By: shanna November 1, 2007 12:14 pm
Location: Sunnyvale, CA


Now that we have a simple definition of NAC, let’s take a closer look at how it works. The NAC process generally has three steps:

  1. Assessment - identifying systems to check and gathering data about them
  2. Evaluation - deciding what network access should be granted
  3. Enforcement - enforcing decisions made during the Evaluation step

NAC may include other steps, such as remediation (fixing problems with the endpoint) and ongoing monitoring (of endpoint behavior and health), but the three steps listed above are the primary ones. Let’s look at each of those steps in more detail.

Assessment is all about gathering the data needed to make a NAC decision. This can include information about endpoint health, user identity, endpoint identity, and even other things like endpoint behavior and geographical or network location. There are many ways to do assessment: installing software on the endpoint, running a remote scan, etc.

Evaluation varies from one NAC system to another, but it generally involves comparing the information gathered during the Assessment step against a NAC policy to decide what network access should be granted. These policies can be complex, with different rules for different groups. For example, “engineers have no endpoint requirements but can only access engineering equipment and company-wide services”.

Enforcement ensures that the appropriate level of network access is granted, based on the results of the Evaluation step. There are many ways to do enforcement: with switches, wireless access points, firewalls, etc. Each approach has its own pros and cons.
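The sketch below is an added example, not code from the original article or from any NAC product, showing how the three steps hand off to one another. The "engineers" policy follows the example quoted above; the "finance" group, the two health checks, the segment names and the remediation segment are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assessment:
    """Data gathered about one endpoint during the Assessment step."""
    user: str
    group: str                # derived from user identity
    antivirus_running: bool   # endpoint health facts (constructed checks)
    patches_current: bool

@dataclass(frozen=True)
class Policy:
    required_checks: tuple        # Assessment attributes that must be True
    allowed_segments: frozenset   # network segments the group may reach

# Hypothetical policy table. "engineers" mirrors the article's example;
# "finance" and every segment name are constructed for illustration.
POLICIES = {
    "engineers": Policy((), frozenset({"engineering", "company-wide"})),
    "finance": Policy(("antivirus_running", "patches_current"),
                      frozenset({"finance", "company-wide"})),
}
REMEDIATION = frozenset({"remediation"})  # assumed quarantine segment

def evaluate(a: Assessment) -> frozenset:
    """Evaluation step: return the segments this endpoint may reach."""
    policy = POLICIES.get(a.group)
    if policy is None:
        return frozenset()        # unknown group: default deny
    failed = [c for c in policy.required_checks if not getattr(a, c)]
    if failed:
        return REMEDIATION        # unhealthy: remediation segment only
    return policy.allowed_segments

def enforce(granted: frozenset, destination: str) -> bool:
    """Enforcement step: the per-connection decision a switch or firewall applies."""
    return destination in granted

SAMPLE = [  # constructed assessment results
    Assessment("alice", "engineers", False, False),
    Assessment("bob", "finance", True, False),
    Assessment("carol", "contractors", True, True),
]

if __name__ == "__main__":
    for a in SAMPLE:
        granted = evaluate(a)
        print(a.user, sorted(granted), enforce(granted, "engineering"))
```

Note the two failure paths: an endpoint that fails its group's health checks is limited to remediation, while an endpoint whose group has no policy gets no access at all.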

In order to really understand NAC, we need to dive deeper. I’m going to write a separate article on each of these steps, looking at the various technologies people use (802.1X, firewalls, NAC appliances, etc.) and the pros and cons of each.

