Four Steps to Enforcing Access Policies with NAC

How to enforce network access policies with confidence and without disruptions.

by T. Kent Elliott

The attention paid to Network Access Control (NAC) stems largely from the promises the technology has made to network administrators. What is hype, what is reality, and what is it about NAC that has captivated the industry? Why do security and network professionals keep such a watchful eye on this technology?

Simple. It promises to make their lives easier.

Let’s strip away the hype. A bona fide NAC solution delivers two distinct and indispensable capabilities:

  • the flexibility that allows an administrator to write network access policies that align with an organization’s business needs
  • the ability to enforce those policies in a manner that is not disruptive to the business process or the network staff.

This remains a tall order for most NAC products available today. However, if you’re in the market for NAC, don’t move forward until you’ve found a solution that meets these tests.

Enforcing NAC Policies

Automatic enforcement of network security policies lets network administrators control connected users and ensure that they remain in compliance with corporate policies and regulations at all times. The challenge is that most network administrators and security teams are so fearful of network disruptions that enforcement is never activated. Instead, scarce staff time is spent watching alerts and addressing violations by hand.

This is the dilemma network security professionals face in deploying NAC for automatic enforcement of network security policies: the perceived risk outweighs the potential gain. For NAC to be of value, policies must be enforced, and the enforcement must be in line with business policies and practices so that it does not increase the burden on other groups, such as the help desk.

The question remains: How do you get to the point where a policy can be enforced with confidence and without disruptions? The answer is straightforward. The NAC solution must provide flexibility, especially in its range of enforcement options, and a step-by-step methodology for reaching full enforcement with minimal risk of disrupting the network.

Choosing the Right NAC Enforcement Tool

Enforcing network security policies first requires understanding what types of policies are right for the business and what level of disruption is acceptable for specific policy violations. For example, if an organization's internal security policy is to ban instant messaging applications from users in the finance group, the enforcement decision becomes whether to block the offending user's access to the network entirely for violating this policy (highly disruptive) or to use a less disruptive option (such as automatic termination of the violating application).

Second, each internal policy must be paired with an enforcement option. Continuing the instant-messaging example, a NAC product that offers the full spectrum of enforcement options could simply notify the user of the violation (by intercepting the user's Web session and redirecting it to a notice page, for example), move the user to a quarantine VLAN to contain the risk, or block the user's access entirely. These graduated choices let the organization limit access while the user remains productive.

Even greater flexibility comes when the solution can treat the same policy violation differently depending on the user. For one violation, a company might block finance staff immediately and completely until it is corrected, while only warning the outside sales team and giving them three days to correct it. Furthermore, the CEO may never be blocked, while visitors are always blocked or permitted Internet access only.

The hallmark of a mature NAC tool is the breadth of enforcement options available. The solution should provide network administrators with the ability to match the degree of violation with the exact level of enforcement required by the organization.

Rolling Out Effective NAC Policies without Fear

The following four-part deployment plan helps ensure that NAC policies and enforcement are rolled out without fear of damaging the network or shutting out compliant users. The plan follows a phased approach, giving administrators in-depth knowledge of how NAC policy enforcement will affect the network before it goes live. Together, these four phases have consistently proved effective; shortcuts have consistently produced unexpected problems.

Step 1: Audit

The Audit phase shows, for each NAC policy, the impact that policy would have on the network if it were moved into enforcement mode. A mature NAC solution provides an audit capability that automatically discovers every asset connected to the network and its degree of compliance with the policies under review. The audit exposes the number and location of connected assets, as well as the general picture of mobile devices moving into and out of the infrastructure. Typically, this process also reveals rogue resources, or resources that have simply been forgotten.

During the Audit phase, NAC policies run in monitor mode. Turning on a policy and seeing its real impact without enforcing it yields powerful information, helping an organization accurately assess current compliance with the new policy. Armed with this information, administrators can proceed with confidence through the next phases, in which users are notified of the network security policies that are about to be enforced.

Step 2: Inform

The next step is to educate all users on the network security policies and give them a timeframe in which enforcement will be turned on. With a robust NAC solution, this can be automated through Web-session interrupts: the user's Web session is intercepted and a customized message informs the user of the policy. Taking this a step further, NAC can require the user to acknowledge and accept the notice through a re-login within the intercepted browser session. Note that such interception is transparent only for plain HTTP; rewriting an HTTPS session would trigger a browser certificate warning, so the notice should be served on an unencrypted request.

In a typical rollout, this step alone begins to reduce the number of non-compliant devices as users become aware of the policies.

Step 3: Educate

The Educate phase gets personal. Now that all users have been generally informed of the policy, focus shifts from the masses to specific violators. This phase addresses users who are not in compliance directly, informing them of their status. The NAC tool should integrate with directory services (e.g., Active Directory) so that it can use identity information to address each violator by name. In addition to this direct communication, the notification can be linked to an e-mail to the violator's supervisor and to human resources, and logged in the violator's employment file.

Addressing violators by name typically instills a greater sense of urgency and brings most remaining devices into compliance, again without turning on enforcement.

Step 4: Enforce

Finally, after the Audit, Inform, and Educate phases, the network team knows exactly how many violators remain, usually a relatively small number of devices at this stage. Moving into enforcement mode, they know exactly how many users will be affected. If the NAC tool is flexible in the types of enforcement it supports (as discussed above), the team can switch to full enforcement with a high level of confidence.
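The per-group enforcement choices described under "Choosing the Right NAC Enforcement Tool" and the four rollout phases above, modelled together in a small Python policy evaluator. This is an added illustration, not ForeScout's product or code: the policy name, the directory groups, the devices, the dates and the access categories are all constructed, and the decision that sales staff are blocked once their three-day grace period lapses is an assumption of mine, since the article does not say what happens after the grace period.

```python
"""Toy NAC policy evaluator: per-group enforcement plus a phased rollout.
Added illustration, not ForeScout code; every name, group, device and date is constructed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Phase(Enum):
    AUDIT = "audit"       # monitor mode: record violations, nothing user-visible
    INFORM = "inform"     # general notice to every user; enforcement date announced
    EDUCATE = "educate"   # violators addressed by name, supervisor/HR copied
    ENFORCE = "enforce"   # the configured access decision is applied


class Access(Enum):
    ALLOW = "allow"
    INTERNET_ONLY = "internet_only"
    QUARANTINE = "quarantine_vlan"
    BLOCK = "block"


@dataclass(frozen=True)
class Rule:
    access: Access        # access once enforcement applies (ALLOW means warn only)
    grace_days: int = 0   # warn-only window counted from the first violation


@dataclass
class Policy:
    name: str
    rules: dict[str, Rule]   # directory group -> rule
    default: Rule = field(default_factory=lambda: Rule(Access.QUARANTINE))


@dataclass
class Device:
    owner: str    # identity resolved from the directory (e.g. Active Directory)
    group: str
    first_violation: dict[str, date] = field(default_factory=dict)  # policy -> first seen


@dataclass(frozen=True)
class Decision:
    access: Access
    notice: str | None       # None, "general" (policy announced) or "personal" (named)
    escalate: bool = False   # e-mail supervisor and HR, log to the employment file


def evaluate(device: Device, policy: Policy, phase: Phase, today: date) -> Decision:
    """What the NAC does to one device for one policy in the given rollout phase."""
    if phase is Phase.AUDIT:
        return Decision(Access.ALLOW, None)               # observe only
    if phase is Phase.INFORM:
        return Decision(Access.ALLOW, "general")          # everyone, compliant or not
    if policy.name not in device.first_violation:
        return Decision(Access.ALLOW, None)               # compliant: never touched
    if phase is Phase.EDUCATE:
        return Decision(Access.ALLOW, "personal", escalate=True)
    rule = policy.rules.get(device.group, policy.default)  # Phase.ENFORCE from here on
    deadline = device.first_violation[policy.name] + timedelta(days=rule.grace_days)
    if today < deadline:
        return Decision(Access.ALLOW, "personal")         # inside the grace window
    return Decision(rule.access, "personal")


def remaining_violators(devices: list[Device], policy: Policy) -> list[str]:
    """Who is still out of compliance: the number the team wants before enforcing."""
    return [d.owner for d in devices if policy.name in d.first_violation]


def enforcement_preview(devices: list[Device], policy: Policy, today: date) -> Counter:
    """Audit-phase answer to 'what would happen if I enforced this today?',
    computed without changing anyone's access."""
    return Counter(evaluate(d, policy, Phase.ENFORCE, today).access for d in devices)


# Constructed sample policy: the article's instant-messaging ban.
NO_IM = Policy(
    name="no_instant_messaging",
    rules={
        "finance": Rule(Access.BLOCK),              # blocked at once until corrected
        "sales": Rule(Access.BLOCK, grace_days=3),  # warned, 3 days to fix; block afterwards is an assumption
        "executive": Rule(Access.ALLOW),            # the CEO is never blocked, only told
        "visitor": Rule(Access.INTERNET_ONLY),      # visitors get the Internet and nothing else
    },
)

TODAY = date(2024, 6, 10)   # constructed reference date
DEVICES = [                 # constructed inventory, as an audit might discover it
    Device("alice", "finance", {"no_instant_messaging": date(2024, 6, 9)}),
    Device("bob", "sales", {"no_instant_messaging": date(2024, 6, 9)}),
    Device("carol", "sales", {"no_instant_messaging": date(2024, 6, 1)}),
    Device("dan", "executive", {"no_instant_messaging": date(2024, 6, 9)}),
    Device("guest-7", "visitor", {"no_instant_messaging": date(2024, 6, 10)}),
    Device("erin", "engineering", {"no_instant_messaging": date(2024, 6, 9)}),
    Device("frank", "finance"),   # compliant
]

if __name__ == "__main__":
    print({a.value: n for a, n in enforcement_preview(DEVICES, NO_IM, TODAY).items()})
    print("still violating:", remaining_violators(DEVICES, NO_IM))
```

Running the script prints the enforcement preview (two blocks, one Internet-only, one quarantine, three untouched) before any access has changed, which is exactly the Audit-phase number the team wants; the same `evaluate` function, switched to `Phase.ENFORCE`, then produces the real decisions, so there is no separate code path to surprise anyone on cutover day.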

The end result: NAC policy enforcement and end-user compliance—without fear of unexpected disruption.

T. Kent Elliott is CEO at ForeScout Technologies. You can reach the author at
