What is NAC?
Network Access Control
A technology that enforces security policies on devices attempting to connect to a network, controlling access based on device identity, health, and compliance status.
NAC sits at the network edge, typically integrated with switches and wireless controllers via 802.1X or RADIUS/TACACS+, to authenticate devices and assign them to appropriate network segments. Before a device gains network access, NAC checks whether it meets compliance requirements: is it a known corporate device, is the OS patched, is endpoint protection running, does the user have the right role?
Devices that pass are placed on the appropriate VLAN with the correct ACLs. Devices that fail are quarantined to a remediation network or denied access entirely. NAC also handles guest access, BYOD onboarding, and IoT device profiling, assigning constrained network access to headless devices like printers and cameras based on MAC address or device fingerprint.
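To make the admission flow above concrete, here is an added example (not code from the original page or any NAC product) of the policy decision a NAC engine makes once 802.1X/RADIUS has established who or what is connecting: profile headless devices by MAC OUI, route unknown devices to guest, limit BYOD, and quarantine corporate devices that fail posture. The VLAN numbers, ACL names, OUI table and posture fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed segment ids and a toy OUI-to-device-type table (real deployments
# use vendor OUI databases plus DHCP/HTTP fingerprints).
CORP_VLAN, REMEDIATION_VLAN, GUEST_VLAN, IOT_VLAN = 10, 99, 50, 60
KNOWN_OUIS = {"00:11:22": "printer", "AA:BB:CC": "camera"}  # hypothetical

@dataclass
class Endpoint:
    mac: str
    user_role: Optional[str] = None   # None: no 802.1X user identity (headless or guest)
    corporate_managed: bool = False   # known corporate asset (e.g. machine cert / MDM)
    os_patched: bool = False          # posture attributes reported by the NAC agent
    edr_running: bool = False

@dataclass
class Decision:
    action: str            # "permit", "quarantine" or "deny"
    vlan: Optional[int]    # segment the switch/WLC is told to place the port on
    acl: str               # downloadable ACL name returned with the RADIUS Accept
    reason: str

def oui(mac: str) -> str:
    return mac.upper()[:8]

def admit(ep: Endpoint, guest_allowed: bool = True) -> Decision:
    """Evaluate NAC policy for one endpoint and return segment + ACL assignment."""
    # 1. Headless devices have no user identity: profile by OUI, constrain to IoT VLAN.
    if ep.user_role is None and oui(ep.mac) in KNOWN_OUIS:
        kind = KNOWN_OUIS[oui(ep.mac)]
        return Decision("permit", IOT_VLAN, f"acl-iot-{kind}", f"profiled as {kind} by OUI")
    # 2. Unknown device, no identity: guest network (internet only) or outright denial.
    if ep.user_role is None:
        if guest_allowed:
            return Decision("permit", GUEST_VLAN, "acl-internet-only", "unauthenticated: guest")
        return Decision("deny", None, "", "unknown device and guest access disabled")
    # 3. Authenticated user on a personal (BYOD) device: limited access, no internal VLAN.
    if not ep.corporate_managed:
        return Decision("permit", GUEST_VLAN, "acl-byod", "BYOD device: restricted access")
    # 4. Corporate device: every posture check must pass or the port goes to remediation.
    checks = (("os_patched", ep.os_patched), ("edr_running", ep.edr_running))
    failed = [name for name, ok in checks if not ok]
    if failed:
        return Decision("quarantine", REMEDIATION_VLAN, "acl-remediation-only",
                        "posture failed: " + ", ".join(failed))
    # 5. Compliant corporate device: role-based VLAN/ACL.
    return Decision("permit", CORP_VLAN, f"acl-role-{ep.user_role}", "compliant corporate device")
```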
In a SASE world, NAC and ZTNA serve complementary roles. NAC controls physical network admission at the campus and branch level. ZTNA controls application-level access for remote and hybrid users. Organizations with significant on-premises infrastructure still need NAC for wired and wireless access control even after deploying ZTNA for remote access. The most mature security architectures integrate both, feeding NAC posture data into the ZTNA policy engine for consistent enforcement.
Related terms
ZTNA (Zero Trust Network Access): An access model that grants users connectivity to specific applications, not networks, based on identity and device posture, verified continuously per session.
Zero Trust: A security model that eliminates implicit trust based on network location, requiring continuous verification of identity, device posture, and context for every access request.
Device posture: The real-time assessment of an endpoint's security health, including OS version, patch level, disk encryption, EDR status, and compliance state, used as an input to access control decisions.
IAM (Identity and Access Management): The framework of policies, processes, and technologies that manages digital identities and controls what resources each identity can access across an organization's systems.