An introduction to network access control (NAC)

For decades, network access control (NAC) standards such as IEEE 802.1X (which defines resources that can be shared over a network using ports) and WPA (which enforces access control and data encryption for wireless networks) have helped to protect devices and users.

Today, however, organizations face a new set of challenges that traditional NAC strategies are not always well-suited to handle. For example, the rise of IoT devices, which sometimes are not supported by traditional NAC protocols, as well as the proliferation of “shadow” devices, require new approaches to NAC.

This article defines NAC, explains the benefits and limitations of NAC, and discusses best-practices for optimizing NAC strategies on modern networks.

What is network access control?

Network access control, or NAC, is the set of tools, processes and protocols that govern access to network-connected resources. It is a multifaceted discipline that involves access control solutions for different types of resources, including conventional PCs and servers, and also network routers, IoT devices and more.

NAC also applies to data that travels over the network, and the resources it helps to secure may be physical (as in the case of hardware routers or servers) or software-defined, virtual resources (such as a software firewall or a virtual machine).

In addition, NAC extends beyond access control narrowly defined to include device identification, threat monitoring and policy-based management of access control for networked resources. It also addresses the security requirements of both wired and wireless networks, although, as we discuss below, NAC considerations sometimes vary between these two contexts.

When/why do you need network access control?

Whether you have a small network with just a handful of devices or a sprawling enterprise network that includes thousands of devices, NAC is a critical component of your overall security strategy, for several reasons.

Unauthorized devices

It’s easy to add devices to a network, but not always so easy to track them. As a result, organizations run a high risk of having unauthorized devices on their networks.

Employees may bring personal computers or phones to work and connect them to the network without properly registering them under the terms of your company’s BYOD policy, for example. Or, an IT team might set up devices for testing purposes and then forget about them, even though they are still running. Resources like these become “shadow” IoT devices that are connected to your network but not properly managed.

NAC helps to prevent unauthorized devices from being joined to your network in the first place, while also identifying those that exist so that you can take them offline or make sure they are secured properly.

Outsider access

Large organizations regularly work with contractors, partners and third-party suppliers, and must sometimes grant these external stakeholders access to their network. Without an effective NAC strategy, it’s very difficult to guarantee that these outside devices are properly secured and don’t become a vector for attack into your network. It’s also difficult to ensure that the devices are disconnected when they are no longer needed.

Data privacy laws

Government agencies and industry groups have introduced increasingly strict regulations and data privacy laws that govern which types of data are collected and stored by an organization. Without NAC, companies lack visibility into the types of resources that exist on their network and whether special compliance rules may apply to them.

For these reasons and more, organizations seeking to stay ahead of security challenges and regulatory issues must develop an effective NAC strategy.

NAC capabilities and limitations

NAC is a powerful component within a broader cybersecurity strategy. However, NAC is not a panacea. It’s important to understand which security risks NAC can and cannot address.

NAC capabilities

NAC excels at addressing several traditional types of security needs:

  • Conventional network visibility: NAC can help identify which devices exist on your network, who has access to them and how they can share resources with each other.

  • Endpoint security technology: NAC helps ensure that network endpoints—meaning physical or virtual resources that can send or receive data over the network—are secured against known vulnerabilities.

  • Authentication: NAC policies ensure that users and devices authenticate properly before they are allowed to use a network by, for example, preventing a computer from joining a wireless network unless its user enters the right passphrase.

  • Network security enforcement: NAC can identify instances where devices are not compliant with authentication or security policies.

NAC limitations

Despite these strengths when it comes to managing authentication for users and known devices, NAC is subject to several limitations in other respects.

Low visibility into IoT and unmanaged devices

One of the major limitations of NAC is that it is effective in managing security risks only for known devices, and devices that are associated with human users (like a PC or server). A device that is joined to the network and has no specific user or group of users associated with it, such as an IoT sensor, is more difficult to manage via NAC. These devices may not support traditional authentication protocols or security certificates due to hardware capacity limitations or a lack of user input.

As a result, organizations often default to trusting these devices blindly and excepting them from standard NAC rules.

Network access control for wired networks

While access to wireless networks is typically secured using protocols like WPA, wired networks often have no such controls in place. They often assign an IP address via DHCP and give full connectivity to any device that is plugged in (and even if they don’t assign an IP address automatically, the device or user can configure one manually).

This approach is convenient because it eliminates the need to manage access credentials for wired devices and users. Organizations sometimes assume that the security risks are low because only users with physical access to their infrastructure can plug in devices. The reality, however, is that unsecured wired networks are prime vectors for shadow devices to enter an organization’s infrastructure.

Monitoring for threats post-access

Because NAC focuses on controlling access to networks, it is effective only for protecting against threats that are external to a network. It doesn’t detect breaches after they occur, or protect against “insider” threats that originate on an already-authenticated device.

Ability to establish policies for devices

Unmanaged, non-user devices, such as IoT hardware, often rely on special communications protocols that are not supported by standard NAC authentication policies or tools. Faced with this challenge, organizations end up choosing between granting these devices an exception from NAC rules, or building very complex policies to accommodate them. Both approaches are far from ideal.

NAC use cases

Although traditional NAC is subject to certain limitations, NAC strategies can effectively support security needs for modern networks and workloads by taking advantage of next-generation tools or processes. Following are some examples of how NAC can address common challenges faced by organizations today.

NAC for incident response

Although NAC doesn’t detect threats post-access, NAC data can be incorporated into security monitoring platforms that use artificial intelligence (AI) or machine learning (ML) to detect threats. For example, by collecting data about normal access request patterns and analyzing it for anomalies, security monitoring tools can discover unauthorized devices that were mistakenly granted access to the network. In turn, the tools can generate alerts so that engineers can react.


NAC can mitigate risks associated with BYOD policies—which allow users to bring their own devices onto a company’s network—by using a mix of policy management, profiling, and access control to safeguard networks from unmanaged devices. For instance, an NAC tool could require users of new devices to complete a form in order to register their device before it is granted access to the network. A major limitation here, however, is that this approach won’t work for non-user devices.

NAC for IoT

On IoT networks that include hundreds or thousands of devices, NAC helps to manage inventory so that organizations have continuous visibility into which IoT devices exist and when they go online and offline. In addition, NAC tools allow teams to “lock down” IoT devices by enforcing a policy of least privilege or blocking devices from the internal network until they meet the criteria of the organization’s security policy.

NAC for medical devices

Medical devices that collect data about patients or, in some cases, are implanted inside them, can be used as gateways to collect sensitive data, such as protected health information or financial systems. NAC can mitigate these threats by segmenting medical devices from the rest of the network in order to minimize the attack surface. It can also ensure that medical devices are connected only when necessary, which also helps to minimize opportunity for attack.

In short, NAC can play a powerful role in a cybersecurity strategy, but it should never be the be-all, end-all of your cybersecurity strategy. You must instead understand and prepare for its limitations, especially when it comes to unmanaged devices and devices that don’t have human users.


Optimize your NAC deployment with Ordr

NAC is one effective tool in your cybersecurity toolbox, but to get the most out of it, you need to plug the visibility holes in your network. You must be able to identify and address risks such as shadow devices that are connected to the network without authorization, devices that are intermittently connected and therefore not always visible through conventional management tools, and IoT devices that can’t be secured using traditional authentication protocols.

Ordr Systems Control Engine (SCE) provides the visibility you need to achieve these goals. Ordr SCE complements NAC by continuously identifying unmanaged, non-user and IoT devices. It fully maps every microscopic device detail and its context at massive scale, using machine learning to inspect and baseline the behavior of every device on your network on a continuous basis. Ordr also detects exposed vulnerabilities and delivers intricate risk scores for priority attention and mitigation.

These features empower organizations to address the security risks that their NAC solutions don’t detect or can’t manage. In a world where BYOD practices and IoT networks are on the rise, Ordr SCE helps to plug critical gaps in your security strategy.