Enforcement Points

Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favour their own product lines: for example some traditional network companies implement access control on their layer2/3 switch (which may be a difficulty for users who have different brand switches). Here are the possible enforcement options currently available in the market:

• Inline: includes firewalls, layer 2/3 switches and purpose built appliances.
• 802.1X: IEEE standard for port based access control.
• DHCP: IP assignment restrictions.

Inline based enforcement options include firewalls, layer2/3 switches or purpose built dedicated inline appliances. Some vendor’s NAC solutions offer support for other vendor’s firewalls and switches for enforcement, which is welcome news for users who have a multi-vendor networking infrastructure.

Considerations for inline devices are:

• Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point.
• High availability: redundancy is expected, in case the primary inline device fails (and the time associated with fail over).
• The degree of separation provided between the endpoints and the business critical systems inside the network.
• Reporting from the enforcement device: for both compliant and non complaint endpoints.

802.1X or port based network access control is a protocol based on Extensible Access Protocol (EAP), an IEEE standard. New generation layer 2/3 switches offer the possibility of segregating specific IP’s onto a separate VLAN, and imposing various access control lists on the VLAN traffic.


802.1X has three major components: the Supplicant, which is the person or endpoint attempting access, the Authenticator, which is the device that the Supplicant is attempting to connect to, and the Authentication server, which holds credentials. The process of gaining access is:

• The end user machine connects to the Authenticator, which can be a WLAN access point or a LAN switch.
• The Authenticator sets the port to ‘unauthorized’, which will only permit 802.1X traffic, and requests authentication data from the endpoint. The endpoint returns it’s authentication data to the Authenticator.
• The Authenticator knows the Authentication server, and forward to the request to authentication server (typically a RADIUS server). The radius server returns a pass/fail.
• Once the authentication is successful, the Authenticator opens the port for the supplicant to join the network.

DHCP based access restriction works on the premise that the endpoint user will play by the rules of the game. Purely DHCP based restriction may not prove to be effective as it is possible to bypass. DHCP assigns quarantined or unknown end points to an IP address that is restricted by ACL’s on switches/routers. Some of the considerations for the DHCP method of enforcement are:

• Is this secure enough for the environment? Requires a risk analysis for the given environment.
• Is the existing environment’s architecture suitable for this enforcement? Possibilities here include placing a NAC server inline with DHCP.
• Does it require a significant additional outlay for the equipment?

Policy and remediation service

Policy and remediation services are the last part of NAC picture, though the endpoint assessment is done against the policy set by administrator at the very start of NAC process. Once the assessment is carried out on the endpoint, and matched against the policy for compliance, the decision to restrict or allow the endpoint is taken. If the endpoint is restricted due to a failure to comply with one or more policies, the endpoint is quarantined.