NAC Overview

Network access control (NAC) is a set of policies, applied on a switch, to enforce security so that only trusted users and devices connected to the LAN of a campus or branch network are granted access to network resources. NAC also monitors and controls the activities of the users and devices after network access is granted.

You can implement NAC on a switch by configuring and deploying the port authentication profile on the switch ports.

An authentication profile defines the authentication method, fallback options, and other settings such as the number of retries, the maximum number of authentication requests allowed for a supplicant, the authentication server timeout, and so on, related to the communication between the switch and the supplicant (a user or a device such as a printer).

When you implement NAC in your network:

  1. A supplicant sends a request for network access to the switch, which acts as the internet gateway for a campus or branch network. A supplicant can be a computer (desktop or laptop), a tablet, a phone, a headless device such as a printer, camera, or industrial controls, or a wireless access point.

  2. The switch requests the credentials (username, password) of the supplicant, which the supplicant provides.

  3. The switch validates the supplicant credentials by using the RADIUS server (authentication server).

    If the supplicant credentials are valid, the switch grants access to the campus or branch network through one of its ports. Based on the firewall filters configured, the switch enforces policies on the supplicant to restrict access to the network resources.

    If the switch is unable to validate the supplicant credentials, the supplicant is denied network access completely or is restricted to access only the internet.

  4. Detailed session records including user and device details, session types, and service details are maintained in the RADIUS accounting server for troubleshooting, class-of-service (CoS) control, and billing purposes.

Types of Authentication

CSO allows you to configure the following types of authentication on the switch:

When a supplicant is not authenticated because the RADIUS server is inaccessible or the supplicant has provided incorrect credentials, you can configure the switch to:

If the RADIUS server is unreachable when reauthenticating a supplicant during a session, the supplicant is allowed access based on its prior authentication. However, a new supplicant requesting network access is denied network access.

You can configure a guest VLAN on the switch to provide limited network access (only to the Internet) for:
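The following Junos CLI configuration is an added illustration of the settings described above (authentication profile, retries, server timeout, reauthentication, server-fail fallback, and a guest VLAN) on an EX Series switch. It is not configuration generated by CSO or taken from the feature guide. The RADIUS server address 192.0.2.10, the interface ge-0/0/1.0, the profile name nac-profile, the VLAN names and IDs, and the shared secret are all placeholder values chosen for this example.

```junos
## RADIUS server the switch uses for authentication and accounting
## (address and secret are placeholders for this example)
set access radius-server 192.0.2.10 secret "<shared-secret>"
set access radius-server 192.0.2.10 port 1812
set access radius-server 192.0.2.10 accounting-port 1813

## Authentication profile: RADIUS for authentication and accounting.
## Accounting records give the RADIUS accounting server the session
## details (user, device, start/stop) referred to in step 4.
set access profile nac-profile authentication-order radius
set access profile nac-profile radius authentication-server 192.0.2.10
set access profile nac-profile radius accounting-server 192.0.2.10
set access profile nac-profile accounting order radius
set access profile nac-profile accounting accounting-stop-on-failure
set access profile nac-profile accounting accounting-stop-on-access-deny

## Guest VLAN with Internet-only reach; the restriction itself is
## enforced by firewall filters / routing, not shown here
set vlans guest vlan-id 999

## Bind the profile to the 802.1X authenticator
set protocols dot1x authenticator authentication-profile-name nac-profile

## Per-port supplicant settings (the "other settings" in the profile text)
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 retries 3
set protocols dot1x authenticator interface ge-0/0/1.0 maximum-requests 2
set protocols dot1x authenticator interface ge-0/0/1.0 server-timeout 30
set protocols dot1x authenticator interface ge-0/0/1.0 reauthentication 3600

## Headless devices (printers, cameras) that cannot run an 802.1X
## supplicant are authenticated by MAC address against RADIUS
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius

## Fallback when RADIUS rejects the supplicant: limited (guest) access
set protocols dot1x authenticator interface ge-0/0/1.0 guest-vlan guest
set protocols dot1x authenticator interface ge-0/0/1.0 server-reject-vlan guest

## Fallback when RADIUS is unreachable: keep already-authenticated
## sessions on their prior result, deny unknown new supplicants.
## Alternatives are "server-fail deny", "server-fail permit" and
## "server-fail vlan-name <vlan>"; "permit" is the weak choice because
## it grants full access to anyone while the server is down.
set protocols dot1x authenticator interface ge-0/0/1.0 server-fail use-cache
```

After committing, `show dot1x interface ge-0/0/1.0 detail` reports each supplicant's authentication state and the VLAN it was placed in, which is the quickest way to confirm that a rejected or unreachable-server case landed in the guest VLAN rather than on the production VLAN.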

For detailed information about network access control on an EX Series switch, see User Access and Authentication Feature Guide.