

Network Access Control Solution

Posted on 2008-10-08
Medium Priority
Last Modified: 2013-11-29
Hi All,

I have done much research on Network Access Control (NAC) and will now ask the experts for their thoughts on how to help me in the way I would like to see NAC handled on my network.


Preventing unauthorised "anythings" from:

1. Getting an IP address from my DHCP server, period.
2. Ensuring that users with enough smarts to add an IP they found not in use to their "anything" are not able to communicate with the network, as it has not been authorised by the "gateway NAC Server" by having its MAC added by IT staff.

Being "authorised" to me would mean the device would have its MAC added to a "list" and referenced or an agent installed on the workstations which poses an issue for printers, scanners and other misc legit devices.

My basic thinking would have been to

1. Add reservations using known MACs
2. Add the rest of the IPs not in use to a Windows box's TCP/IP, thus making them "in use"??

A DHCP exclusion range would not stop a device connecting that had put in valid IP details.

Does anyone know of open source or commercial software that fits this bill, or a method?


Question by:AI-SYD
Assisted Solution

namol earned 200 total points
ID: 22675738
I always like to advertise FreeNAC, if you're running Cisco gear. Also, to play devil's advocate, why would you base your NAC control solely off of MAC address when it can be easily faked with various Windows programs or from the command line on Mac/Linux clients?
LVL 32

Assisted Solution

harbor235 earned 200 total points
ID: 22702646

You should deploy dot1x; it allows you to authenticate users/systems to access your network. Unauthorized users can be segmented to guest or unauthorized VLANs where you can implement separate security policies.

harbor235 ;}

Accepted Solution

clearacid earned 800 total points
ID: 22746516
I try to avoid dot1x and NACs that are in DHCP mode... Here's why...

dot1x is complicated if you are running different hardware. In my case we have all Cisco equipment, but at my location we use a lot of unmanaged Linksys workgroup switches to enable more ports in a room (very hard to manage...).

DHCP works well, but the workaround is to configure a static IP address, which then bypasses your NAC.

The solution I ended up getting was ForeScout NAC, which has built-in IPS/IDS and NAC all in the box.

It runs on Linux (so very, very, very customizable), you can push various scripts, perform host checks; features include virtual firewalling (can isolate a host within a segment from other hosts within the same segment), built-in honeypots that integrate with IDS/IPS. Very, very low cost...

Also has USB storage device detection and the ability to disable it.

I've had it for about a month so far and it's been working really great.



Expert Comment

ID: 22746520
Also, ForeScout works by spanning all VLANs... I have a 6509 core switch and we just spanned all VLANs and configured the NAC to check network traffic.

Author Comment

ID: 22753762
Reviewing, thanks for adding comments.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 800 total points
ID: 22759942
Symantec's NAC solution is a good one; the software costs, but the Windows DHCP NAC component is actually thrown in for free, just install it on your Windows DHCP servers.
802.1x can be very effective, and there are some bypasses such as MAC address cloning... but that causes some havoc on the network depending on what MAC was cloned. A printer MAC address being cloned wouldn't be a big deal; you could easily poison ARP this way with no major side effects.
Having a cert installed on the PCs is the best way to use 802.1x, and you can still allow "dumb" devices such as network printers and faxes to be accessed by either excluding them or by saying only this MAC on this port.
So with 802.1x you can have the MAC address alone be good enough, you can have the MAC as well as a username/password authentication scheme, or you can have a cert be present in the 802.1x client and do a combination of the above.
The Cisco feature "port security" is a MAC-address-only feature you can use also,
but "port secured" ports cannot be configured for 802.1x, nor can trunks, SPAN ports or EtherChannel (unless EtherChannel is removed first).

802.1x tries to address the static IP issue if you have no DHCP or you have a NAC-DHCP that only allows the known good MACs to gain an IP.
Most NACs try to help your administration needs by having you install a client on your known good hardware, and from there you don't need to maintain a MAC white-list: the client will vouch for the PC and still need the user to authenticate as they normally do. Some NACs go further and do some checking on the host to see if it's properly patched and has the latest AV DATs. If not, the host isn't allowed to log in on the normal subnet/VLAN until those issues are remediated, and the host is allowed to connect to a subnet/VLAN that only allows it to get DATs or patches.

Cisco's NAC is complex but works well with their equipment; Symantec's NAC requires Symantec AV (SEP [Endpoint Protection], they call it), so both are on the costly side. You can again run 802.1x in a variety of ways, and you can disable/shut down unused ports etc...
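The question asks for a MAC "list" that approved devices are checked against, and the answer above notes that the real gap in a MAC/DHCP-only scheme is a known device (or a cloned MAC) talking from a self-assigned static IP. The audit below is an added example, not code from the thread or from any NAC product named in it: it compares a constructed switch/ARP snapshot against a constructed approved-MAC inventory and DHCP lease export, and reports unknown MACs, approved MACs using an IP DHCP never issued (the static-IP bypass), and one MAC seen on several ports at once (the cloning caveat namol raised). The column layouts and all addresses are assumptions made for the example.

```python
"""Endpoint audit against an approved-MAC list and DHCP leases.

Added example (not from the thread). All data below is constructed:
an inventory of MACs IT staff have approved, a DHCP lease export and a
snapshot of what the switches actually see (IP, MAC, switchport).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed approved-device inventory: MAC -> asset name.
APPROVED_MACS = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "ws-finance-02",
    "00:11:22:33:44:10": "printer-lobby",
}

# Constructed DHCP lease export, columns: ip mac hostname
DHCP_LEASES = """\
10.0.1.11  00:11:22:33:44:01  ws-finance-01
10.0.1.12  00:11:22:33:44:02  ws-finance-02
10.0.1.20  00:11:22:33:44:10  printer-lobby
"""

# Constructed switch/ARP snapshot, columns: ip mac switchport
OBSERVED = """\
10.0.1.11   00:11:22:33:44:01  Gi1/0/1
10.0.1.12   00:11:22:33:44:02  Gi1/0/2
10.0.1.20   00:11:22:33:44:10  Gi1/0/20
10.0.1.200  00-11-22-33-44-02  Gi1/0/33
10.0.1.201  de:ad:be:ef:00:01  Gi1/0/34
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # unknown-mac | static-ip-bypass | possible-mac-clone
    mac: str
    ip: str
    port: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so dash- and colon-style MACs compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_table(text: str) -> list[tuple[str, str, str]]:
    """Parse whitespace-separated rows of (ip, mac, third column); skip blanks and comments."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        rows.append((parts[0], normalize_mac(parts[1]), parts[2]))
    return rows


def audit(observed: str, leases: str, approved: dict[str, str]) -> list[Finding]:
    """Compare what the switches see with what IT staff approved and what DHCP handed out."""
    approved_macs = {normalize_mac(m) for m in approved}
    leased = {(ip, mac) for ip, mac, _ in parse_table(leases)}
    seen_at: dict[str, set[tuple[str, str]]] = defaultdict(set)
    findings: list[Finding] = []

    for ip, mac, port in parse_table(observed):
        seen_at[mac].add((ip, port))
        if mac not in approved_macs:
            # Device never added to the list by IT staff.
            findings.append(Finding("unknown-mac", mac, ip, port))
        elif (ip, mac) not in leased:
            # Approved MAC talking from an IP DHCP never issued: the static-IP bypass.
            findings.append(Finding("static-ip-bypass", mac, ip, port))

    for mac, places in seen_at.items():
        if len({port for _, port in places}) > 1:
            # Same MAC on several ports at once: cloning or a loop, not proof of identity.
            ips = ",".join(sorted(ip for ip, _ in places))
            ports = ",".join(sorted(port for _, port in places))
            findings.append(Finding("possible-mac-clone", mac, ips, ports))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. for a daily report."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(OBSERVED, DHCP_LEASES, APPROVED_MACS):
        print(f"{f.kind:20} mac={f.mac} ip={f.ip} port={f.port}")
```

This is a consistency check over data the switches already have, not authentication: a MAC on the list is only evidence that something claims to be that device, which is why the answers in this thread keep pointing at 802.1x or an agent for anything stronger than a lobby printer.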

Expert Comment

ID: 22931710
If you don't want to use either dot1x or DHCP mode, then I think what you need is either inline mode or SNMP/CLI mode.

Inline mode is to place a NAC appliance between the access switches and the distribution layer; any traffic that does not comply with your policy will be blocked. Because of the location of the appliance in the network, and because there is no agent, the solution will check only application traffic (it will not check applications installed on a host). The best in this is ConSentry.

For SNMP/CLI mode, you connect the NAC server in the core and give it the right permissions on all edge switches to configure the switches based on the policy. Bradford Networks is good in this field.

Note that more than 50% of implemented NAC solutions mix more than one mode or vendor.


Author Comment

ID: 23667568
I will attempt to resolve this issue within two weeks; still in progress and an important task.

Author Comment

ID: 23964542
Bump, any other input would be appreciated. Thanks.
LVL 38

Expert Comment

by:Rich Rumble
ID: 23964615
I've actually ditched Symantec in the 11th hour; their hardware started to fail all over the place. I called customers after bugging and bugging them for testimonials, and no customer (10 in total) had anything good to say about the hardware. And no one was running NAC the way we thought it should work, which we came to find out is because Symantec's NAC can't run the way a NAC should. Cisco failed our proof of concept as well, for different reasons.
We have tested in the past 5 days a product that is working much better, and doesn't require 802.1x. As described above by me, 802.1x is a protocol that ensures folks can't assign static IPs to themselves without first authenticating with a username/password. Same for DHCP; they don't get a DHCP IP either until they have validated.
PacketFence, the product I think we will be going with, doesn't rely on 802.1x (which can be a costly affair if you have older network gear). PacketFence can use 802.1x as well as SNMP traps, which has the main benefit of not needing to have the latest and greatest switch gear.
So far I'm impressed with this open-source offering. It is Linux based, but using the VM-Player image it was very easy to set up.

Author Comment

ID: 23976394
I appreciate all responses so far and have aimed to have this question closed in 1 month. I appreciate everyone's patience, but it takes time to test the suggestions made.

If you have a suggestion please submit it.


