Network Access Control (NAC) is a security technique that restricts unauthorized devices and users from connecting to a network. For SY0-701, this falls under Security Operations (Objective 4.4) and covers how organizations enforce policies on devices before granting access. This chapter explains NAC's components, deployment modes, and the authentication and posture assessment processes critical for exam scenarios. Understanding NAC helps you answer questions about preventing rogue devices, enforcing health policies, and integrating with 802.1X and RADIUS.
Imagine a hotel that uses key cards for room access. When a guest checks in, the front desk issues a key card programmed to open only their assigned room and common areas like the gym or pool. This is like a NAC policy server (the front desk) that authenticates a device and assigns it an access profile. If a guest tries to enter a restricted area, like the staff-only basement, the card reader (the NAC enforcement point) checks the card's authorization and denies entry. Similarly, if a guest's card is reported lost or stolen, the front desk can deactivate it instantly, and the card reader will lock out that card. This mirrors NAC's ability to quarantine or block a device that fails a health check or is compromised. The key card itself represents the device's credentials or posture certificate. The hotel's central system that manages all cards is like the NAC policy server, and the door readers are like switches or wireless controllers that enforce access control. The analogy breaks down if the hotel has no central system: each door would need its own list, which is like deploying NAC without a policy server and leads to inconsistent enforcement. SY0-701 emphasizes that NAC uses authentication (like checking in), authorization (room permissions), and posture assessment (like confirming the guest meets the hotel's conditions of stay before a key is issued) before granting network access.
What is Network Access Control (NAC)?
Network Access Control (NAC) is a set of protocols and technologies that enforce security policy on devices seeking to access network resources. Its primary goal is to ensure that only authorized and compliant devices can connect, thereby reducing the risk of malware, unauthorized access, and data breaches. NAC can be implemented at the network edge (wired switches, wireless access points) or via software agents on endpoints.
How NAC Works Mechanically
The NAC process typically follows a three-phase cycle: Authentication, Posture Assessment, and Enforcement.
1. Authentication: When a device connects to a network port or associates with a wireless SSID, it must authenticate. This often uses 802.1X, which involves three entities:
- Supplicant: The client device (e.g., laptop) running 802.1X software.
- Authenticator: The network device (switch or wireless access point) that acts as a gatekeeper.
- Authentication Server (AS): Typically a RADIUS server (e.g., Cisco ISE, FreeRADIUS) that validates credentials.
The supplicant sends an EAP (Extensible Authentication Protocol) message to the authenticator, which forwards it to the AS. The AS authenticates the device (e.g., via username/password, certificate, or MAC address) and responds with an Accept or Reject. If accepted, the AS sends attributes that define the VLAN or ACL to apply.
2. Posture Assessment: After authentication, the device's security posture is checked. This can involve:
- Agent-based: A persistent or dissolvable agent on the device scans for antivirus status, OS patches, firewall settings, and running processes.
- Agentless: The NAC system performs network scans (e.g., Nmap) or checks via SNMP.
- Posture tokens: The AS evaluates the posture and assigns a token (e.g., Healthy, Quarantine, Guest) that determines access.
3. Enforcement: Based on the authentication and posture result, the AS instructs the authenticator to place the device in a specific VLAN or apply an ACL. For example:
- Healthy devices → Corporate VLAN (full access)
- Non-compliant devices → Quarantine VLAN (limited to remediation servers)
- Guest devices → Guest VLAN (internet only)
Key Components and Variants
802.1X: IEEE standard for port-based network access control. Ports 1812 (RADIUS authentication) and 1813 (RADIUS accounting) are used. EAP methods include EAP-TLS (certificate-based), PEAP (username/password with server certificate), and EAP-FAST.
RADIUS: Remote Authentication Dial-In User Service (RFC 2865/2866) provides AAA (Authentication, Authorization, Accounting). It uses UDP and can proxy requests to other servers.
TACACS+: Cisco proprietary alternative to RADIUS, uses TCP port 49, and separates authentication, authorization, and accounting.
NAC Agents: Persistent agents (e.g., Cisco AnyConnect) or dissolvable agents (run on demand) perform posture checks.
MAC Authentication Bypass (MAB): A fallback if the device does not support 802.1X; the switch uses the device's MAC address as credentials.
802.1X Supplicant: Built into Windows (Wired AutoConfig service), macOS, Linux (wpa_supplicant), and mobile devices.
Deployment Modes
Inline NAC: The NAC appliance sits between the client and the network, inspecting all traffic. This provides real-time enforcement but can become a bottleneck.
Out-of-Band NAC: The NAC appliance monitors traffic via port mirroring (SPAN) and instructs switches to change VLANs or ACLs. This reduces latency but may have slower response.
Agent-based vs. Agentless: Agent-based offers deeper posture checks but requires management; agentless is simpler but less thorough.
How Attackers Exploit or Defenders Deploy
Attackers: Can bypass NAC by spoofing a MAC address of an authorized device (MAC spoofing), using a rogue switch to strip 802.1X headers, or exploiting weak EAP methods (e.g., EAP-MD5). They may also target the RADIUS server with credential stuffing.
Defenders: Use 802.1X with EAP-TLS (certificates) to prevent credential theft. Implement MAB as a fallback but combine with device profiling. Use dynamic VLAN assignment to isolate devices. Monitor RADIUS logs for failed authentication attempts (Event ID 6273 in Windows NPS). Regularly update posture policies.
Real Command/Tool Examples
- Cisco switch 802.1X configuration (global AAA and dot1x prerequisites included so the interface commands take effect):
  ! Global: enable AAA, send 802.1X authentications to RADIUS, turn on 802.1X system-wide
  aaa new-model
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  interface GigabitEthernet0/1
   authentication port-control auto
   dot1x pae authenticator
   dot1x timeout tx-period 3
- FreeRADIUS configuration snippet (authorize section of a virtual server, e.g. sites-enabled/default):
  authorize {
      # Static users file first, then hand EAP requests to the eap module
      files
      eap {
          ok = return
      }
  }
- Windows NPS event log: Use Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 6273} to find failed RADIUS authentications.
- Supplicant testing: Use netsh wlan show profiles on Windows to view saved wireless profiles; wpa_cli status on Linux to check 802.1X state.
NAC Standards and Protocols
IEEE 802.1X-2020: Current standard.
RFC 2865/2866: RADIUS.
RFC 3579: RADIUS support for EAP.
Cisco TrustSec: Uses Security Group Tags (SGTs) for policy enforcement.
Microsoft NAP (Network Access Protection): Deprecated but still tested conceptually.
Posture Assessment Details
Posture checks can include:
Antivirus: Is it installed? Is it running? Is the definition up-to-date?
OS patches: Are critical patches applied? (e.g., MS17-010 for EternalBlue)
Firewall: Is the host firewall enabled?
Disk encryption: Is BitLocker or FileVault active?
Running services: Are unnecessary services (e.g., Telnet) disabled?
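As an added example (not code from the page, Cisco ISE, or any NAC vendor), here is how the checks listed above are turned into a posture token and an enforcement decision of the kind described in the three-phase cycle: Healthy maps to the corporate VLAN, Quarantine to a remediation VLAN, and a VLAN change triggers a CoA. VLAN 10 is the corporate VLAN used elsewhere on the page; VLANs 20 and 30, the three-day definition age, the managed-OS set, and the field names of the `Posture` record are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy thresholds for this example (a policy server would make these configurable)
MAX_DEFINITION_AGE = timedelta(days=3)
FORBIDDEN_SERVICES = {"telnet"}
MANAGED_OS = {"Windows", "macOS"}
# VLAN 10 is the corporate VLAN used elsewhere on the page; 20 and 30 are constructed for this example
VLAN_BY_TOKEN = {"Healthy": 10, "Quarantine": 20, "Guest": 30}


@dataclass(frozen=True)
class Posture:
    """What an agent (or an agentless scan) reports about one endpoint. Dates are ISO strings."""
    os_family: str
    av_installed: bool
    av_running: bool
    av_definitions_date: str
    missing_critical_patches: tuple
    firewall_enabled: bool
    disk_encrypted: bool
    running_services: frozenset


def evaluate_posture(p, today):
    """Return (posture token, list of failed checks).
    Unmanaged OSes go to Guest; a managed device is Healthy only if every check passes."""
    if p.os_family not in MANAGED_OS:
        return "Guest", ["unmanaged operating system"]
    failures = []
    if not p.av_installed:
        failures.append("antivirus not installed")
    elif not p.av_running:
        failures.append("antivirus not running")
    elif date.fromisoformat(today) - date.fromisoformat(p.av_definitions_date) > MAX_DEFINITION_AGE:
        failures.append("antivirus definitions outdated")
    if p.missing_critical_patches:
        failures.append("critical patches missing: " + ", ".join(p.missing_critical_patches))
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    if not p.disk_encrypted:
        failures.append("disk encryption inactive")
    forbidden = sorted(p.running_services & FORBIDDEN_SERVICES)
    if forbidden:
        failures.append("forbidden services running: " + ", ".join(forbidden))
    return ("Healthy" if not failures else "Quarantine"), failures


def enforcement_decision(p, today, current_vlan):
    """Map the token to a VLAN and decide whether a CoA must be sent (only when the VLAN changes)."""
    token, failures = evaluate_posture(p, today)
    target_vlan = VLAN_BY_TOKEN[token]
    if token == "Healthy":
        log = "Posture assessment passed; corporate VLAN"
    else:
        log = f"Posture assessment failed: {'; '.join(failures)}; moving to {token.lower()} VLAN"
    return {"token": token, "vlan": target_vlan, "coa_needed": target_vlan != current_vlan, "log": log}


if __name__ == "__main__":
    stale = Posture("Windows", True, True, "2024-04-01", (), True, True, frozenset())
    print(enforcement_decision(stale, "2024-05-02", current_vlan=10))
```

The antivirus checks are ordered so that a device with no antivirus is reported as "not installed" rather than also as "not running" and "outdated", which keeps the remediation message to the one thing the user actually has to fix.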
Example of a posture policy (Cisco ISE):
Rule: Windows_Compliant
Condition: (Windows) AND (Antivirus_Installed == true) AND (AV_Definitions_Updated == true) AND (OS_Patches >= Critical)
Result: PermitAccess
NAC in Wireless Networks
Wireless NAC uses 802.1X with EAP methods. The wireless access point acts as the authenticator. Common EAP types:
- EAP-TLS: Requires client and server certificates; strongest security.
- PEAP-MSCHAPv2: Uses server certificate and username/password; vulnerable to credential theft if server certificate is not validated.
- EAP-FAST: Uses a PAC (Protected Access Credential) for tunneling.
NAC and IoT Devices
IoT devices often lack 802.1X supplicants. Solutions include:
- MAB: Uses MAC address; easily spoofed.
- Device profiling: NAC identifies device type via OS fingerprinting, DHCP fingerprinting, or HTTP user-agent.
- Certificates: Pre-provision certificates on IoT devices.
Common NAC Vulnerabilities (CVEs)
CVE-2020-7471: RADIUS shared secret brute-force (weak secrets).
CVE-2015-5374: FreeRADIUS EAP-pwd memory leak.
CVE-2012-3546: Cisco NAC Agent privilege escalation.
Summary
NAC is a critical defense against unauthorized access and non-compliant devices. SY0-701 expects you to understand the 802.1X authentication process, posture assessment, and enforcement mechanisms. Know the roles of supplicant, authenticator, and authentication server. Be able to identify scenarios where NAC would prevent a rogue device from connecting.
Device Connects to Network
A device (supplicant) plugs into a switch port or associates with a wireless SSID. The switch or access point (authenticator) detects the link up and initiates the 802.1X authentication process. The port is placed in an unauthorized state, allowing only EAP traffic. For wireless, the client must start EAP negotiation. Logs: Switch logs show 'dot1x_auth: starting authentication for MAC xx:xx:xx:xx:xx:xx'. The authenticator sends an EAP-Request/Identity to the supplicant. If the device does not support 802.1X, the authenticator may fall back to MAB after a timeout.
Supplicant Sends Credentials
The supplicant responds with an EAP-Response/Identity containing a username (e.g., 'host/computer.domain.com' or user@domain). The authenticator encapsulates this in a RADIUS Access-Request packet and forwards it to the authentication server (AS). The AS checks the identity against its user/device database. If the AS is a RADIUS proxy, it may forward to another server. Logs: RADIUS server logs show 'Authentication request for user: host/computer.domain.com'. The EAP method is negotiated (e.g., PEAP). The supplicant and AS establish a TLS tunnel (for PEAP/EAP-TLS) to protect subsequent exchanges.
Authentication Server Validates
The AS validates the credentials. For EAP-TLS, it verifies the client certificate against a trusted CA. For PEAP-MSCHAPv2, it checks username/password against Active Directory. If valid, the AS generates a RADIUS Access-Accept packet containing attributes such as VLAN ID, ACL name, or session timeout. If invalid, it sends Access-Reject. The AS may also check posture at this stage if integrated with a posture server. Logs: Windows NPS Event ID 6272 (success) or 6273 (failure). The AS sends the result to the authenticator.
Authenticator Enforces Policy
The authenticator (switch/AP) receives the RADIUS response. If Access-Accept, it changes the port state to authorized and applies the attributes (e.g., assigns VLAN 10). If Access-Reject, it keeps the port unauthorized or places it in a guest VLAN. For MAB, the switch uses the MAC address as the username/password and sends a RADIUS Access-Request. The AS can respond with an Accept if the MAC is whitelisted. Logs: Switch logs show 'Authentication successful for client xx:xx:xx:xx:xx:xx on port Gi0/1, assigned VLAN 10'. The device now has network access based on the assigned VLAN/ACL.
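The Access-Request / Access-Accept exchange described in the steps above, written out in Python as an added example (this is not code from the page or from any RADIUS implementation). It follows RFC 2865, which the page cites: the MAB case where the switch sends the MAC address as both User-Name and User-Password, the User-Password hiding that is the only protection RADIUS applies to a packet, the Response Authenticator the switch must verify before trusting an Access-Accept, and the RFC 2868 tunnel attributes that carry the dynamic VLAN assignment (VLAN 10 as on the page). The MAC addresses, shared secret and allow list are constructed; the identifier value 7 is arbitrary.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865; tunnel attributes from RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block).
    This is the only field RADIUS protects; every other attribute travels in the clear."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password (the previous *hidden* block feeds the next key)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs: one byte type, one byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1]
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, mac, secret, request_auth):
    """MAB-style Access-Request: the switch uses the MAC address as both username and password."""
    body = pack_attrs([(USER_NAME, mac.encode()),
                       (USER_PASSWORD, hide_password(mac.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """Authenticator-side check: the reply matches our request ID and was built with the shared secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vlan_attrs(vlan_id, tag=1):
    """Tunnel attributes a switch reads as a dynamic VLAN assignment: Type 13 = VLAN, Medium 6 = IEEE-802."""
    return [(TUNNEL_TYPE, bytes([tag]) + (13).to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + (6).to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())]


def assigned_vlan(response):
    """VLAN carried in an Access-Accept, or None (Access-Reject or no tunnel attributes)."""
    if response[0] != ACCESS_ACCEPT:
        return None
    for t, v in parse_attrs(response[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            value = v[1:] if v and v[0] <= 0x1F else v  # a leading byte <= 0x1F is the RFC 2868 tag
            return int(value.decode())
    return None


def mab_exchange(mac, allowed_macs, secret, vlan_id=10):
    """Switch and RADIUS server in one function; returns (accepted, assigned VLAN)."""
    request = build_access_request(7, mac, secret, os.urandom(16))
    attrs = dict(parse_attrs(request[20:]))                      # server: decode the request
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request[4:20]).decode()
    if user == password and user in allowed_macs:                # MAC on the allow list -> VLAN 10
        response = build_response(ACCESS_ACCEPT, request, secret, vlan_attrs(vlan_id))
    else:
        response = build_response(ACCESS_REJECT, request, secret, [])
    if not verify_response(response, request, secret):           # switch: never trust an unverified reply
        raise ValueError("Response Authenticator mismatch; discarding reply")
    return response[0] == ACCESS_ACCEPT, assigned_vlan(response)


if __name__ == "__main__":
    print(mab_exchange("00:11:22:33:44:55", {"00:11:22:33:44:55"}, b"constructed-secret"))  # (True, 10)
```

Two points worth noticing when running it: the Access-Accept is only as trustworthy as the shared secret, since anyone who knows it can forge a valid Response Authenticator; and nothing in the exchange proves the MAC is genuine, which is exactly why the page calls MAB a weak fallback.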
Posture Assessment and Remediation
After initial access, a posture agent (if deployed) performs health checks. If the device is non-compliant (e.g., missing antivirus), the agent reports to the AS, which sends a CoA (Change of Authorization) to the authenticator to move the device to a quarantine VLAN. The device is then redirected to a remediation server (e.g., WSUS, antivirus update server). Once compliant, the device re-authenticates or the agent notifies the AS, which sends another CoA to restore full access. Logs: NAC server logs show 'Posture assessment failed: antivirus definitions outdated; moving to quarantine VLAN'. Common mistake: Not implementing CoA, requiring manual re-authentication.
Scenario 1: Rogue Device Detection at a Hospital
A hospital's network team notices unusual traffic from the medical imaging VLAN. They check the NAC logs and see an unknown MAC address that successfully authenticated via MAB. The switch logs show the device was assigned to the imaging VLAN. The analyst uses the NAC's device profiling feature to fingerprint the device: it appears as a generic Linux machine, not a known medical device. They quarantine the port and investigate. The root cause: a physician plugged in a personal laptop to the network jack. The NAC had MAB enabled as a fallback, and the MAC address was not in the blacklist. The correct response: disable MAB on sensitive VLANs or require 802.1X for all devices. The common mistake: assuming MAB is secure because MAC addresses are unique. In reality, MAC spoofing is trivial.
Scenario 2: Posture Failure in a Corporate Office
A user calls the helpdesk saying they cannot access the corporate file server. The NAC agent on their laptop shows a red status: antivirus is not running. The NAC policy server (e.g., Cisco ISE) detects this and automatically moves the laptop to a quarantine VLAN. The user can only access the remediation server to install antivirus. The helpdesk walks the user through enabling antivirus. After the agent reports compliance, the NAC server sends a CoA to the switch to move the laptop back to the corporate VLAN. The analyst monitors the ISE live logs and sees the transition. Common mistake: The helpdesk might try to manually assign the user to the corporate VLAN via switch CLI, bypassing NAC. This is a security violation and should be prevented by strict change control.
Scenario 3: 802.1X Certificate Expiry
A company uses EAP-TLS for wireless authentication. Users start reporting they cannot connect to the corporate Wi-Fi. The NAC logs show repeated authentication failures with reason 'certificate expired'. The IT team checks the CA and finds that client certificates were issued with a 1-year validity and many have expired. They renew certificates via Group Policy auto-enrollment. The analyst also notices that the RADIUS server logs show increased failed attempts from devices with expired certs. The correct response: implement certificate auto-enrollment and monitor certificate expiry. Common mistake: Blaming the wireless AP or supplicant configuration without checking certificate validity.
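The log review that Scenario 3 and the Defenders paragraph call for, as an added example in Python (not code from the page, from Windows NPS, or from any NAC product). It runs over a constructed batch of NPS-style RADIUS events using the page's Event IDs (6272 success, 6273 failure), groups failures by reason, lists identities failing with expired certificates so the team checks the CA before blaming APs or supplicants, and flags a NAS from which many distinct identities failed inside a short window, the shape that repeated credential attempts against the RADIUS server take in the logs. The field names, reason strings, usernames, NAS addresses and thresholds are all constructed for the example, not NPS's real schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of NPS-style RADIUS events. 6272 = success and 6273 = failure are the
# Event IDs used on the page; the field names and reason strings are this example's own.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T08:00:01", "event_id": 6273, "user": "host/pc01.corp.example", "nas": "10.0.0.2", "reason": "certificate expired"},
    {"ts": "2024-05-02T08:05:10", "event_id": 6272, "user": "host/pc02.corp.example", "nas": "10.0.0.2", "reason": ""},
    {"ts": "2024-05-02T08:40:00", "event_id": 6273, "user": "host/pc03.corp.example", "nas": "10.0.0.2", "reason": "certificate expired"},
    {"ts": "2024-05-02T09:15:00", "event_id": 6273, "user": "host/pc04.corp.example", "nas": "10.0.0.2", "reason": "certificate expired"},
    {"ts": "2024-05-02T10:02:00", "event_id": 6273, "user": "host/pc05.corp.example", "nas": "10.0.0.2", "reason": "certificate expired"},
] + [
    # Five different usernames failing from one NAS within 40 seconds (constructed)
    {"ts": f"2024-05-02T12:00:{10 * i:02d}", "event_id": 6273, "user": f"user{i}@corp.example", "nas": "10.0.0.9", "reason": "credentials mismatch"}
    for i in range(5)
]


def failures_in(events):
    """Keep only 6273 events, with parsed timestamps, oldest first."""
    out = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events if e["event_id"] == 6273]
    return sorted(out, key=lambda e: e["ts"])


def bursty_sources(failures, window, threshold):
    """NAS addresses from which >= threshold distinct identities failed inside one sliding window.
    Many different usernames failing quickly from one source is what credential stuffing looks like."""
    per_nas = defaultdict(list)
    for e in failures:                      # failures are already sorted by time
        per_nas[e["nas"]].append((e["ts"], e["user"]))
    flagged = {}
    for nas, items in per_nas.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({u for _, u in items[start:end + 1]})
            if distinct >= threshold:
                flagged[nas] = max(flagged.get(nas, 0), distinct)
    return flagged


def triage(events, window_minutes=5, burst_threshold=3, expiry_threshold=3):
    """Summarise RADIUS failures the way an analyst would when the helpdesk reports Wi-Fi trouble."""
    failures = failures_in(events)
    by_reason = Counter(e["reason"] for e in failures)
    expired = sorted({e["user"] for e in failures if e["reason"] == "certificate expired"})
    bursts = bursty_sources(failures, timedelta(minutes=window_minutes), burst_threshold)
    findings = []
    if len(expired) >= expiry_threshold:
        findings.append(f"{len(expired)} identities failing with expired certificates: "
                        "check CA validity periods and auto-enrollment before blaming APs or supplicants")
    for nas, count in sorted(bursts.items()):
        findings.append(f"{count} distinct identities failed from NAS {nas} within {window_minutes} min: "
                        "review for credential stuffing against the RADIUS server")
    return {"failures": len(failures), "by_reason": dict(by_reason),
            "expired_cert_users": expired, "bursty_sources": bursts, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS)["findings"]:
        print(line)
```

The window and thresholds are deliberately parameters: the four expired-certificate failures spread over two hours are not a burst at a five-minute window, but widen the window to three hours and the same NAS is flagged, so the two findings separate only when the window is tuned to the environment.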
Exactly What SY0-701 Tests on NAC
Objective 4.4 (Security Operations) includes: 'Given a scenario, implement and configure network access controls.' Sub-objectives:
Understand the purpose of NAC (prevent unauthorized devices)
Identify components: supplicant, authenticator, authentication server
Describe 802.1X and RADIUS roles
Explain posture assessment and quarantine
Differentiate between agent-based and agentless NAC
Recognize MAC authentication bypass (MAB) as a fallback
Common Wrong Answers and Why
'NAC uses MAC filtering to block devices.' This is wrong because MAC filtering is a static list, not dynamic NAC. NAC uses authentication and posture, not just MAC addresses. Candidates choose this because they confuse MAC filtering with MAB.
'RADIUS uses TCP port 1812.' RADIUS uses UDP, not TCP. TACACS+ uses TCP. Candidates confuse the two.
'Posture assessment happens before authentication.' Wrong. Authentication comes first; posture assessment occurs after the device is authenticated but before full access is granted. Candidates think posture is part of authentication.
'NAC can block all malware.' NAC only blocks devices that fail policy; it does not inspect traffic for malware. Candidates overestimate NAC's capabilities.
Specific Terms, Values, and Acronyms
802.1X: Port-based NAC standard
RADIUS: UDP 1812/1813
TACACS+: TCP 49
EAP-TLS: Certificate-based; strongest
PEAP: Tunneled with server certificate
MAB: MAC Authentication Bypass
CoA: Change of Authorization (RFC 5176)
Supplicant: Client software
Authenticator: Switch/AP
Authentication Server: RADIUS server
Common Trick Questions
'Which protocol is used for NAC?' The answer is 802.1X, not RADIUS. RADIUS is the protocol between authenticator and AS, but the overall NAC framework is 802.1X.
'What port does RADIUS use?' Trick: The question may say 'authentication port' (1812) vs 'accounting port' (1813). Both are UDP.
'What is the difference between NAC and 802.1X?' NAC is the concept; 802.1X is the implementation standard.
Decision Rule for Eliminating Wrong Answers
When you see a scenario question about a device that should not have network access, ask: 'Does the scenario describe a device that failed authentication or a health check?' If the device is unknown, think 802.1X. If the device is known but unhealthy, think posture assessment. If the answer mentions MAC filtering or ACLs without authentication, it's likely wrong.
NAC uses 802.1X with RADIUS (UDP 1812/1813) to authenticate and authorize devices.
The three roles in 802.1X are supplicant (client), authenticator (switch/AP), and authentication server (RADIUS).
Posture assessment checks device health (antivirus, patches) and can trigger quarantine via CoA.
MAB is a fallback using MAC address; it is weak against spoofing.
EAP-TLS is the strongest EAP method; PEAP and EAP-FAST are alternatives.
NAC can be deployed inline (bottleneck risk) or out-of-band (slower response).
RADIUS uses UDP; TACACS+ uses TCP and separates AAA functions.
Common NAC vulnerabilities include MAC spoofing, weak EAP methods, and RADIUS shared secret brute-force.
NAC does not replace firewalls; it controls initial access, not traffic inspection.
Know the difference between authentication (who you are), authorization (what you can do), and accounting (logging).
These come up on the exam all the time. Here's how to tell them apart.
802.1X
Requires supplicant software on the client.
Uses EAP for authentication (e.g., certificates, passwords).
Provides strong authentication (e.g., EAP-TLS).
Can dynamically assign VLANs based on user/device.
More secure but requires client configuration.
MAC Authentication Bypass (MAB)
No client software needed; uses MAC address as credential.
No EAP; switch sends MAC as username/password.
Weak authentication; MAC can be spoofed.
VLAN assignment based on MAC address only.
Less secure but easy to deploy for legacy devices.
RADIUS
Uses UDP (ports 1812/1813).
Combines authentication and authorization in one packet.
Standard protocol (RFC 2865/2866).
Widely supported by many vendors.
Accounting uses separate port 1813.
TACACS+
Uses TCP (port 49).
Separates authentication, authorization, and accounting (AAA).
Cisco proprietary.
Primarily used in Cisco environments.
Encrypts entire packet body; RADIUS only encrypts password.
Mistake
NAC is the same as 802.1X.
Correct
NAC is a broader concept; 802.1X is one protocol used to implement NAC. NAC includes posture assessment, guest access, and device profiling.
Mistake
RADIUS uses TCP for reliable delivery.
Correct
RADIUS uses UDP (ports 1812/1813). It relies on application-layer retransmission. TACACS+ uses TCP.
Mistake
MAB is a secure authentication method.
Correct
MAB uses MAC addresses, which can be easily spoofed. It is considered a weak fallback, not a primary security measure.
Mistake
Posture assessment is part of the initial authentication.
Correct
Posture assessment occurs after authentication but before full access is granted. It is a separate step that can trigger a CoA.
Mistake
NAC eliminates the need for firewalls.
Correct
NAC controls access at the network edge; firewalls inspect traffic between segments. They are complementary, not replacements.
NAC (Network Access Control) is a broad security concept that includes authentication, posture assessment, and enforcement. 802.1X is a specific IEEE standard for port-based network access control that provides the authentication mechanism. NAC can use 802.1X, but also includes other technologies like MAB, device profiling, and guest portals. For the exam, remember that 802.1X is a protocol, while NAC is the overall solution.
Yes, NAC works with both wired and wireless networks. In wireless, the access point acts as the authenticator, and the client (supplicant) uses 802.1X with EAP methods. The authentication server (RADIUS) validates credentials and can assign VLANs or ACLs. Posture assessment can also be performed via an agent on the wireless client. Wireless NAC is common in enterprise environments to secure Wi-Fi access.
A supplicant is the software on the client device that initiates authentication. It responds to EAP requests from the authenticator. Examples include the Windows Wired AutoConfig service, wpa_supplicant on Linux, and third-party clients like Cisco AnyConnect. The supplicant handles credential input (e.g., username/password or certificate) and EAP method negotiation.
Devices like printers, cameras, or IoT devices often lack 802.1X supplicants. NAC can use MAC Authentication Bypass (MAB) as a fallback: the switch uses the device's MAC address as credentials. Alternatively, device profiling can identify the device type and apply policy. Guest VLANs can also be used for unauthenticated devices. MAB is less secure because MAC addresses can be spoofed.
CoA stands for Change of Authorization (RFC 5176). It is a RADIUS extension that allows the authentication server to dynamically change the authorization attributes of an already authenticated session. For example, if a device fails a posture check, the server can send a CoA to the switch to move the device to a quarantine VLAN without requiring re-authentication.
No. NAC controls which devices can connect to the network and what VLAN or ACL they get. It does not inspect traffic for malicious content. A firewall controls traffic between network segments based on rules. They are complementary: NAC ensures only compliant devices connect, and firewalls monitor traffic. Both are needed for defense in depth.
RADIUS uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. Some legacy implementations use ports 1645/1646. For the exam, remember UDP 1812/1813. Do not confuse with TACACS+ (TCP 49) or LDAP (TCP 389).