Technical Discussion

N4N054: Network Access Control (NAC) Basics

Ethan Banks and Holly Malitzky-Podbilak provide a beginner-friendly introduction to Network Access Control (NAC), covering its core concepts, protocols, and terminology including 802.1X, RADIUS, TACACS, EAP, and AAA. They discuss how NAC governs device admission and access policies on both wired and wireless networks, and survey major NAC vendor solutions in the market.

Summary

This episode of 'N4N: Networking for Networking Beginners' is the first in a three-part series on Network Access Control (NAC). Hosts Ethan Banks and Holly Malitzky-Podbilak open with personal conversation, including Holly's recent marriage and name change to Malitzky-Podbilak, her dual citizenship in the U.S., South Africa, and Lithuania, and Ethan's discovery that he may qualify for Canadian citizenship through grandparent lineage.

The hosts begin the technical discussion by noting that Cisco historically called NAC 'Network Admission Control' around 2004, a term that has since faded out in favor of 'Network Access Control.' They explain that NAC is not simply about binary allow/deny decisions — it also governs what a device can do once admitted to the network, such as being placed in a guest VLAN, receiving full corporate access, or being denied entirely.

The episode distinguishes NAC from simple Wi-Fi password protection or basic MAC address access lists, explaining that NAC performs a deeper evaluation of both the device and the user. For devices that cannot speak 802.1X (such as IoT thermostats), NAC systems can fall back to MAC Authentication Bypass (MAB), admitting known devices on the basis of their Ethernet MAC address. Because a MAC address is trivially cloned, MAB admission is normally paired with a restricted authorization (a limited VLAN or access list) rather than full corporate access. Captive portals are also discussed as a mechanism for admitting guest users who lack 802.1X capability.

A significant portion of the episode is dedicated to unpacking the AAA framework — Authentication, Authorization, and Accounting — and how it underpins NAC infrastructure. Authentication identifies who is connecting; authorization determines what they can access; and accounting logs and tracks that activity. The hosts note that AAA applies not just to NAC but also to governing network device administration.

The two main protocols supporting AAA are RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus). RADIUS is described as the dominant protocol in NAC contexts, while TACACS+ is noted for encrypting its entire packet body (RADIUS hides only the User-Password attribute) and is more commonly used for governing network device administration. A practitioner's caveat: RFC 8907 itself characterizes the TACACS+ body protection, an MD5-derived keystream XORed over the body, as obfuscation rather than encryption, which is one motivation for carrying the protocol over TLS. Ethan references RFC 8907 (informational) and RFC 9887 (a newer standard for TACACS+ over TLS 1.3) as evidence of broader standardization efforts.
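As an added illustration, not code from the episode or from any vendor named on this page, the Python below builds the Access-Request a switch sends for MAC Authentication Bypass and shows what is and is not protected on the wire: RFC 2865 hides only the User-Password attribute, and in MAB that "password" is the same MAC address that travels in the clear as User-Name and Calling-Station-Id. For comparison it also implements the TACACS+ body obfuscation from RFC 8907 section 4.5, which covers the whole body. The attribute numbers and codes come from the RFCs; the shared secret, MAC address, Request Authenticator, TACACS+ key, session ID and body bytes are constructed for the example.

```python
import hashlib
import os
import struct

# RFC 2865 code and attribute types used below.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
NAS_PORT_TYPE_ETHERNET = 15


def avp(attr_type, value):
    """Encode one RADIUS attribute-value pair as Type, Length (header included), Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password; needs the shared secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_access_request(mac, secret, identifier=1, request_authenticator=None):
    """What a switch sends for MAC Authentication Bypass: the endpoint MAC is the
    User-Name, the User-Password and the Calling-Station-Id all at once (constructed MAC)."""
    ra = request_authenticator or os.urandom(16)
    attrs = (
        avp(USER_NAME, mac.encode())
        + avp(USER_PASSWORD, hide_user_password(mac.encode(), secret, ra))
        + avp(CALLING_STATION_ID, mac.encode())
        + avp(NAS_PORT_TYPE, struct.pack(">I", NAS_PORT_TYPE_ETHERNET))
    )
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def sniffer_view(packet):
    """Decode a RADIUS packet without the shared secret: every attribute except
    User-Password is readable exactly as sent."""
    seen, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + length]
        seen[attr_type] = "<hidden, %d bytes>" % len(value) if attr_type == USER_PASSWORD else value
        pos += length
    return seen


def tacacs_plus_obfuscate(body, key, session_id, version=0xC0, seq_no=1):
    """RFC 8907 section 4.5: XOR the whole packet body with an MD5 keystream derived
    from session_id, key, version and seq_no. Symmetric: apply twice to recover."""
    pad, prev = b"", b""
    header_bits = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    while len(pad) < len(body):
        prev = hashlib.md5(header_bits + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    pkt = build_mab_access_request("00-11-22-33-44-55", b"testing123", 1, bytes(range(16)))
    print(sniffer_view(pkt))
```

Inspecting `sniffer_view()` on the constructed request makes the point: the only hidden attribute is the one whose value is also sent in the clear twice, so the password hiding protects nothing in MAB, and MAB admission rests entirely on trusting the switch port and the MAC. For the same reason RADIUS is normally confined to a management network or carried over TLS (RadSec, RFC 6614) rather than relied on for confidentiality, and the TACACS+ keystream XOR is what RFC 8907 calls obfuscation, not encryption.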

The Extensible Authentication Protocol (EAP) is introduced as the mechanism used during 802.1X transactions to authenticate clients. The hosts explain the three-party model in 802.1X: the client (supplicant), the network access device (a switch or access point acting as authenticator), and the back-end RADIUS authentication server (such as HPE Aruba ClearPass) where policies are stored. The authenticator does not interpret the EAP conversation itself; it relays EAP frames between the supplicant (EAP over LAN on the port) and the server (inside RADIUS EAP-Message attributes). RADIUS attribute-value pairs (AVPs) are discussed as the mechanism by which policies, including VLAN assignments and access lists, are returned from the server to the switch in the Access-Accept.

The episode also addresses trending terminology: micro-segmentation (applying firewall-like policy at every endpoint rather than just at central chokepoints), Zero Trust Network Access (ZTNA, described as VPN-with-posture-assessment built in, rooted in NIST SP 800-207), and 'Universal ZTNA' as a vendor marketing evolution of NAC concepts. Posture assessment and device profiling are explained as the process of evaluating whether a device meets security requirements (e.g., running a patched OS, having antivirus installed) before or during network admission.

The hosts candidly discuss vendor marketing dynamics — how legacy technologies like NAC get rebranded, bundled into larger security platforms, and sometimes require new hardware purchases to unlock features. Holly shares frustration from her HPE/Juniper sales role navigating these overlaps between technical standards and marketing terminology.

The episode closes with a survey of major NAC/AAA server solutions: HPE Aruba ClearPass, Cisco ISE (Identity Services Engine), legacy Cisco ACS, ForeScout 4D, Fortinet FortiNAC, Extreme Networks Extreme Control, Portnox Cloud, Olicity (micro-segmentation startup), Microsoft NPS (noted as rarely used in practice), and PacketFence (free and open-source, now under Akamai). Palo Alto Networks is noted as a major security vendor without a dedicated NAC product, though it integrates with third-party NAC solutions. The hosts tease parts two and three of the series, which will walk through actual wired and wireless 802.1X transaction flows, with a hoped-for guest appearance from JJ Manella, author of 'Wireless Security Architecture.'

Key Insights

  • Cisco used the term 'Network Admission Control' instead of 'Network Access Control' around 2004, but this terminology has since been phased out; the current standard term is NAC.
  • The hosts argue that NAC is not just binary allow/deny — it also governs what a device can do once admitted, including VLAN assignment and access list enforcement.
  • Ethan distinguishes NAC from simple Wi-Fi password protection, arguing that NAC performs deeper evaluation of device identity and user credentials beyond just knowing a shared password.
  • For IoT and other non-802.1X devices, MAC Authentication Bypass is described as a practical fallback that allows admission based on known Ethernet MAC addresses rather than full 802.1X transactions.
  • Holly notes that RADIUS attribute mismatches are a common real-world misconfiguration issue, where policy logic fails because attribute names or formats don't match what the server actually returns.
  • Ethan argues that TACACS+ encrypts its entire payload — unlike RADIUS, which only encrypts the password — making it preferred by security-conscious administrators, though RADIUS remains dominant in NAC contexts.
  • The hosts explain that 'posture assessment' refers to evaluating specific device properties (OS version, antivirus status) to determine whether the device meets security requirements before or during network admission.
  • Ethan describes 'Universal ZTNA' as a vendor marketing evolution of NAC concepts, arguing it essentially means applying consistent security policies regardless of how a device connects — wired, wireless, or VPN.
  • The hosts argue that vendors frequently repackage legacy NAC capabilities inside larger security platforms, sometimes requiring hardware upgrades, which drives significantly larger purchases than customers originally anticipated.
  • Ethan states that Palo Alto Networks — despite being arguably the world's largest security company — does not have a dedicated NAC solution and instead integrates with third-party NAC products.
  • Holly observes that customer interest in NAC has grown exponentially in recent months, attributing it partly to the proliferation of IoT devices and increasing concern about unknown devices connecting to corporate networks.
  • Ethan notes that Microsoft's Network Policy Server (NPS) is technically available for free within Windows Server environments but is widely regarded as insufficiently robust for anything beyond basic NAC implementations.
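The 802.1X three-party exchange in the Summary and Holly's point above about RADIUS attribute mismatches both come down to what the server puts in the Access-Accept and how the switch reads it. The Python below is an added example, not code from the episode or from ClearPass, ISE or any other product named here: the server side emits the RFC 3580 VLAN assignment triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, tagged per RFC 2868) plus an optional Filter-Id naming an access list, and the switch side verifies the Response Authenticator with the shared secret, then applies the triple or refuses it when an attribute is missing, carries the wrong value, or names a VLAN the switch does not have. The attribute numbers come from the RFCs; the shared secret, identifiers, Request Authenticator, VLAN values, ACL name and known-VLAN table are constructed. Real switches differ in whether an unusable VLAN assignment fails the session or falls back to the port's configured VLAN; this example fails closed, which is the safer default.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2868 / RFC 3580.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID = 11                      # names an access list configured on the switch
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def avp(attr_type, value):
    """Type, Length (header included), Value."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + struct.pack(">I", value)[1:])


def tagged_str(attr_type, tag, value):
    return avp(attr_type, bytes([tag]) + value.encode())


def build_response(code, identifier, request_authenticator, secret, attrs):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def vlan_accept(identifier, request_authenticator, secret, vlan, acl=None, tag=1):
    """Server side: Access-Accept carrying the VLAN triple and, optionally, an ACL name."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))
    if acl:
        attrs += avp(FILTER_ID, acl.encode())
    return build_response(ACCESS_ACCEPT, identifier, request_authenticator, secret, attrs)


def name_only_accept(identifier, request_authenticator, secret, vlan):
    """Constructed misconfiguration: the policy returns only Tunnel-Private-Group-ID,
    leaving out the two companion attributes the switch needs to interpret it."""
    return build_response(ACCESS_ACCEPT, identifier, request_authenticator, secret,
                          tagged_str(TUNNEL_PRIVATE_GROUP_ID, 1, vlan))


def parse(packet):
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def split_tag(value):
    """RFC 2868: a leading byte of 0x01-0x1F is a tag; 0x00 or a larger byte means untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def authorize(packet, request_authenticator, secret, known_vlans=None):
    """Switch side. Returns (decision, detail) and fails closed on anything it cannot apply."""
    known_vlans = known_vlans or {}
    code, _identifier, response_auth, attrs = parse(packet)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return "drop", "bad Response Authenticator: wrong shared secret or forged reply"
    if code == ACCESS_REJECT:
        return "deny", "Access-Reject"
    if code != ACCESS_ACCEPT:
        return "drop", "unexpected code %d" % code
    acl = next((v.decode() for t, v in attrs if t == FILTER_ID), None)
    groups = {}  # tag -> {attribute type: value with the tag stripped}
    for t, v in attrs:
        if t in TUNNEL_ATTRS:
            tag, body = split_tag(v)
            groups.setdefault(tag, {})[t] = body
    untagged = groups.pop(0, {})  # untagged attributes apply to every tag group
    candidates = [{**untagged, **g} for g in groups.values()] or ([untagged] if untagged else [])
    if not candidates:
        return "accept", {"vlan": None, "acl": acl}  # no VLAN attributes: port keeps its configured VLAN
    group = candidates[0]
    missing = [t for t in TUNNEL_ATTRS if t not in group]
    if missing:
        return "deny", "incomplete VLAN triple, missing attribute types %s" % missing
    if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
        return "deny", "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE802:
        return "deny", "Tunnel-Medium-Type is not IEEE-802 (6)"
    vlan = group[TUNNEL_PRIVATE_GROUP_ID].decode()
    if vlan.isdigit() and 1 <= int(vlan) <= 4094:
        return "accept", {"vlan": int(vlan), "acl": acl}
    if vlan in known_vlans:
        return "accept", {"vlan": known_vlans[vlan], "acl": acl}
    return "deny", "Tunnel-Private-Group-ID %r is neither a VLAN ID nor a VLAN name on this switch" % vlan


if __name__ == "__main__":
    # Constructed secret, identifier and Request Authenticator for a stand-alone run.
    ra, secret = bytes(range(16)), b"testing123"
    print(authorize(vlan_accept(7, ra, secret, "20", acl="GUEST-ACL"), ra, secret))
    print(authorize(name_only_accept(7, ra, secret, "20"), ra, secret))
```

The authenticator check comes first because a switch that applied attributes from an unverified reply could be steered into any VLAN by whoever can send UDP to it; the attribute checks after it are the part that turns a vague "the policy does not work" into a specific reason, which is what you want in the switch log when a server template returns a VLAN name instead of an ID or omits Tunnel-Medium-Type.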

Topics

  • Network Access Control (NAC) fundamentals
  • 802.1X port-based authentication
  • AAA: Authentication, Authorization, and Accounting
  • RADIUS and TACACS+ protocols
  • Extensible Authentication Protocol (EAP)
  • MAC Authentication Bypass
  • Captive portals for guest access
  • Device posture assessment and profiling
  • Micro-segmentation and Zero Trust Network Access (ZTNA)
  • NAC vendor landscape
