What is Network Access Control (NAC)?
Learn what Network Access Control (NAC) is, how it checks identity and device posture, and VLAN-based enforcement — interview Q&A.
Expected Interview Answer
Network Access Control (NAC) is a security framework that inspects and authenticates every device before and while it is connected to a network, enforcing policies on identity, device posture (patch level, antivirus status, configuration), and role so that only compliant, authorized devices get full access, with everything else quarantined, restricted, or blocked.
NAC extends beyond simply checking who a user is; it also evaluates what the device is and what state it is in before deciding how much network access to grant. A typical NAC deployment combines an authentication layer, often 802.1X with a RADIUS backend, with posture assessment agents that check things like OS patch level, running antivirus, or disk encryption status, and a policy engine that maps the combined result to a network segment, commonly through dynamic VLAN assignment. A fully compliant corporate laptop might land on the full internal VLAN, a personal phone might land on a restricted guest VLAN with internet-only access, and a laptop missing security patches might be dropped into a remediation VLAN with access only to patch servers until it is brought into compliance. NAC solutions can also perform continuous monitoring after the initial connection, re-evaluating posture and revoking access if a device’s compliance state changes, and integrate with switches, wireless controllers, and firewalls to enforce the resulting policy network-wide rather than at a single choke point.
- Enforces both identity and device health before granting network access
- Automatically segments devices into appropriate VLANs based on policy
- Quarantines non-compliant or unknown devices instead of blocking outright
- Supports continuous, not just one-time, compliance monitoring
AI Mentor Explanation
Network Access Control is like a cricket club’s entry process that checks not just who you are, but also whether your kit passes a safety inspection before you are allowed onto the main practice ground. A member with valid ID and approved kit goes straight to the main nets; someone with valid ID but a cracked helmet gets sent to a supervised side net until the equipment is fixed. This dual check of identity plus condition, and the routing to different areas based on the result, mirrors exactly how NAC evaluates both who a device is and its security posture before deciding which network segment it lands on. The club keeps checking kit periodically too, not just once at the gate.
Step-by-Step Explanation
Step 1
Device connects
A device attempts to join the network via a wired port or Wi-Fi, triggering the NAC system to intervene before full access is granted.
Step 2
Authenticate identity
The device or user authenticates, typically via 802.1X/RADIUS, certificates, or an agent-based login.
Step 3
Assess posture
A posture check evaluates patch level, antivirus status, encryption, and configuration against the organization's policy.
Step 4
Enforce policy
Based on identity and posture, the device is placed on the appropriate VLAN — full access, restricted, or quarantine/remediation — and continuously re-evaluated.
What Interviewer Expects
- Explains NAC checks both identity AND device posture/health, not identity alone
- Describes policy-based routing into VLANs (full access, guest, quarantine)
- Knows NAC commonly builds on 802.1X/RADIUS for the authentication piece
- Mentions continuous/ongoing compliance monitoring, not just a one-time check
Common Mistakes
- Treating NAC as identical to 802.1X, when 802.1X is typically just the authentication component NAC builds on
- Assuming NAC only checks credentials and ignores device health/posture
- Thinking non-compliant devices are always fully blocked instead of quarantined for remediation
- Forgetting that NAC should re-evaluate compliance continuously, not only at connection time
Best Answer (HR Friendly)
“Network Access Control is a system that checks a device before it is allowed onto the company network, and it checks more than just a password. It also looks at whether the device itself is safe, like whether it has up-to-date antivirus and security patches. If everything checks out, the device gets full access. If something is missing, instead of just blocking it outright, the system usually puts it into a restricted area where it can only reach what it needs to fix the problem, like an update server, until it is brought back into compliance.”
Code Example
# /etc/freeradius/3.0/sites-enabled/default (simplified)
# Attribute "Posture-Status" set by an upstream health-check integration
if (&Posture-Status == "compliant") {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "10" # Full-access VLAN
}
}
elsif (&Posture-Status == "non-compliant") {
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "99" # Quarantine/remediation VLAN
}
}Follow-up Questions
- How does NAC integrate with 802.1X for authentication?
- What is the difference between agent-based and agentless posture assessment?
- How does NAC handle IoT devices that cannot run a posture agent?
- What happens to a device's access if its compliance status changes mid-session?
MCQ Practice
1. What does NAC evaluate beyond a device's identity?
NAC combines identity authentication with a device posture assessment before deciding how much access to grant.
2. What typically happens to a non-compliant device under NAC?
Non-compliant devices are commonly placed on a restricted or quarantine VLAN with limited access until they meet compliance requirements.
3. What authentication mechanism does NAC commonly build upon?
NAC deployments frequently use 802.1X for port-based authentication, backed by a RADIUS server for identity verification.
Flash Cards
What is NAC? — A framework that authenticates devices and checks their security posture before granting network access.
What does NAC check besides identity? — Device posture — patch level, antivirus status, encryption, and configuration compliance.
What happens to a non-compliant device? — It is typically quarantined onto a restricted VLAN for remediation, not fully blocked.
What does NAC commonly build on for authentication? — 802.1X with a RADIUS backend for identity verification.