Skip to content
Erik Witkop August 21 2023 4 min read

Network Admission Control 101: Simplifying Network Security in Today's Complex Environment

In the not-so-distant past, networks were relatively simple, resembling a fortified castle with all the sensitive data residing within, protected by a firewall or two. Users had one straightforward way to access that data. Fast forward to today, and networks have evolved into massive football stadiums with thousands of devices and a diverse mix of employees, contractors, and guest users all seeking access at different levels. Securing such complex networking environments with various types of networks, including wired, wireless, and VPN, requires a robust solution - Network Admission Control (NAC).


What is Network Admission Control (NAC)?

The term NAC has been around for over two decades, and its concept is refreshingly simple - authenticate and authorize any device, whether human or non-human, before it gains entry to the network. Whether the device connects via wired, wireless, or VPN, NAC ensures that no unauthorized device gets through.

The 4 W's and an H of NAC

To help clients understand the key aspects of NAC, I presented a slide deck titled, "The 4 W's and an H." These W's stand for Who, What, Where, When, and How.
Who: Identifying the user.
What: Determining the type of device attempting to access the network.
Where: Locating the device, whether it's connected to a wired switch or via an 802.11 integration to triangulate the user's position.
When: Specifying the time period during which the user or device is authorized to access the network.
How: Defining the method of network access, be it wired, wireless, or VPN.

RADIUS: Enabling Efficient NAC Solutions

The values required for NAC solutions can be accessed through RADIUS (Remote Authentication Dial-In User Service). RADIUS packets contain crucial information, such as Service-Type, NAS-Port-Type, and Event-Timestamp, which allows NAC appliances to parse and authorize sessions effectively. RADIUS's extensibility through Vendor Specific Attributes (VSA) provides countless possibilities to control the authentication and authorization process for each session. Since RADIUS is a mature protocol adhering to RFC 2865 standards, NAC solutions can seamlessly integrate with different network and security products that comply with the same standards.

Challenges in NAC: Profiling Non-Human Devices

While authenticating users with supplicant software is straightforward, a more complex challenge arises when dealing with non-human devices lacking supplicants, such as IP cameras or medical equipment like saline pumps. How do we securely authenticate these devices without relying on a human operator to enter a user/password pair? The solution lies in proper device profiling.

Endpoint Profiling: The Key to Secure Authentication

Endpoint profiling involves gathering data points from a device and accurately identifying its Operating System (OS) and version. NAC solutions achieve this by analyzing various factors like MAC addresses, DHCP values, NMAP results, SNMP OIDs, and HTTP User-Agent strings. Once the device is profiled, the NAC solution can create precise authorization rules based on specific device characteristics. However, challenges may arise when the profiling lacks sufficient protocol-based information or when the NAC solution lacks a specific device profile. In such cases, administrators might need to simplify the rules to ensure secure access.

Vendor Specialization and Architectures

Different NAC vendors specialize in various areas of profiling, such as medical devices or IoT devices. Depending on your environment, extensive research and testing with actual devices in a lab are essential to ensure accurate endpoint profiling.
Additionally, NAC vendors offer different architectural approaches. For instance, Cisco's ISE can gather profile data globally without additional appliances at each location, making it a scalable solution. In contrast, ForeScout's architecture requires local appliances at each location, which can be costly. Performance and scalability of profiling protocols can vary across vendors and products, so it's crucial to evaluate their performance and scale numbers.

Integrating NAC Solutions: Trusting the Experts

Deploying NAC solutions can be complex and time-consuming. That's where experienced integrators like Iron Bow come in. With a proven track record, Iron Bow has designed and implemented NAC solutions across diverse networks worldwide. Enforcing NAC policies on wired, wireless, and VPN connections, Iron Bow ensures endpoint integrity through periodic and real-time posture assessments. Trusting experts in the NAC field is crucial to successfully navigate the challenges and complexities of securing modern networks.
Iron Bow has designed and implemented NAC solutions across Federal and Civilian networks across the globe. Designing complex networks for more than 100,000 endpoints, Iron Bow can enforce NAC policies on wired, wireless, and VPN across the enterprise. Iron Bow designs solutions that ensure the integrity of the endpoint through periodic and real-time posture assessments of the endpoint before they are granted access to the network. Ultimately, deploying a NAC solution can be complicated and time consuming. Trust in an experienced integrator with a proven track record around NAC. 
Ready to see for yourself? Reach out to our team of cyber experts to get started.

Erik Witkop

Erik is the Tech Director covering DOD at Iron Bow. Erik’s primary responsibility is to help Federal Agencies secure their data at rest and data in transit, wherever it may live. Erik worked at Cisco for a total of 12 years, 8 of which were within the ISE Business Unit where he was a QA lead for ISE profiling. He holds a Masters in Cybersecurity from UMGC as well as two CCIE’s and a CISSP certification. He also has a patent for software that he wrote while working in SecOps at Sprint’s ISOC. Erik is an avid guitarist and attempts to play ice hockey three times a week.