What is network access control (NAC)?

Network access control (NAC) is a security solution that enforces policy on the devices and users connecting to a network, controlling access to increase visibility and reduce risk. NAC verifies who and what is connecting, checks whether a device meets security policy, and then grants, restricts, or blocks access based on the result.

NAC is commonly used to manage access for employees, guests, contractors, BYOD devices, and IoT and medical devices on the same network. When a device does not meet policy, a NAC system can deny access, place the device in a quarantined area, or grant only restricted access, which keeps insecure devices from infecting the network.

NAC also plays an enforcement role in zero trust, verifying devices and users before access is granted rather than trusting them by default.

Common NAC capabilities include policy lifecycle management, profiling and visibility, guest networking, posture checks, incident response, and integration with other security tools.

Cisco Identity Services Engine (ISE) Solution

How NAC works

Why is it important to have a NAC solution?

As organizations account for the rapid growth of mobile devices accessing their networks and the security risks those devices bring, they need tools that provide the visibility, access control, and compliance capabilities required to strengthen network security.

A NAC system can deny network access to noncompliant devices, place them in a quarantined area, or give them only restricted access to computing resources, which keeps insecure nodes from infecting the network.

NAC supports the enforcement model described in NIST SP 800-207 (Zero Trust Architecture), verifying devices and users before granting access. For the underlying standard that governs port-based network access control, NAC commonly relies on IEEE 802.1X.

What are the general capabilities of a NAC solution?

NAC solutions help organizations control access to their networks through the following capabilities:

  • Policy lifecycle management. Enforces policies for all operating scenarios without requiring separate products or additional modules.
  • Profiling and visibility. Recognizes and profiles users and their devices before malicious code can cause damage.
  • Guest networking access. Manages guests through a customizable, self-service portal that includes guest registration, authentication, sponsoring, and a management portal.
  • Security posture check. Evaluates security-policy compliance by user type, device type, and operating system.
  • Incident response. Mitigates network threats by enforcing security policies that block, isolate, and repair noncompliant machines without administrator attention.
  • Bidirectional integration. Integrates with other security and network solutions through an open or RESTful API.

Use cases for network access control

  • NAC for guests and contractors: Organizations use NAC to ensure that non-employees — contractors, visitors, or partners — have network access privileges that are separate from those of employees.
    Cisco Identity Services Engine
  • NAC for BYOD: As mobile devices let employees work from anywhere, NAC for BYOD checks that employee-owned devices meet policy before they access the network.
    Cisco Identity Services Engine
  • NAC for the Internet of Things: IoT devices in manufacturing, healthcare, and other industries serve as additional entry points for attackers. NAC reduces these risks by applying defined profiling and access policies for different device categories.
    Cisco IoT Threat Defense
  • NAC for incident response: NAC vendors can share contextual information — such as user ID or device type — with third-party security tools, and can respond to alerts by automatically enforcing policies that isolate compromised endpoints.
  • NAC for medical devices: As more medical devices come online, it's critical to identify devices entering a converged network. NAC helps protect devices and medical records from threats, improve healthcare security, and strengthen ransomware protection.
    Cisco Medical NAC

Common questions about network access control

Network access control (NAC) is a security solution that enforces policy on the devices and users connecting to a network to control access, increase visibility, and reduce risk. It verifies devices, checks policy compliance, and grants, restricts, or blocks access based on the result.

NAC works by identifying and profiling each device and user that attempts to connect, then checking them against security policy before granting access. Devices that meet policy are admitted, while noncompliant devices can be blocked, quarantined, or given restricted access until they comply.

NAC enforces access policy for devices and users connecting to a network, typically on corporate or campus networks, while Zero Trust Network Access (ZTNA) provides identity-based access to specific applications regardless of network location. NAC secures network admission; ZTNA secures application access. The two are complementary. For the full ZTNA definition, see the ZTNA page.

NAC supports Zero Trust by verifying device identity and posture before granting network access, rather than trusting a device because it is on the network. It acts as an enforcement point that applies policy at the moment of connection and feeds device context into broader Zero Trust decisions.

A NAC solution should include policy lifecycle management, device profiling and visibility, posture assessment, guest access management, automated incident response, and integration with other security tools. Together these let an organization control which devices and users connect and enforce policy consistently.