method.

Correct

EAP-MD5 only authenticates the client to the server (one-way) and does not provide mutual authentication. It is vulnerable to man-in-the-middle attacks and is deprecated in modern NAC deployments.

Mistake

MAC Authentication Bypass (MAB) is just as secure as 802.1X.

Correct

MAB uses the MAC address as the sole credential, which can be spoofed. It is a fallback for devices that lack 802.1X support (printers, IoT) and is less secure than certificate- or credential-based 802.1X.


Frequently Asked Questions

What is the difference between 802.1X and NAC?

802.1X is a specific IEEE standard for port-based network access control, which authenticates devices before granting access. NAC (Network Access Control) is a broader security framework that includes 802.1X but also incorporates posture assessment (checking antivirus, patch level), guest management, and policy enforcement across wired, wireless, and VPN networks. NAC often uses 802.1X as its authentication mechanism but can also use captive portals or DHCP-based methods.

What ports does RADIUS use?

RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting. Older RADIUS implementations may use ports 1645 (authentication) and 1646 (accounting). Some devices support TCP for reliability, but UDP is the default. On the exam, remember 1812/1813.

What is a supplicant in 802.1X?

A supplicant is the software on the client device that initiates authentication and responds to EAP requests from the authenticator. Examples include Windows Wired AutoConfig Service, macOS 802.1X client, and wpa_supplicant (Linux). The supplicant provides credentials (username/password or certificate) and participates in the EAP exchange with the authentication server.

What is a downloadable ACL (dACL)?

A downloadable ACL (dACL) is an access control list that is sent from the RADIUS server to the authenticator (switch) during 802.1X authentication. It is applied to the port to restrict traffic for that specific session. dACLs are more flexible than static ACLs because they can be assigned dynamically based on user or device identity.

What is a RADIUS Change of Authorization (CoA)?

RADIUS Change of Authorization (CoA) is a mechanism defined in RFC 5176 that allows the RADIUS server to dynamically change the authorization attributes of an active session. For example, if a device's posture becomes non-compliant, the server can send a CoA to the switch to change the VLAN or apply a restrictive ACL, effectively quarantining the device without requiring reauthentication.

What is the purpose of a guest VLAN in NAC?

A guest VLAN is a separate VLAN used to provide limited network access to unauthenticated or non-corporate devices. When a device fails 802.1X authentication or does not support it, the switch can place the port in a guest VLAN. This VLAN typically has internet-only access and is isolated from internal resources. It is configured on the switch and triggered by the RADIUS server or by a local fallback policy.

How does NAC handle devices that don't support 802.1X?

NAC uses MAC Authentication Bypass (MAB) as a fallback for devices like printers, IP phones, and IoT sensors that lack 802.1X supplicant software. The switch captures the device's MAC address and sends it as the credential to the RADIUS server. If the MAC is in an authorized list, the server grants access. MAB is less secure because MAC addresses can be spoofed.

