Hard2bit
Access control and networking

NAC

What NAC is

NAC (Network Access Control) is the set of technologies and policies that govern which devices and users can connect to a corporate network, under what conditions, and with what level of access. Before allowing the connection, it verifies three things: user identity, device identity and the device's security posture (antivirus up to date, patches applied, disk encryption enabled, no prohibited software). If any of the three fails, NAC can deny access, route the device to a quarantine VLAN or apply specific restrictions.

Why it matters

Modern corporate networks are no longer well-defined perimeters: they include employees with personal laptops, contractors with unmanaged devices, IoT equipment joining over Wi-Fi, connected printers and personal phones. Any of them can be the first step of an attacker who has obtained physical access, leaked credentials or a compromised device. A well-implemented NAC turns "you're inside the network, almost everything is open" into "you're inside the network but you only access what matches your identity, device and posture". Under Zero Trust, NAC is one of the operational building blocks; for ENS, NIS2 and ISO 27001 it contributes to access control and segmentation requirements.

Key points

Two basic modes: pre-admission (the device does not connect until it has been validated) and post-admission (it connects first and policy is applied based on the results). Most large organizations operate in a hybrid mode.

802.1X is the standard protocol to authenticate devices on wired and Wi-Fi networks. It is the most widespread technical foundation for NAC, together with RADIUS for centralized authorization.

NAC + network segmentation is the natural pairing: NAC classifies the device and places it in the right VLAN or microsegment. Without segmentation, NAC only decides "yes or no" at the door.

A poorly calibrated NAC blocks legitimate devices (printers, medical equipment, industrial IoT) and ends up being disabled. A controlled pilot and a prior inventory classification are what separates a successful project from operational failure.

Example: BYOD device joins the corporate Wi-Fi

A sales rep connects a personal laptop to the corporate Wi-Fi. NAC questions the device: who is the user? Successful authentication via 802.1X against Active Directory. What device is it? The NAC agent recognises it as an unmanaged device. What is its posture? Antivirus disabled, OS without recent patches. Policy says: legitimate user, unmanaged device, insufficient posture → routes to an isolated VLAN with Internet-only access, no access to internal resources. The user sees a page explaining why and how to regularise the device. Without NAC, that laptop would have had the same level of access as a managed corporate device.

Common mistakes

  • Activating NAC in block mode on day one without classifying the inventory. An industrial printer with no NAC profile goes into quarantine, stops working and breaks support operations.
  • Not including IoT and OT in scope. Industrial, medical or facility devices are the most damaging when compromised by an attacker, and precisely the hardest to integrate.
  • Confusing NAC with a firewall. The firewall filters traffic between zones; NAC decides whether you reach a zone in the first place. They complement each other.
  • Treating NAC as a one-off project instead of an ongoing capability. NAC needs continuous maintenance: new device profiles, policy tuning, integration with new asset categories.
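The decision logic behind the BYOD example and the "printer with no profile" mistake, as an added illustration (not Hard2bit's code or any vendor's product): identity, device and posture are evaluated in that order and mapped to a VLAN that the NAC server would hand back to the switch or access point. VLAN numbers, inventory profiles and the posture check names are constructed assumptions; the RADIUS attribute names are the standard ones from RFC 3580.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed VLAN numbers; in a real deployment they come from the segmentation design.
VLAN_CORPORATE, VLAN_INTERNET_ONLY, VLAN_QUARANTINE = 10, 20, 99
# Inventory profiles for agentless devices that cannot run 802.1X (constructed list).
PROFILE_VLANS = {"printer": 30, "industrial_iot": 40}
REQUIRED_POSTURE = ("antivirus_enabled", "patches_current", "disk_encrypted")

@dataclass
class AccessRequest:
    user: Optional[str]                     # None: no 802.1X supplicant (agentless device)
    authenticated: bool = False             # 802.1X/EAP result against the directory
    device_managed: bool = False            # corporate asset (agent or machine certificate)
    device_profile: Optional[str] = None    # inventory classification, if any
    posture: dict = field(default_factory=dict)  # checks reported by the NAC agent

def posture_ok(posture: dict) -> bool:
    """Every required check must be present and passing; an absent check is a failure."""
    return all(posture.get(check) is True for check in REQUIRED_POSTURE)

def decide(req: AccessRequest) -> tuple:
    """Ask the three questions in order (who, what device, what posture) and return
    (decision, vlan). VLAN 0 means the session is rejected outright."""
    if req.user is None:
        # Agentless device: a classified profile gets its own restricted segment;
        # an unclassified one lands in quarantine (the printer-on-day-one failure mode).
        if req.device_profile in PROFILE_VLANS:
            return ("restricted", PROFILE_VLANS[req.device_profile])
        return ("quarantine", VLAN_QUARANTINE)
    if not req.authenticated:
        return ("deny", 0)                              # bad credentials: no network at all
    if not req.device_managed:
        return ("internet_only", VLAN_INTERNET_ONLY)    # the BYOD case: isolated, Internet only
    if not posture_ok(req.posture):
        return ("quarantine", VLAN_QUARANTINE)          # corporate asset whose posture drifted
    return ("allow", VLAN_CORPORATE)

def radius_vlan_attributes(vlan: int) -> dict:
    """RADIUS attributes (RFC 3580) a NAC server returns to push the VLAN to the switch/AP."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}

if __name__ == "__main__":
    byod = AccessRequest(user="sales.rep", authenticated=True, device_managed=False,
                         posture={"antivirus_enabled": False, "patches_current": False})
    decision, vlan = decide(byod)
    print(decision, radius_vlan_attributes(vlan))
```

Running the script prints the BYOD outcome from the example above: `internet_only` with the isolated VLAN pushed via `Tunnel-Private-Group-ID`.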

Frequently asked questions

Are NAC and firewall the same thing?

No. A firewall filters packets between network zones based on rules (source, destination, port, protocol). NAC decides which devices and users can connect to a zone at all, based on identity and posture. They work together in modern architectures.

Is NAC viable for a mid-size organization?

Yes, especially in environments with BYOD, IoT or many contractors. There are SaaS and on-prem solutions sized for large SMBs and enterprise. The hard part is rarely licensing: it's classifying the inventory, training the network team and calibrating policies without operational disruption.

Does NAC help with ENS, NIS2 or ISO 27001 compliance?

Yes, it contributes to several controls: device identification, logical access control, segmentation, configuration management. By itself it doesn't fulfil any framework, but it is one of the technical pieces an auditor expects to see in ENS Medium/High categories, and in NIS2-regulated organizations with material exposure.