defensiva
NAC
802.1X
network access control

Network Access Control (NAC) and 802.1X Explained

What NAC is and how 802.1X works: supplicant, authenticator, RADIUS, EAP methods, MAB, posture, dynamic VLANs and the vendor landscape (ISE, ClearPass).

SecraJuly 6, 202611 min read

Network Access Control (NAC) is the layer that decides which device may connect to the corporate network and with what privileges, before that device reaches a single internal resource. Its technical engine is the IEEE 802.1X standard, which authenticates every device at the switch port or wireless access point it plugs into. Put differently: NAC is what turns Zero Trust from an architecture on paper into a policy that is actually enforced across the wired and wireless LAN. This article explains what NAC is, how 802.1X works, the EAP methods, the MAB fallback, posture assessment, guest and BYOD onboarding, dynamic VLAN assignment, and the vendor landscape.

NAC and 802.1X at a glance

  • NAC is the admission discipline: it authenticates, evaluates, and authorises the device before granting network access.
  • 802.1X is the port-based access control mechanism that makes that admission possible.
  • Three roles are involved: supplicant (the device), authenticator (the switch or wireless controller), and RADIUS server.
  • EAP methods (EAP-TLS, PEAP, TEAP) define how identity is proven; MAB covers devices with no supplicant.
  • NAC is the Zero Trust enforcement layer on the LAN and provides direct evidence for NIS2, GDPR article 32, and the Spanish ENS.

What is Network Access Control (NAC)

NAC answers a question the perimeter firewall does not resolve: who and what is connected inside your network. A firewall filters traffic between zones, but once a laptop, a printer, or an IoT device gets a physical port or a wireless association, it is already in. NAC closes that gap: it requires the device to prove its identity and its health before it receives a usable IP address and access to internal segments.

A mature NAC deployment covers four functions: authentication of the user or device, posture assessment (patches, antivirus, disk encryption), authorisation in the form of a VLAN, ACL, or segment tag, and continuous visibility of everything connected. That combination stops an unmanaged machine or a rogue device from plugging into a meeting-room jack and landing on the same flat network as the servers. It is the natural complement to network and systems hardening, which shrinks each host's attack surface but does not control who comes in through the port.

How 802.1X works: supplicant, authenticator, and RADIUS

IEEE 802.1X (current revision 802.1X-2020) is a standard for port-based network access control. It keeps the port in an "unauthorised" state, where only authentication traffic flows, until the device proves its identity. Only then does the port open to normal traffic. Three roles take part:

  • Supplicant: the client software on the device. On Windows it is Wired/WLAN AutoConfig, on Linux wpa_supplicant, on macOS the EAPOL subsystem. It presents the credentials.
  • Authenticator: the access switch or wireless LAN controller (WLC). It blocks the port and relays messages between supplicant and server. It is also called the NAS (Network Access Server).
  • RADIUS server: it makes the actual decision. It validates credentials against a directory (Active Directory, LDAP) or a PKI. Examples: Cisco ISE, Aruba ClearPass, FreeRADIUS, or Microsoft NPS.

The dialogue between supplicant and authenticator travels over EAPOL (EAP over LAN). The authenticator re-encapsulates that EAP inside RADIUS (RFC 2865) toward the server. Identity is therefore verified by a centralised component, which ties network access to your identity and access management (IAM).

The authentication flow

  1. The device connects to the port or associates with the SSID. The port is unauthorised.
  2. The authenticator sends an EAP-Request/Identity and the supplicant replies with its identity.
  3. The authenticator forwards the request to RADIUS. The EAP method is negotiated and, where applicable, a TLS tunnel is established.
  4. The server validates credentials or certificate and answers Access-Accept or Access-Reject.
  5. On an Access-Accept, RADIUS includes the authorisation attributes: VLAN, downloadable ACL (dACL), or segment tag.
  6. The authenticator opens the port on the assigned VLAN. The device gets DHCP and reaches only what the policy allows.

EAP methods: EAP-TLS, PEAP, and TEAP

EAP (Extensible Authentication Protocol) is the framework that carries the specific authentication method, and choosing it defines the robustness of the whole deployment:

  • EAP-TLS: mutual authentication with X.509 certificates on both client and server. It is the strongest method because it does not rely on passwords, but it requires a public key infrastructure (PKI) that issues and revokes certificates. It is the de facto standard in Zero Trust environments.
  • PEAP (with MSCHAPv2): builds a TLS tunnel validating only the server certificate, then authenticates the user with domain credentials inside it. It is easier to deploy, but it rests on passwords and inherits their exposure to phishing and reuse.
  • TEAP (RFC 7170): a modern tunneled EAP that allows EAP chaining, meaning it authenticates the machine and the user in a single session. This is key to telling a corporate laptop with a valid user apart from a personal device using the same credentials.

The practical recommendation: EAP-TLS or TEAP for the managed fleet, and reserve PEAP only where the PKI does not yet reach.

MAB: the fallback for devices with no supplicant

Printers, IP cameras, phones, access readers, and much of the IoT estate carry no 802.1X supplicant. For them there is MAB (MAC Authentication Bypass): the switch captures the device's MAC address and sends it to RADIUS as the identity. If the MAC is on an authorised list, the port opens.

The problem is obvious: a MAC address is trivially forgeable, a direct spoofing vector. That is why MAB must never be used on its own. It is combined with profiling to confirm that the device really behaves like what it claims to be, and it is confined to restricted VLANs with strict ACLs. It is a pragmatic concession to the reality of the estate, not strong authentication.

Profiling, posture, and dynamic VLAN assignment

A serious NAC does not just say yes or no. It adds two layers of intelligence and one of enforcement:

Profiling. The system classifies each device by cross-referencing passive signals: DHCP fingerprint, CDP and LLDP, SNMP queries to the switch, and HTTP user-agent. This tells a camera apart from a Windows laptop even when both use MAB, and it flags when an authorised printer MAC starts behaving like a Windows host, a classic sign of impersonation.

Posture assessment. Before granting full access, an agent (Cisco ISE Posture, ClearPass OnGuard) or an agentless check verifies the endpoint's state: active antivirus, up-to-date patches, disk encryption. A device that fails is steered to a remediation VLAN with access only to update servers. This is the same state verification that Zero Trust demands, applied at admission.

Dynamic VLAN assignment. Authorisation is delivered through standard RADIUS attributes (RFC 3580): Tunnel-Type with value 13 (VLAN), Tunnel-Medium-Type with value 6 (802), and Tunnel-Private-Group-ID with the VLAN identifier. The same physical port places a guest on an isolated VLAN, an employee on the corporate one, and an IP camera on the OT one, with no re-cabling. On top of that you apply dACLs (per-session downloadable ACLs) or segment tags (TrustSec SGT) for fine-grained microsegmentation. When something changes mid-session, CoA (Change of Authorization, RFC 5176) instructs the switch to re-authenticate or quarantine the port without physically disconnecting the device.

Guest and BYOD onboarding

Two flows concentrate much of NAC's operational value:

  • Guests: a captive portal with self-registration or sponsorship, temporary credentials, and confinement to an Internet-only VLAN with no visibility of the internal network.
  • BYOD: a guided provisioning flow that installs the network profile and, in EAP-TLS deployments, issues a device certificate via SCEP or EST. The personal device is authenticated by certificate and segmented by policy, with no access to managed-fleet resources.

Deployment modes: monitor, low-impact, and closed

The most expensive mistake in NAC is enabling 802.1X in closed mode on day one and cutting half the workforce off the network. A realistic rollout is phased:

  1. Monitor mode (open): 802.1X logs who would pass and who would not, but blocks nothing. It serves to inventory and tune the policy with no impact.
  2. Low-impact mode: a pre-auth ACL lets essential services through (DHCP, DNS, PXE) while the rest starts to be blocked.
  3. Closed mode: full enforcement. With no valid authentication, there is no network.

It should be paired with hardening of the switch itself (port-security, DHCP snooping, Dynamic ARP Inspection) so the access infrastructure is not the weak link.

Vendor landscape: ISE, ClearPass, Forescout, FortiNAC

The NAC market in 2026 is split across platforms with different approaches. The choice depends on the existing network stack and on how much agentless coverage is required.

  • Cisco ISE: the natural option in Cisco networks. Very strong in TrustSec (SGT), posture, and CoA, with a demanding operation.
  • Aruba ClearPass: vendor-agnostic, strong in multivendor environments and in BYOD and guest onboarding.
  • Forescout: its hallmark is agentless visibility and deep device discovery, highly valued in heavy IoT and OT environments.
  • FortiNAC: integrated into the Fortinet ecosystem, attractive when FortiGate is already running at the perimeter.
  • PacketFence: a mature open-source alternative with 802.1X, captive portal, and CoA, useful to avoid per-endpoint licensing.

NAC, Zero Trust, and compliance (NIS2, GDPR art. 32, ENS)

NAC is the piece that lands Zero Trust at the network layer: every device is authenticated and authorised per session, with no implicit trust for being "inside". That control also produces direct evidence for regulation: NIS2 (article 21) requires access control and asset management; GDPR article 32 calls for appropriate technical measures, and knowing what connects to the network that processes personal data is one of the most basic; the Spanish ENS (Royal Decree 311/2022) covers access control (OP.ACC) and network segmentation. A well-run NAC turns those requirements into auditable logs of who, with which device, and with what posture accessed each segment.

Frequently asked questions

What is NAC in networking?

NAC (Network Access Control) is the set of technologies and policies that control which devices may connect to a network and at what level of access. It authenticates the device, assesses its security state, and authorises it to a specific segment before letting it reach internal resources.

What is the difference between NAC and 802.1X?

802.1X is the port-based authentication standard that makes access control possible; NAC is the complete solution that uses 802.1X (or MAB) and adds profiling, posture, guest portals, BYOD, and dynamic response. 802.1X is the engine, NAC is the full vehicle.

Which EAP method should I use?

For managed devices, EAP-TLS with certificates, or TEAP if you need to chain machine and user authentication. PEAP-MSCHAPv2 is acceptable as a transition, but because it relies on passwords it is weaker and should be migrated to certificates once the PKI is available.

How are printers and IoT devices authenticated without 802.1X?

With MAB (MAC Authentication Bypass), which authorises the port based on the MAC address. Since the MAC can be spoofed, MAB must always be combined with profiling and with confinement to restricted VLANs to limit the risk.

Does NAC replace the firewall?

No. NAC controls admission to the network and its internal segmentation; the firewall filters traffic between zones and toward the Internet. They are complementary layers of defence in depth, not alternatives.

Network access audit with Secra

At Secra we review NAC and 802.1X deployments with a focus on what really matters: that the policy holds up against an attacker, not just that it "works". Our infrastructure audit includes a review of the 802.1X design (EAP methods, MAB usage, VLAN and ACL segmentation), bypass testing at the access layer, validation of the posture policy, and verification of switch and controller hardening. The deliverable documents prioritised findings and provides the access control evidence required by NIS2 and GDPR article 32. If you are deploying 802.1X or want to validate the one you already have, contact Secra and we will set up an initial no-commitment session.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article