Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


NAC Overview


Network access control (NAC) is a set of policies, applied on a switch, to enforce security so that only trusted users and devices connected to the LAN of a campus or branch network is granted access to network resources. NAC also monitors and controls the activities of the users and devices after network access is granted.

You can implement NAC on a switch by configuring and deploying the port authentication profile on the switch ports..

An authentication profile defines the authentication method, fallback options, and other settings such as number of retries, maximum number of authentication requests that can be allowed for a supplicant, authentication server timeout, and so on, related to the communication between the switch and the supplicant (a user or device such as printer).

When you implement NAC in your network:

  1. A supplicant sends a request for network access to the switch, which acts as the internet gateway for a campus or branch network. A supplicant can be a computer (desktop or laptop), a tablet, a phone, a headless device such as a printer, camera, or industrial controls, or a wireless access point.

  2. The switch requests for credentials (username, password) of the supplicant, which the supplicant provides.

  3. The switch validates the supplicant credentials by using the RADIUS server (authentication server).

    If the supplicant credentials are valid, the switch grants access to the campus or branch network through one of its ports. Based on the firewall filters configured, the switch enforces polices on the supplicant to restrict access to the network resources.

    If the switch is unable to validate the supplicant credentials, the supplicant is denied network access completely or is restricted to access only the internet.

  4. Detailed session records including user and device details, session types, and service details are maintained in the RADIUS accounting server for troubleshooting, class-of-service (CoS) control, and billing purposes.

Types of Authentication

CSO allows you to configure the following types of authentication on the switch:

  • 802.1x—In this type of authentication, the supplicant is authenticated based on the credentials provided.

    You can configure the following three modes for authenticating the supplicant in a LAN or WLAN when using the 802.1x authentication:

    • Single: The switch authenticates only the first supplicant requesting network access, in a LAN. All other supplicants in the LAN that connect later to the port are allowed full access without any further authentication, based on the first supplicant’s authentication.

    • Single Secure: Allows only one supplicant in a LAN to connect to a port. No other supplicant in the LAN is allowed to connect until the first supplicant logs out.

    • Multiple: Allows multiple supplicants in a LAN to connect to a port at the same time. Each supplicant is authenticated individually.

  • MAC address authentication—In this authentication, the switch sends the MAC address of the supplicant, instead of the credentials to the RADIUS server for authentication. This type of authentication is used when the switch does not receive the authentication request packet from the supplicant. This method is also used by users (contractors or guests) and devices such as printers, cameras, and industrial controls that do not have a user interface to provide credentials.

When a supplicant is not authenticated because the RADIUS server is inaccessible or the supplicant has provided incorrect credentials, you can configure the switch to:

  • Allow network access.

  • Deny network access

  • Move the supplicant to a specific VLAN (server-fail VLAN when the RADIUS server is inaccessible and server-reject VLAN when the supplicant’s credentials are rejected by the RADIUS server)

If the RADIUS server is unreachable when reauthenticating a supplicant during a session, the supplicant is allowed access based on prior authentication. However, a new supplicant requesting network access are denied network access.

You can configure a guest VLAN on the switch to provide limited network access (only to the Internet) for:

  • Guests and contractors

  • Devices that are not 802.1X enabled and on which the MAC RADIUS authentication is not configured or supported.

For detailed information about network access control on an EX Series switch, see User Access and Authentication Feature Guide.