Network Access Control Solution

Posted on 2008-10-08
Last Modified: 2013-11-29
Hi All,

I have done much research on Network Access Control (NAC) and will now ask the experts for their thoughts on how to help me in the way I would like to see NAC handled on my network.


Preventing unauthorised "anythings" from:

1. Getting an IP address from my DHCP server, Period.
2. Ensuring that users with enough smarts to add an IP they found not in use to their "anything" are not able to communicate on the network, as the device has not been authorised by the "gateway NAC Server" (the MAC being added by IT staff).

Being "authorised" to me would mean the device would have its MAC added to a "list" and referenced or an agent installed on the workstations which poses an issue for printers, scanners and other misc legit devices.

My basic thinking would have been to

1. Add reservations using known MACs
2. Add the rest of the IPs not in use to a Windows box's TCP/IP configuration, thus making them "in use"??

A DHCP exclusion range would not stop a device connecting that had put in valid IP details.

Does anyone know of open source or commercial software that fits this bill? Or a method?


Question by: AI-SYD
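The second requirement above (catching a device that bypasses DHCP by configuring a static IP from an unused range) is a detection problem: the device never asks the DHCP server for anything, so the only place it shows up is in the switch or router ARP table. The following script is an added example, not something from this thread or from any of the products discussed. It assumes a Cisco-style `show ip arp` output format, an IT-maintained allowlist mapping each known MAC to its reserved IP, and a DHCP lease export; the allowlist, lease table and ARP output are all constructed sample data. It reports three things: an unknown MAC that has no DHCP lease (the static-IP bypass), an unknown MAC that did get a lease (the reservation policy is not being enforced), and a known MAC that is on an IP other than its reservation.

```python
"""Audit a Cisco-style ARP table against a MAC allowlist and DHCP leases.

Added example (not from the thread). All data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: canonical MAC -> (device name, reserved IP).
ALLOWLIST = {
    "00:00:0c:9f:f0:01": ("core-gateway", "10.0.1.1"),
    "00:11:22:33:44:55": ("finance-pc-01", "10.0.1.10"),
    "00:11:22:33:44:66": ("hp-printer-2f", "10.0.1.11"),
}

# Constructed DHCP lease export: IP -> MAC (as a Windows DHCP server would list it).
DHCP_LEASES = {
    "10.0.1.10": "00-11-22-33-44-55",
    "10.0.1.11": "00-11-22-33-44-66",
    "10.0.1.150": "de-ad-be-ef-00-01",
}

# Constructed sample of 'show ip arp' output from the gateway router.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.1.1                -   0000.0c9f.f001  ARPA   Vlan10
Internet  10.0.1.11               2   0011.2233.4466  ARPA   Vlan10
Internet  10.0.1.20               5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.1.150              1   dead.beef.0001  ARPA   Vlan10
Internet  10.0.1.200              0   aabb.ccdd.eeff  ARPA   Vlan10
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F.]+)\s+ARPA\s+(\S+)"
)


def normalize_mac(raw: str) -> str:
    """Accept Cisco dotted, colon or dash notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> list[tuple[str, str, str]]:
    """Return (ip, canonical mac, interface) for each ARP entry."""
    entries = []
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2)), m.group(3)))
    return entries


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    iface: str
    kind: str  # ip-mismatch | unauthorized-dhcp | unauthorized-static


def audit(entries, allowlist, leases) -> list[Finding]:
    """Compare live ARP entries with the allowlist and the DHCP lease table."""
    lease_by_ip = {ip: normalize_mac(mac) for ip, mac in leases.items()}
    findings = []
    for ip, mac, iface in entries:
        if mac in allowlist:
            _name, reserved_ip = allowlist[mac]
            if ip != reserved_ip:
                # Known device, but not on its reservation: static IP set by hand.
                findings.append(Finding(ip, mac, iface, "ip-mismatch"))
            continue
        if lease_by_ip.get(ip) == mac:
            # Unknown device obtained a lease: DHCP is handing out IPs to anyone.
            findings.append(Finding(ip, mac, iface, "unauthorized-dhcp"))
        else:
            # Unknown device with no lease: it configured its own address.
            findings.append(Finding(ip, mac, iface, "unauthorized-static"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_arp(SAMPLE_ARP), ALLOWLIST, DHCP_LEASES):
        print(f"{f.kind:20} {f.ip:12} {f.mac} on {f.iface}")
```

Run against the sample data this reports `10.0.1.20` (a known PC off its reservation), `10.0.1.150` (an unknown MAC that was given a lease) and `10.0.1.200` (an unknown MAC with no lease at all). Feeding it a periodic `show ip arp` capture and a fresh lease export gives a cheap audit of both requirements; as namol notes below, a MAC list is only a detective control, since the address can be changed on the client, which is why the 802.1X-based answers in this thread are the preventive complement.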

Assisted Solution

namol earned 50 total points
ID: 22675738
I always like to advertise FreeNAC, if you're running Cisco gear. Also, to play devil's advocate, why would you base your NAC control solely off of MAC address when it can be easily faked with various Windows programs or from the command line on Mac/Linux clients?

Assisted Solution

harbor235 earned 50 total points
ID: 22702646

You should deploy dot1x; it allows you to authenticate users/systems to access your network. Unauthorized users can be segmented to guest or unauthorized VLANs where you can implement separate security policies.

harbor235 ;}

Accepted Solution

clearacid earned 200 total points
ID: 22746516
I try to avoid dot1x and NACs that are in DHCP mode... Here's why...

dot1x is complicated if you are running different hardware. In my case we have all Cisco equipment, but at my location we use a lot of unmanaged Linksys workgroup switches to enable more ports in a room (very hard to manage...).

DHCP works well, but the workaround is to configure a static IP address, which then bypasses your NAC.

The solution I ended up getting was ForeScout NAC, which has built-in IPS/IDS and NAC all in the box.

It runs on Linux (so very, very, very customizable), you can push various scripts, perform host checks, features have virtual firewalling (can isolate a host within a segment from other hosts within the same segment), built-in honeypots that integrate with IDS/IPS... very, very low cost...

Also has USB storage device detection and the ability to disable it.

I've had it for about a month so far and it's been working really great.



Expert Comment

ID: 22746520
Also, ForeScout works by spanning all VLANs... I have a 6509 core switch and we just spanned all VLANs and configured the NAC to check network traffic.

Author Comment

ID: 22753762
Reviewing, thanks for adding comments.

Assisted Solution

Rich Rumble earned 200 total points
ID: 22759942
Symantec's NAC solution is a good one; the software costs, but the Windows DHCP NAC component is actually thrown in for free, just install it on your Windows DHCP servers.
802.1x can be very effective, and there are some bypasses such as MAC address cloning... but that causes some havoc on the network depending on what MAC was cloned. A printer MAC address being cloned wouldn't be a big deal; you could easily poison ARP this way with no major side effects.
Having a cert installed on the PCs is the best way to use 802.1x, and you can still allow "dumb" devices such as network printers and faxes to be accessed by either excluding them or by saying only this MAC on this port.
So with 802.1x you can have the MAC address alone be good enough, you can have the MAC as well as a username/password authentication scheme, or you can have a cert be present in the 802.1x client and do a combination of the above.
The Cisco feature "port security" is a MAC-address-only feature you can use also,
but "port secured" ports cannot be configured for 802.1x, nor can trunks, SPAN ports or EtherChannel (unless EtherChannel is removed first).

802.1x tries to address the static IP issue if you have no DHCP or you have a NAC-DHCP that only allows the known good MACs to gain an IP.
Most NACs try to help your administration needs by having you install a client on your known good hardware; from there you don't need to maintain a MAC white-list, the client will vouch for the PC and still need the user to authenticate as they normally do. Some NACs go further and do some checking on the host to see if it's properly patched and has the latest AV DATs. If not, the host isn't allowed to log in on the normal subnet/VLAN until those issues are remediated, and the host is instead allowed to connect to a subnet/VLAN that only allows it to get DATs or patches.

Cisco's NAC is complex but works well with their equipment; Symantec's NAC requires Symantec AV (SEP [Endpoint Protection], they call it), so both are on the costly side. You can, again, run 802.1x in a variety of ways, and you can disable/shut down unused ports etc...

Expert Comment

ID: 22931710
If you want to use neither dot1x nor DHCP mode, then I think what you need is either inline mode or SNMP/CLI mode.

Inline mode is to place the NAC appliance between access switches and the distribution layer; any traffic that does not comply with your policy will be blocked. Because of the location of the appliance in the network, and since there is no agent, the solution will check only application traffic (it will not check applications installed on a host). The best in this area is Consentry.

For SNMP/CLI mode, you connect the NAC server in the core and give it the right permissions on all edge switches to configure the switches based on the policy. Bradford Networks is good in this field.

Note that more than 50% of implemented NAC solutions are mixed, using more than one mode or vendor.


Author Comment

ID: 23667568
I will attempt to resolve this issue within two weeks; still in progress and an important task.

Author Comment

ID: 23964542
Bump, any other input would be appreciated. Thanks.

Expert Comment

Rich Rumble
ID: 23964615
I've actually ditched Symantec in the 11th hour. Their hardware started to fail all over the place; I called customers after bugging and bugging them for testimonials, and no customer (10 in total) had anything good to say about the hardware. And no one was running NAC the way we thought it should work, which we came to find out is because Symantec's NAC can't run the way a NAC should. Cisco failed our Proof Of Concept as well, for different reasons.
We have tested in the past 5 days a product that is working much better, and doesn't require 802.1x. As described above by me, 802.1x is a protocol that ensures folks can't assign static IPs to themselves without first authenticating with a username/password. Same for DHCP, they don't get a DHCP IP either until they have validated.
PacketFence, the product I think we will be going with, doesn't rely on 802.1x (which can be a costly affair if you have older network gear). PacketFence can use 802.1x as well as SNMP traps, which has the main benefit of not needing to have the latest and greatest switch gear.
So far I'm impressed with this open-source offering. It is Linux based, but using the VM-Player image it was very easy to set up.

Author Comment

ID: 23976394
I appreciate all responses so far and have aimed to have this question closed in 1 month. I appreciate everyone's patience, but it takes time to test the suggestions made.

If you have a suggestion please submit it.
