Infrastructure & Network Security

Network Access Control (NAC) Setup

  • May 9, 2025

Sherlocked Security – Network Access Control (NAC) Setup

Control Who, What, and How Devices Connect to Your Network — Enforce Security at the Edge


1. Statement of Work (SOW)

Service Name: Network Access Control (NAC) Setup
Client Type: Enterprises, Education, Healthcare, Finance, Manufacturing
Service Model: Architecture Design + NAC Deployment + Integration
Compliance Alignment: HIPAA, PCI-DSS, ISO 27001, NIST 800-53 (AC family), CIS Controls

Scope Includes:

  • NAC Policy Design & Enforcement
  • 802.1X Authentication with RADIUS Integration
  • Device Posture Assessment (corporate vs BYOD vs rogue)
  • Role-/Context-Based Access Policies
  • Guest Network Management
  • Integration with AD, MDM, SIEM, and Endpoint Security

2. Our Approach

[Asset Discovery] → [Access Policy Design] → [802.1X Rollout] → [Integration & Testing] → [Policy Optimization & Training]


3. Methodology

  • Network Discovery

    • Identify all access switches, wireless controllers, VLANs, endpoints
    • Analyze current access control mechanisms (if any)
  • Access Policy Definition

    • Define roles (employees, contractors, guests, IoT, printers)
    • Determine access levels based on risk and context
    • Establish VLAN segmentation and quarantine zones
  • NAC Platform Deployment

    • Select and deploy a suitable NAC solution (Cisco ISE, Aruba ClearPass, FortiNAC, Forescout, etc.)
    • Configure core components: RADIUS server, profiling engine, policy sets
  • 802.1X Configuration

    • Configure switch ports and wireless SSIDs for 802.1X authentication
    • Integrate with AD, LDAP, or identity providers
    • Support fallback MAC-auth for legacy/non-802.1X devices
  • Device Profiling & Posture Checks

    • Implement profiling for managed vs unmanaged devices
    • Integrate posture assessment tools (e.g., AV status, MDM compliance)
  • Guest & BYOD Access

    • Set up captive portal, self-registration, or sponsor-based onboarding
    • Isolate guest devices from production via VLAN segmentation
  • Monitoring & Enforcement

    • Enable policy-based enforcement (block, quarantine, redirect)
    • Monitor logs, profiling behavior, and authentication success/failure
  • Knowledge Transfer

    • Document policy configuration
    • Provide admin training on daily operations and troubleshooting

4. Deliverables

  • NAC Architecture & Access Policy Matrix
  • Platform Deployment & Configuration Documents
  • 802.1X Switch Configuration Templates
  • Device Classification Profiles
  • Guest Network Access Setup
  • Integration Summary with Identity & SIEM
  • Administrator Playbook
  • Troubleshooting Guide & Best Practices

5. Client Requirements

  • Inventory of switches, APs, and endpoints
  • Access to directory services (e.g., Active Directory)
  • List of user/device groups and business roles
  • Approved VLAN segmentation plan
  • Endpoint agent (optional, for posture checks)
  • Change window for switch configuration

6. Tools & Technology Stack

  • NAC Platforms: Cisco ISE, Aruba ClearPass, FortiNAC, Forescout
  • Network Infra: Cisco, Juniper, Aruba, HP, Fortinet
  • Authentication: RADIUS, TACACS+, AD/LDAP
  • Posture Tools: MDM (Intune, JAMF), AV agents, EDR tools
  • Monitoring: Syslog, SIEM (Splunk, Sentinel), SNMP traps

7. Engagement Lifecycle

  1. Network & Identity Discovery
  2. Policy Design & Access Role Mapping
  3. NAC Platform Deployment
  4. Switch/WLAN Integration & Testing
  5. Posture/Profiling Implementation
  6. Guest/BYOD Access Setup
  7. Policy Enforcement & Tuning
  8. Knowledge Transfer & Go-Live Support

8. Why Sherlocked?

Feature | Advantage
Multi-Vendor Experience | Cisco, Aruba, Fortinet, and open-source tools
Compliance-Centric Design | Policies aligned with HIPAA, PCI, ISO 27001
Zero Trust Ready | Role- and context-based enforcement
Full Lifecycle Support | From discovery to enforcement and runbook delivery

9. Case Studies

University Campus – BYOD & Role-Based Access

Problem: Students and faculty on same VLAN, poor visibility and no isolation
Solution: Deployed ClearPass with 802.1X and captive portal; role-based VLAN mapping
Outcome: Segmented access, full visibility, and 75% reduction in rogue device issues

Financial Institution – NAC with Zero Trust

Problem: Lacked endpoint validation before granting access to internal systems
Solution: Integrated Cisco ISE with MDM and AV for posture-based access
Outcome: Non-compliant devices auto-quarantined, reducing risk of lateral movement


10. SOP – Standard Operating Procedure

  1. Discovery

    • Map access switchports and connected devices
    • Inventory endpoint types and user groups
  2. Platform Setup

    • Deploy NAC platform in HA
    • Configure base RADIUS services and logging
  3. Switch Integration

    • Update port configs for 802.1X/MAC-auth
    • Test fallback scenarios for legacy devices
  4. Access Policy Creation

    • Build matrix of roles vs allowed access
    • Assign VLANs, ACLs, or SGTs as required
  5. Guest Portal Setup

    • Enable self-registration with email/SMS or sponsor approval
    • Isolate via guest VLAN
  6. Validation & Go-Live

    • Run pilot with limited groups
    • Tune policies and roll out in phases
  7. Handover

    • Document architecture and configs
    • Train admins on monitoring and troubleshooting

11. NAC Policy Design Checklist

  • [ ] Identify endpoint types and access roles
  • [ ] Map VLANs to security zones
  • [ ] Define posture check criteria
  • [ ] Ensure switch/WAP compatibility with 802.1X
  • [ ] Implement fallback for legacy and IoT devices
  • [ ] Configure guest/BYOD onboarding process
  • [ ] Validate logging to SIEM
  • [ ] Test access scenarios and policy enforcement
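
A pre-pilot lint for the role-to-VLAN matrix built in SOP steps 3 to 5 and tested in the checklist above, given here as an added example that is not Sherlocked's own tooling. The VLAN IDs, zone labels, field names and the rule that MAC-auth devices stay out of production zones are assumptions for illustration.

```python
# Added example: constructed sample data; field names and zone labels are hypothetical.
VLAN_ZONES = {10: "production", 20: "production", 30: "iot", 40: "guest", 99: "quarantine"}

# One rule per (role, auth method, posture). Two flaws are planted on purpose:
# iot lands in a production VLAN, and contractor has no non-compliant outcome.
POLICY = [
    {"role": "employee",   "auth": "dot1x",  "posture": "compliant",     "vlan": 10},
    {"role": "employee",   "auth": "dot1x",  "posture": "non-compliant", "vlan": 99},
    {"role": "contractor", "auth": "dot1x",  "posture": "compliant",     "vlan": 20},
    {"role": "printer",    "auth": "mab",    "posture": "n/a",           "vlan": 30},
    {"role": "iot",        "auth": "mab",    "posture": "n/a",           "vlan": 10},
    {"role": "guest",      "auth": "portal", "posture": "n/a",           "vlan": 40},
]

def lint_policy(policy, zones):
    """Return a sorted list of (role, finding) tuples for rules that break segmentation."""
    findings = set()
    for rule in policy:
        role, zone = rule["role"], zones.get(rule["vlan"])
        if zone is None:
            findings.add((role, "vlan-not-in-segmentation-plan"))
            continue
        # MAC-auth relies on a spoofable identifier, so keep it out of production.
        if rule["auth"] == "mab" and zone == "production":
            findings.add((role, "mab-device-in-production"))
        if role == "guest" and zone != "guest":
            findings.add((role, "guest-not-isolated"))
        if rule["posture"] == "non-compliant" and zone != "quarantine":
            findings.add((role, "non-compliant-not-quarantined"))
    # Every posture-checked role needs an explicit outcome for a failed check.
    checked = {r["role"] for r in policy if r["posture"] == "compliant"}
    failing = {r["role"] for r in policy if r["posture"] == "non-compliant"}
    for role in checked - failing:
        findings.add((role, "no-rule-for-non-compliant-posture"))
    return sorted(findings)

def decide(policy, zones, role, auth, posture, quarantine_vlan=99):
    """Resolve a session to a VLAN; anything without a matching rule is quarantined."""
    for rule in policy:
        if (rule["role"], rule["auth"], rule["posture"]) == (role, auth, posture):
            return rule["vlan"] if rule["vlan"] in zones else quarantine_vlan
    return quarantine_vlan

if __name__ == "__main__":
    for role, finding in lint_policy(POLICY, VLAN_ZONES):
        print(f"{role}: {finding}")
    print(decide(POLICY, VLAN_ZONES, "contractor", "dot1x", "non-compliant"))
```

Running the lint against the matrix before each rollout phase catches gaps that would otherwise only surface as an endpoint in the wrong zone during the pilot.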

Optional Enhancements

  • Zero Trust NAC Integration with SDP/ZTNA
  • NAC & EDR Co-Validation for Device Health
  • Automated Quarantine with SIEM Playbooks