
Network Access Control (NAC) Implementation: From Zero Trust Policy to Enforced Reality

Last year, a contractor plugged an unmanaged laptop into a conference room Ethernet port at a mid-size financial firm. Within four hours, ransomware had moved laterally across three VLANs and encrypted 40TB of data. The network had firewalls, EDR, and a SIEM—but no Network Access Control. NAC is the security layer that answers the most fundamental question before any other control matters: should this device even be on this network?



Why NAC Still Matters in 2025

Despite the rise of cloud-first architectures, the physical and logical network perimeter remains a critical attack surface. IoT devices, BYOD policies, contractor access, and legacy OT systems create an environment where implicit trust is a liability. NAC provides three essential capabilities:

  1. Authentication — Verifying who or what is connecting
  2. Authorization — Determining what level of access is appropriate
  3. Posture Assessment — Evaluating whether the device meets security baselines

Without NAC, your network treats a compromised IoT camera and a fully patched domain workstation identically.


Architecture Decision: 802.1X as the Foundation

The most robust NAC deployments are built on IEEE 802.1X port-based authentication using RADIUS. Here's the core flow:

Supplicant (endpoint) → Authenticator (switch/AP) → Authentication Server (RADIUS/ISE/ClearPass)

On a Cisco Catalyst switch, enabling 802.1X on an access port looks like this:

interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
 ! MAB must be enabled on the port for the dot1x -> mab fallback to work
 mab
 authentication order dot1x mab
 ! web-auth fallback profile for clients that can neither do 802.1X nor match a MAB entry
 authentication fallback GUEST_POLICY
 spanning-tree portfast

The authentication order dot1x mab line is critical—it attempts 802.1X first, then falls back to MAC Authentication Bypass (MAB) for devices like printers and IP phones that can't perform EAP authentication.


Dynamic VLAN Assignment: The Enforcement Mechanism

Static VLAN assignments are a maintenance nightmare. Instead, configure your RADIUS server to return VLAN attributes dynamically based on identity and policy. In FreeRADIUS, a user authorization entry might look like:

# Certificate-authenticated corporate endpoint: full-access VLAN
corporate_user  Cleartext-Password := "EAP-TLS"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "110"

# MAB-authenticated contractor device: restricted, internet-only VLAN
contractor_device  Cleartext-Password := "MAB-Auth"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "200"

This means a corporate laptop authenticated via certificate lands on VLAN 110 (full access), while a contractor device lands on VLAN 200 (restricted internet-only). A device that fails all authentication gets quarantined:

authentication event fail action authorize vlan 999

VLAN 999 should route only to a captive portal or remediation server.


Posture Assessment: Don't Trust the Device Just Because the User Is Valid

Authentication alone isn't enough. A legitimate user on a machine with a disabled firewall and outdated antivirus signatures is still a risk. Posture assessment agents check endpoint compliance before granting full access.

Key posture checks to enforce:

  • OS patch level — Is the machine within your patching SLA?
  • Endpoint protection status — Is the EDR agent running and reporting?
  • Disk encryption — Is BitLocker/FileVault enabled?
  • Local firewall state — Is the host-based firewall active?

Non-compliant devices should receive a restricted authorization policy that permits only access to patch servers, WSUS/SCCM, and the remediation portal.
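The dynamic VLAN and posture sections above describe one decision: identity plus posture decides which Tunnel-* attributes the RADIUS server returns. The following is an added example (not code from the article or from any NAC product) that models that decision in Python; VLANs 110, 200 and 999 come from the article, while the remediation VLAN 300, the 30-day patch SLA, the posture field names and the sample reports are constructed assumptions.

```python
"""NAC authorization model: (auth method, group, posture) -> RADIUS VLAN reply."""
from datetime import date

CORP_VLAN = "110"          # full access (article)
CONTRACTOR_VLAN = "200"    # restricted, internet-only (article)
QUARANTINE_VLAN = "999"    # all authentication failed (article)
REMEDIATION_VLAN = "300"   # assumed: patch servers, WSUS/SCCM, remediation portal only
PATCH_SLA_DAYS = 30        # assumed patching SLA
TODAY = date(2025, 6, 1)   # constructed evaluation date, fixed for reproducibility


def posture_failures(report, today):
    """Return the posture checks the endpoint fails; an empty list means compliant."""
    failures = []
    if (today - report["last_patch"]).days > PATCH_SLA_DAYS:
        failures.append("patch-sla")
    if not report.get("edr_running"):
        failures.append("edr")
    if not report.get("disk_encrypted"):
        failures.append("disk-encryption")
    if not report.get("firewall_on"):
        failures.append("firewall")
    return failures


def vlan_reply(vlan_id):
    """RFC 2868 tunnel attributes a switch maps to a VLAN, as the FreeRADIUS entries do."""
    return (("Tunnel-Type", "VLAN"),
            ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", vlan_id))


def authorize(auth_method, group, posture, today):
    """Decide (policy name, reply attributes) for one session.

    auth_method: "EAP-TLS", "MAB" or None when every method failed.
    group: "corporate" or "contractor", derived from the certificate or MAB database.
    posture: agent report dict, or None when no posture agent reported.
    """
    if auth_method is None:
        return "quarantine", vlan_reply(QUARANTINE_VLAN)
    if auth_method == "MAB" or group == "contractor":
        # MAB devices cannot run a posture agent: restrict rather than trust them.
        return "restricted", vlan_reply(CONTRACTOR_VLAN)
    # Valid user on a corporate device: a missing agent counts as a failed check.
    failures = posture_failures(posture, today) if posture else ["no-agent"]
    if failures:
        return "remediation", vlan_reply(REMEDIATION_VLAN)
    return "full", vlan_reply(CORP_VLAN)


# Constructed sample posture reports from two corporate laptops.
SAMPLE_COMPLIANT = {"last_patch": date(2025, 5, 20), "edr_running": True,
                    "disk_encrypted": True, "firewall_on": True}
SAMPLE_STALE = {"last_patch": date(2025, 3, 1), "edr_running": True,
                "disk_encrypted": True, "firewall_on": False}
```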


Phased Rollout Strategy

Deploying NAC enterprise-wide on day one is a recipe for an outage and angry stakeholders. Use this phased approach:

Phase   Mode          Duration    Goal
1       Monitor       4-6 weeks   Profile all devices, identify unknown assets
2       Low-impact    2-4 weeks   Authenticate but assign default VLAN on failure
3       Closed mode   Ongoing     Full enforcement with quarantine

Phase 1 is where you discover the 300 devices nobody knew existed.


Final Thought

NAC isn't a product you install—it's an operational discipline. The technology enforces the policy, but the policy must reflect your actual environment: every printer, every badge reader, every forgotten Raspberry Pi under a desk. Start with visibility, graduate to enforcement, and treat your NAC policy as living documentation that evolves with every device audit.

Your network should never again answer the question "who's on here?" with silence.

