Definition

NAC (Network Access Control)

A solution that controls which devices can access the network and enforces connectivity conditions. ORDR integrates with NAC systems to automatically enforce segmentation policies based on device identity.

What is NAC (Network Access Control)?

Network Access Control (NAC) is a security solution that controls which devices are permitted to connect to a network and enforces conditions on network access. At its simplest, NAC can be a basic MAC address allowlist. At its most sophisticated, it evaluates device identity, compliance posture, and certificate validity before granting access, assigning devices to appropriate VLANs or segments based on their identity and risk profile.

For IoT and OT environments, NAC serves as the primary network enforcement mechanism for device identity-based segmentation policies. When an IoT device connects, NAC identifies it (through MAC OUI, certificate, or RADIUS attributes), applies the appropriate VLAN and ACL policy for that device type, and restricts it to the network segments and destinations appropriate for its classification. This network-layer enforcement operates regardless of whether the device has any native authentication capability.

The challenge is that NAC was designed around assumptions that IT devices meet: 802.1X authentication capability, certificate infrastructure participation, and predictable onboarding workflows. Most IoT, OT, and IoMT devices cannot participate in 802.1X authentication. NAC deployments that require 802.1X authentication as a condition of access will either block legitimate IoT devices or require so many exemptions that the NAC policy becomes ineffective. Effective IoT NAC relies on agentless device classification to determine access policy without requiring device-side authentication.
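The contrast described above, shown as an added example (not code from this page, from ORDR, or from any NAC product): an 802.1X-required policy and a classification-aware policy evaluated over the same endpoints. The device classes, VLAN numbers, ACL names, MAC addresses and function names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy table: device class -> (VLAN, ACL name). Values are illustrative.
POLICY = {
    "infusion-pump": (210, "acl-iomt-to-pump-server"),
    "ip-camera": (220, "acl-camera-to-nvr"),
    "plc": (230, "acl-ot-to-scada"),
}
CORP = (10, "acl-corp")
QUARANTINE = (999, "acl-quarantine")  # restrictive default for unclassified devices

@dataclass
class Endpoint:
    mac: str
    dot1x_ok: bool               # device completed 802.1X authentication
    device_class: Optional[str]  # agentless classification result, None if unknown

def strict_8021x(ep):
    """Policy that requires 802.1X: anything that cannot authenticate is denied."""
    return CORP if ep.dot1x_ok else None

def classification_aware(ep):
    """Use 802.1X where available; otherwise map the classified type to its segment."""
    if ep.dot1x_ok:
        return CORP
    return POLICY.get(ep.device_class, QUARANTINE)

def evaluate(policy, endpoints):
    """Return ({mac: decision}, [MACs of classified devices that were denied])."""
    decisions = {ep.mac: policy(ep) for ep in endpoints}
    blocked = [ep.mac for ep in endpoints
               if ep.device_class and decisions[ep.mac] is None]
    return decisions, blocked

# Constructed sample endpoints (locally administered, made-up MAC addresses).
SAMPLE = [
    Endpoint("02:00:00:aa:00:01", True, "laptop"),
    Endpoint("02:00:00:aa:00:02", False, "infusion-pump"),
    Endpoint("02:00:00:aa:00:03", False, "ip-camera"),
    Endpoint("02:00:00:aa:00:04", False, None),
]

if __name__ == "__main__":
    for policy in (strict_8021x, classification_aware):
        decisions, blocked = evaluate(policy, SAMPLE)
        print(policy.__name__, decisions, "blocked:", blocked)
```

Under the strict policy the pump and camera are denied outright; under the classification-aware policy they land in their own segments and only the unclassified device falls to the quarantine default.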

Key Facts

  • ORDR integrates with leading NAC platforms via pxGrid, REST API, and RADIUS CoA for automated policy enforcement
  • NAC without IoT classification assigns unknown devices to a default policy — often too permissive or too restrictive
  • 802.1X authentication is unsupported by over 70% of IoT and OT devices
  • NAC + ORDR classification enables per-device-type network access policies without requiring device-side authentication

How ORDR Addresses NAC (Network Access Control)

ORDR integrates with NAC platforms including Cisco ISE, Aruba ClearPass, and Forescout to provide device classification data that informs NAC policy decisions. When a device connects, ORDR's classification tells the NAC platform what the device is — so it can be assigned to the appropriate VLAN and access policy — without requiring 802.1X authentication or agent installation on the device.
