
Want deeper visibility into your network without adding complexity? StatSeeker gives engineers near real-time performance insights, fast zero-touch deployment, and historical data going back as far as you need, so you can troubleshoot faster and prove what actually happened. It's real monitoring, built for people who love their networks. Try for free at statseeker.com slash networking.
Welcome to N Is for Networking. I'm Ethan Banks with Holly Mellitsky-Podbilac. Holly and I chat with each other about networking technologies with the beginner in mind. And so if you're maybe at university working on a degree, or you're new to the industry and trying to get your head around all these acronyms, studying for a certification exam, or you just want a review of networking technology you don't use that often, hey, we're here for you. Follow us on LinkedIn. Holly and I are LinkedIn supernodes, and connecting to us gets you one degree away from thousands of other networking professionals and awesome technology humans. You can also talk to us on the Packet Pushers community Slack group. N Is for Networking is part of the Packet Pushers podcast network, and in the Packet Pushers Slack there are thousands of people from all around the world talking about networking. You can join that Slack at packetpushers.net slash community. And while you're on our fine website, sign up for our free newsletters via the link in the menu bar, and we don't sell your addresses. We just want to share good information with you.

Today's show is going to be a gentle introduction to network access control. We have a part two and three planned as well, where we're going to dive into actual NAC conversations: what happens when a device attempts to connect to the network and the NAC kicks in and does its thing. But today is just a warm-up, where we explain what NAC is at a high level, talking through some of the jargon and acronyms, because there is so much of that to consider.

But Holly, before we even do that, I introduced you in the first sentence as Holly Mellitsky-Podbilac. And for those that have been listening to N Is for Networking for a while, they know that you've just been Holly Mellitsky, but you got married. I did, and I decided to find a new last name that was even more complicated than the one I had. Yeah. Well, you're keeping Mellitsky-Podbilac, is that where you're going? No, I think for now I'll just keep my Mellitsky in the loop so I'm findable. But eventually, when I decide to tackle all the government things and do all the admin, I'll legally change it, when all my documents expire, and deal with that. You're originally from South Africa, and you're an immigrant to the US. Now you're here permanently and all of that. But I mean, you probably have more paperwork than the average person who gets married and takes their spouse's last name. Yes. And on top of that, not only do I have my South African documents and my US documents, I'm actually a dual citizen of Lithuania. So I have documents there too. Oh boy. So I've got to change my name on three continents. So for now, it will be a social media change, and the legal stuff will happen over time. So fun fact, you mentioned dual citizen of Lithuania. I might be Canadian, I have
discovered. So Canada has changed its status for people who had grandparents or parents who were Canadian. If you can prove your lineage, they'll recognize you as a citizen. It used to be just one generation, I believe. Now you can go back, and I have grandparents that were full Canadian citizens. They lived in Nova Scotia and Quebec. And I believe I can, with some homework, figure that out. So I might be a dual citizen too, if I can get around to doing the research and the paperwork and submitting to the right governmental bodies. I don't know what advantages I'd have to being a dual citizen of Canada and the United States, but it's really interesting. I want to check that out. I had a lot of advantages, just because the South African passport doesn't really get you anywhere. So you need visas to travel pretty much anywhere. So having an EU passport was really, really beneficial for travel. I feel like the US passport is great. Well, I live really close to Canada. I'm in northern New Hampshire, and I can be at the Canadian border in about an hour and a half. And I would like to travel there and do hiking there and so on. And it might just be cool to get to the border and show them a Canadian passport. What's up? Hey, welcome. Welcome back to Canada, sir. Yes. Welcome back. Thank you. Sure.
We'll see. We'll see what happens. Well, okay. Holly, our conversation is about network access control, which we had to pause for a minute, because when I put it in the script, I'd written it as network admission control, which points to a little bit of history. That was stuck in my brain from probably 20 years ago, to call that network admission control as opposed to network access control, because that's what Cisco called it way back in 2004 or something like that. So if you're going through, if you're an old person like me, or you're reading old information, you might run into that. But Holly, you actually called me on that, because you're like, I haven't seen network admission control anywhere. Am I missing something? I mean, you haven't seen it anywhere, right? No, it was one of those things where it's like, I'm confident that it's access control, but at the same time, you know, you've been around much longer than I have. What do I know? I was like, maybe, there's so many vendor-specific acronyms, maybe it's just one of those Cisco versus HPE terms, or something that I'm missing. But in my research, I actually didn't find admission control come up anywhere. So I guess it's kind of been phased out over the years. Very much. Yeah, very much so. That really goes back. We're recording this in 2026, and that goes back to, oh, more than 20 years ago, where Cisco was using the term network admission control versus network access control. And that's long since faded out. Why it got stuck in my brain when I was writing this script, I don't know. I was doing a lot of reading and review of my networking library and digging through a whole lot of things, and I'm sure my eyes swept across it at some point and it just got stuck in there. But network access control is it, and we call it NAC, N-A-C. That's where you'll commonly see that.

So what do you think NAC is all about, Holly? So I'd like to actually talk a little bit about the fact that it was admission control versus access, because when you think about NAC, it's about possibly allowing devices or end users or endpoints onto the network. But not necessarily does every device get admission. So calling it network admission control might not be 100% accurate, because not every device trying to get onto a network gets admitted. So maybe that was the reason for the name change, but that's kind of how I think about it.
Yeah, but the word admission is really a big part of that technology. Do you get admitted or don't you get admitted? So from a conceptual standpoint, the word admission is rightly associated with network access control. That is a big part of what's going on. It's admission, but not just black or white, you can or you can't get on the network. It's also, when you're connected to the network, what are you allowed to do? So the rest of the story is, now that you've been admitted, what are the guardrails around your connection to the network? And NAC helps us govern those things as well.

So in your role at HPE, do we call it HPE or HPE Juniper? What are they telling you guys? HPE. The name Juniper has been retired. Okay, okay. So in your role at HPE, is NAC something you sell a lot? I don't know if that comes up with your customers. So it's a funny question, because initially I didn't do a lot of NAC, but very recently, and I guess maybe it's with the merger, because combined I think we have four NAC solutions across the portfolio, a lot of customers have started implementing NAC more and more. So over the last four months, I've run into it exponentially more than when I first started, which is also kind of why I wanted to go through this episode, because I touched on it in one search, but I never really did a deep dive into NAC, just kind of learned it on the job. What's driving that? Is it zero trust by HPE? I'm not sure. I think it's just everybody is becoming much more particular about who is accessing their network. And then in the context of NAC, are you designing wired or wireless solutions, or a bit of both? Both. Both. Okay. Okay. Okay. So this is a great conversation then. All right. So let's go back
to the whole admission concept here. So with NAC, we can decide whether or not a device is going to be admitted to the network. Can you connect or not? And then if you are allowed to connect to the network, what sort of access do you have to the network? So let's give a few examples here. A device could be granted guest access only: you can access the internet from that device, but nothing else. That's a thing that NAC might establish for us. Or we could say this device is fully trusted. It's been identified as a corporate laptop, and it's got all the right anti-virus stuff on it, and whatever all the checks and balances are, and the user who is associated with it. And so you've been granted network access without restriction. That's something NAC could cover for us. Or we could say the device is unknown. I don't know what this thing is. And/or there's been an authentication failure, and so access is denied, and maybe we shut the port down. Those are all reactions that NAC could have to the device.

And this is different from the normal way we connect to the network, if you think about it in the typical way. If you plug into the wall at home, things light up and off you go. There is no NAC involved there. Wireless is a little different, because unless it's a wide open SSID where you don't have to authenticate to it, you're just allowed onto the network as long as you know what the SSID password is. You go to a coffee shop and they say, here's our Wi-Fi and here's the password to get on that Wi-Fi. I wouldn't call that NAC. I'd call that just being allowed to associate with the access point. NAC takes it a step further. You're nodding your head. You're nodding your head knowingly, or agreeing with me. I agree with you. I think even having a password on your Wi-Fi is one step further. It's not authentication with NAC, but you can have just open SSIDs that anybody, no password required, can connect to. NAC takes it a step further. You're actually analyzing what the device is, and maybe you know something about it, its MAC address, or there's some sort of deeper knowledge about the user and device, if there is a user, that is being evaluated as part of the admission criteria that this device will or won't be allowed on the network, as opposed to a simple SSID where you've got the password and you can just hop on, and it doesn't make any judgments about you beyond that. And I think one other thing to note is it's one step further than, you know, back in the day you could just have access lists. Yes, I've got these 100 MAC addresses; if you see these, let them join the network. But this is, I don't want to use the word automated, but it's a little bit more critical about how something connects to the network, not just a blanket access list saying yes, you can get on. So let's try to help people understand NAC being used or not used.
So a couple of scenarios here. A wired device plugging into the Ethernet. You could apply NAC, network access control. I almost said network admission control. I have to think for a second. I want to do it again. Your brain's on autopilot. Right. So a wired device plugging into the Ethernet, you could have that port configured to perform NAC to allow or disallow that device onto the network. And again, we're going to talk in more detail here in this episode and the next couple about what all is going on. A wireless device, which we were just talking about, connecting to an access point. NAC could be applied.

So let me ask you a question. What happens when you authenticate to a VPN? Do you think NAC is being used there? That was an interesting little tidbit in our script that I was thinking about, because I hadn't thought about it. But not necessarily, because usually if you have a VPN, there's some sort of configuration that's been done prior to allow you to connect to the VPN. So you don't really need NAC, or NAC's not really needed. NAC is more for unknown, or maybe not all of them are unknown, but kind of without VPNs. Like, VPN is a side-adjacent thing to network security, and NAC is for a different use case. Yeah, I think that's a good way to think about it. NAC, in my opinion, is not what's used to authenticate to a VPN. Now, some NAC technologies might be involved in a virtual private network connection. And when we begin talking about concepts like zero trust, where the posture of an endpoint connecting into the VPN is constantly being assessed, that's getting into some NAC-like territory. But that is not what I believe we're talking about when we talk about network access control generally. NAC has this idea of port-based authentication. I'm plugging into a port. I'm authenticating to an access point. And I need to be admitted to the network. And so NAC steps in as a technology that's going to determine that you can or can't connect to this physical network, this switch that I own that's in my building, this access point that's in my building that I govern, control of who can connect or not connect. NAC is a technology that comes to bear at that point and in that context. Connecting to a VPN from a distance could involve certificates. It can involve using a password. There's probably a client involved. And there are different things that go on that may overlap with what some of NAC does, but the key words here for NAC are port-based. We're connected to a port. We're authenticating to an access point and are trying to connect to your network in your building that you own and you govern. That is really where NAC is coming to bear. Does that help?
Yes, to some extent, but I think using the terminology port-based gets a little bit confusing when you start thinking about wireless, because what port are you connecting to? Right. So it is a little bit confusing, because there is no port we're plugging into when it's wireless. We are instead authenticating and talking to an access point. But it's the same thing. It is the same thing. Sure, it's not a physical port that I'm taking a wire and plugging into and getting that satisfying click from the RJ45 when it clips in. But you are instead using a radio with an antenna to send a signal through the air and talk to the access point's antenna on the other end. And it is conceptually functioning like a port. And so yeah, although port-based makes us think of a switch with a port, an access point is functioning as a port in that context. It's just a radio and radio waves talking to each other instead of a piece of wire plugging into one another. Do you buy that? Yeah, I think we'd use the same. I think if you think about it as a port in terms of a point of entry, like how a ship docks at a port, you know, that kind of port, not a physical port, I think that might also make a little bit more sense. Yeah, you replace wire with radio waves and the jack with a radio, and I think you've got the idea. That's a fair way to put it.

Okay, so next question for you, Holly. Is NAC a protocol? No, I would say NAC is more so possibly a suite of different protocols and different concepts. It's a general umbrella of which, you know, we're talking wireless, we're talking wired, we're talking all sorts of different access control mechanisms. They all fall under the concept of NAC. Yeah, there are protocols involved with network access control, but absolutely NAC is a category. It's an umbrella technology, as you describe, that's got a whole bunch of different technologies that fall under it. The main protocol for NAC would be 802.1X, commonly spoken as just dot-1X. You're a network engineer, you don't call it 802.1X, you just abbreviate it to dot-1X, because we've got to abbreviate everything around here, or have acronyms of acronyms and so on. But yeah, dot-1X is the tool we
would use for port-based authentication. So here's a question. Let's say you roll out NAC, so you're turning on 802.1X, enabling that across your network. What happens if you have a device that doesn't speak 802.1X, some internet of things device, a smart thermostat on the wall in your building that you're controlling with some, you know, magic software, some IoT thing? What do you do then? Because you can't turn dot-1X on on that thing, so it cannot authenticate to the network. So now it kind of goes back to a little bit of what I was mentioning earlier about MAC authentication. You know, if you know these devices, you can say, okay, well, this endpoint doesn't have the ability to do dot-1X, but I'm going to allow it on the network because maybe the MAC is known. And that's why you can start doing things like MAC authentication bypass, because you have that known address. Yeah, exactly. There's a few schemes here, because this is a common problem. You turn dot-1X on, but not every device in your network is going to speak dot-1X, and so what do you do? You could just deny everybody that can't authenticate with dot-1X, but typically that's not practical. And so you end up with a scenario where, how do we handle the non-dot-1X devices? And you mentioned MAC authentication bypass. Yeah, exactly. That's one way. I know the MAC of this device, and we're talking about the Ethernet MAC. Every device is going to have one on an Ethernet network. That's part of how Ethernet functions. We've covered this in very early episodes of N Is for Networking. If you're not up on how Ethernet frames move around a network, we talk about it in great detail in, gosh, like the single-digit episodes way back at the beginning. Yeah. But so when a device comes up on the network, that MAC will be known. And you could use that MAC to make a decision about whether or not to allow that device on the network. No, it's not going to be a dot-1X transaction that happens, but using MAC
authentication bypass, you could allow that device on the network. Maybe you're a wireless device not known to the network, because you're a guest. You just walked in off the street and you're sitting in the lobby of your doctor's office, your dentist. You're about to get your teeth cleaned, and you're sitting there in the lobby waiting for them to summon you for the joy that is... I love the dentist. Side note. Love the dentist. My favorite place. But anyways, that was sarcasm. Tell me sarcasm. No, it wasn't. Love the dentist. My favorite thing. What are you talking about? Obsessed. Yeah. Fun fact, to understand this: no one likes going to the dentist. I have an obsession with clean teeth. And I think the best thing is going to the dentist and coming out and knowing that your pearly whites are just shining and clean and amazing. Love it. My family thinks I'm crazy too. But yeah, I look forward to it. I've got them scheduled every six months already on my calendar. I wait for it. That's great. I go every six months, but I'm not eager to walk in.

But when I do walk in, they do have Wi-Fi, and they've got a little sign, and I can be sitting in the lobby and get my phone out. I don't bring a laptop to the dentist, but certainly my phone, and I can hop on. And I will end up at a web portal. I'll end up at some kind of a captive portal, like you see at airports, like you see at McDonald's, lots of places that are offering free Wi-Fi. Their employees might be on some kind of dot-1X NAC sort of a system to be admitted to the network. The rest of us aren't. We're not talking NAC. We're just, you know, whoever, walking in off the street. We don't have dot-1X loaded. We're not ready to deal with that. So they'll dump us to a portal. And the portal will give us, you know, something we've got to fill in, or it's terms we've got to agree to, or show us an advertisement, or whatever. And then off we go, we've been allowed on the network. There's probably NAC involved, but we're not speaking NAC. So the portal gets used as a way to allow us to get on the network. And so all that to say, there's ways. If you turn NAC on and there are devices on your network that don't speak 802.1X, you can still have configurations and systems in place to allow those people to connect to your network in a limited and controlled fashion. Which again, Holly, I'm assuming you're seeing all of this too, and you're running into this stuff.
I've made some pretty captive portals for customers, you know, putting their logos in and the 101 different fields they want their users to fill out. But I just want to, like, maybe go back to the dot-1X concept a little bit, because I think when I first... everyone talks about dot-1X, and we just throw it around. And I think we're doing it here as well. Like, yeah, dot-1X, it's a protocol. Cool. It helps with NAC. But what actually is, like, what does dot-1X do? I think that is something that we should cover. So like, it's a protocol to help two devices communicate, that kind of a thing.

There's a lot of pieces to a dot-1X transaction. And so why don't we walk through a bunch of terms that all end up becoming part of what makes up a dot-1X infrastructure? Actually, we can spend most of the rest of the discussion on that. It's going to be a little bit high level, because in parts two and three, where we want to walk through a wired and a wireless transaction, we're going to actually walk through the mechanics of a dot-1X transaction. I'll take a quick step back and just say that you've got a device, let's say a laptop, that needs to get on the network. It is a dot-1X client. You are talking to the, I'm doing all this off the top of my head, Holly, you're talking to a switch that is accepting that transaction, and that switch is going to take that information that is being sent over dot-1X and turn it into a request to a back-end server where you've got all your policies living and so on, probably RADIUS. You're probably using RADIUS in your world. That's going to be a ClearPass. HPE, or Aruba ClearPass would be, I don't know if you've run into that yet, because you just came from Juniper into the HPE world, across from Juniper, and they've given you up. Yeah.
ClearPass is super popular. A lot of people need to run that. That server is going to take all that information that has been sent to it from the switch. So, client to the switch, the switch is in the middle of things, sends it back to the RADIUS server, Aruba ClearPass or a bunch of other ones we'll mention that are out there in the world. A decision is made based on what all information is there, authentication information, maybe they're using a password, MAC address, other things, and then a policy is returned from that server to the switch to know how to govern this connection. You know, a yea or nay to allow this device onto the network, and then other information, like what VLAN to put them into, and maybe a dynamic access list or a port-based access list that is going to be applied to their connection as they come in, and so on. There are other things that could be used to govern that connection, and depending on the vendor ecosystem you're in, it can vary pretty widely what all is going on. You know, Cisco has something called security group tags. I don't know if it's made it too far out of the Cisco ecosystem. I think that's standardized, but I think of that as mostly Cisco. We have another name for them, but yeah. Yeah, yeah. And so there are all these parameters that, as I'm saying, come back from the RADIUS server and then are applied to the connection, to the traffic coming through that port for that device, that control what that person can do, the guardrails that are put around that person's connection now that they're on the network. But that was too much too soon, because I wanted to do all these other things. Sorry. I want to talk about all these other things.

So the first thing I want to talk about is AAA, authentication,
authorization and accounting. You've surely run into that term? I have, and what's funny about this term is I ran into it very early on when dealing with NAC, and I had no idea what it was. Everybody just threw around this AAA attribute all the time, and it took me a while. When I started getting it, I was like, this can't be what they've been talking about, this fancy AAA attribute. But it's all over. Like, you can't do NAC without it. So round it out for us as you understand it now. Sure. So what AAA is, it's authentication, authorization and accounting. So I think the difference between authentication and authorization can get confusing, because they sound the same. But if you think about when you're getting onto a network, right, when you are trying to authenticate, the first thing is to figure out, well, who's connecting to the network? That would be authenticating. Authorization would be, well, I know who you are. Am I going to let you in? Where am I going to let you into? And thereafter, well, now I keep track of you. So that's where the accounting comes in. Well, these are the people who have authenticated. For various reasons, you want to keep track of that. Perhaps there's, I don't know, things like the network goes down, and when it comes back up, the users that were previously authenticated and authorized can now just come back up, because we've accounted for them and we have a record that they had the privileges of X, Y and Z. Yep. Yeah, all of that. Yeah, AAA is great. You're going to run into it a lot in networking.
It applies in our context here to NAC, to network access control. It comes up in other places too. Another place that you'll see it is when you are building out how a switch is going to be managed. You can apply the, it's not a protocol, but the way of thinking of AAA, to that. You as a user are allowed to log into this switch, and you can run these specific commands but no other commands, or you're a full admin and you can run any commands you want. And so you're authenticated using a username and a password, let's say, you're authorized to perform a certain set of actions, and then accounting: it's all logged. Everything that you're doing is logged and tracked. So again, you'll run into AAA not just in the context of NAC, but elsewhere. For example, switch management, very common. We'll be building AAA policies. And again, AAA is not a, it's a concept as opposed to a protocol. There are protocols that support AAA, and let's talk about a couple of them here. RADIUS and then TACACS. RADIUS is the one you're going to see the most often. And I think that's what you're always going to see when you're dealing with NAC. Do you run into TACACS with NAC? I have actually, well, recently, a customer has an old TACACS server, and my colleague was like, why are you still doing this? So yeah, I, because I know you can, but it's just, do you see it in the wild? Mostly, contextually, you talk about using a RADIUS server. But RADIUS and TACACS, what are these things? So start with RADIUS. RADIUS is an acronym, because everything is an acronym.
Remote Authentication Dial-In User Service. And from the words dial-in, we can tell that this has been around for a minute, because no one dials into anything anymore. But back in the day, you would dial in with a modem across a phone line to connect to a network remotely. And so that was a very common thing that was done. I used to manage a modem bank, or a router that was conceptually a bank of modems, and people from all over the place would dial in to this router with their modem to get a connection to the network. So dialing in has that legacy concept behind it. Now we don't dial in anymore. I suppose that technology exists. I don't know why it wouldn't work still if you had anything like that. Wow. But I mean, have you ever dialed in with a modem to anything? Oh yeah, because I always tell people, growing up in South Africa, we were kind of like 10 years behind modern-day technology. So I had dial-up as a kid. I remember like mom's getting a phone call, we have to, you know, unplug, re-plug the phone in, all of that. Yeah. That technology was certainly beginning to fade out in America before you were born, I'm sure, or around that time, I guess starting to thin out. You didn't see it quite as much. And of course, in 2026 now, where America's behind the rest of the world, by and large, or much of the rest of the world anyway, but we're starting to get fiber strung up even in rural areas now. And I can't remember the last time I heard a modem make those modem noises. It's just been a very long time. I remember it clearly, because where we used to go on holiday, we only had dial-up there. So I must have been maybe 10, which is not that long ago. I mean, that's like early 2000s. Wow. That's okay. I guess South Africa is a little slower in adoption than some, I don't know. You can't predict it all, depending. Many countries have changed their rate of technology adoption over the years as their economies have changed and such.

Well, okay. So we've got RADIUS, Remote Authentication Dial-In User Service. It's very commonly used today. You will see RADIUS all over the place. And RADIUS is a way to communicate between a network access device and the AAA server. You've got to have a protocol that governs your communications back and forth in some way, and RADIUS is
one of the ways to do that. Hey, we're taking a break from the podcast to deliver a message from StatSeeker. If you're building your networking skills or leveling up into architecture or operations, visibility is everything. You can't improve what you can't see. StatSeeker gives engineers deep insight into performance, utilization, and capacity across their entire network without complex setup. It auto-discovers devices and starts polling every 60 seconds right out of the gate, building a full-fidelity, granular history of your network from the moment it's deployed. And that's what's really powerful. There's historical and averaged data. You can go back in time to analyze trends or prove where bottlenecks actually exist, all with data that has the same full-fidelity qualities as real-time metrics. It's the kind of operational visibility that makes you sharper, whether you're troubleshooting or planning growth, and you can try for free at statseeker.com slash networking. That's statseeker.com slash networking, and tell them Packet Pushers sent you.
Have we mentioned EAP, Holly? I don't think so. Extensible Authentication Protocol. Okay, we didn't mention that one yet. All right. So if we back up a second, talking about AAA, we're authenticating our client that wants admission to the network with some kind of credentials. Who are you? Prove it. And in NAC, we would do this with EAP, Extensible Authentication Protocol. Many flavors of EAP out there, like 50? I don't know. There's a lot of different variants of EAP. So we'll just limit it to, let's call it Extensible Authentication Protocol right now. Lots of people have extended it to do lots of different flavors of EAP with different pros and cons and use cases, all depending on what you're trying to get done and who you're talking to.

So we are using EAP to connect in to a switch. There's an EAP transaction that's happening, and we want that Extensible Authentication Protocol to be handled by some backend server, which is probably speaking RADIUS. And so we're going to encapsulate EAP packets inside of RADIUS packets to get that authentication done. So EAP is going to go inside of RADIUS. RADIUS is going to receive that transaction and then return a response. Let's assume that the credentials that have been presented are good. And it's going to return what it is that that device is allowed to do via attribute pairs. And so you mentioned the word attributes earlier on.

You remember we were talking about DHCP a long time ago. I don't know what episode that was. It goes back a minute. But we were talking about options. There's all these different options and different parameters that can be shared in a DHCP, Dynamic Host Configuration Protocol, transaction. Well, RADIUS has attributes, and you can have a whole bunch of attributes being returned. Okay, you're authenticated, thumbs up, your username, password, et cetera, whatever, was all good. And I know who you are. You're in my policy list, and I'm going to return, via a RADIUS packet, a whole series of attributes that define what it is that's going to govern your connection. Your VLAN: you're going to be put into this VLAN, some VLAN number. That's an attribute. And we're going to assign this access list to your port. And that's an attribute. And on down the list is a whole bunch of things that could be returned via RADIUS as part of the attributes. Familiar?

Yes. And some issues I've encountered when you're setting up your policies for authentication and authorization, et cetera, in your NAC policies: you're getting all of these attributes back, and based on those attributes you are performing some sort of function, right? Some sort of policy. But you don't really pay attention to the attribute, how it's named exactly. And now your policy doesn't really match what the attribute is, or what the RADIUS attribute is giving back. And now, well, things aren't working as expected because you haven't made the correct matching game. As in, someone ends up in the wrong VLAN, or they have the wrong access list, that sort of thing, or? Yeah, or just everything looks good, but they aren't, you're not seeing them connect to the network in the expected manner, or at all sometimes. Because the attributes returned were incorrect, meaning there's a configuration in the RADIUS server that's wrong. Or somewhere, either that, or all your policy that you've now configured down the line is using the returned attributes, but you thought it would be in some sort of format, and it's not what you've now coded. So that was quite a bit.
Right. Now, similar to RADIUS, then, is TACACS. TACACS, or TACACS+. Now, you're going to have to tell me what TACACS stands for, and I forgot to write it down. Oh, I looked at it yesterday. Well, I know what you're going to do, because I know you're going to go look it up and tell us in a second. But TACACS is, it's not RADIUS, but it is quite similar. Think of it as, you're probably using RADIUS. You might be using TACACS. You're probably not using both, I would guess, but compared to RADIUS, TACACS encrypts the entire payload of the conversation. And so some people that are very security conscious prefer using TACACS for that reason. I have run into it in my experience usually to govern network device administration, like I was saying earlier on. These are the commands you're allowed to run on this router as a network administrator, you know, that kind of thing.

TACACS, back in the day, it was just a Cisco thing. But from what I can tell, there has been some broader industry adoption of it. There was work back in the IETF, the Internet Engineering Task Force, that's the group that writes all the RFC documents that govern internet protocol standards. The IETF has done some work to make TACACS a true standard. So there's this RFC 8907. It was an informational RFC, not a standard RFC, because there are different kinds of RFC documents. This one was informational. Basically, it was Cisco saying, here's TACACS. This is how it works. There you go. You want to use it? Go after it. Go have fun. Then later on, I found that there was a much more recent RFC 9887. It's a standard that updates 8907, that informational one I was just mentioning. But it's not just the TACACS standard by itself. It's a standard to run TACACS over TLS 1.3, which is a security protocol, TLS 1.3. 9887 updates 8907. When you see that in the IETF world, this RFC updates this other RFC, that usually means, like, oh, you should take this new one and replace that old one. This one updates it. So does that mean TACACS is a true standard now, not just informational? I don't know. I don't know.

You say you've been seeing TACACS in the wild, right? Was it a Cisco shop or was it somewhere else? No, actually, I think it was a customer using ClearPass, but only the TACACS function, which is a bit of a crazy thing to do, because ClearPass can do so much. It's like using ISE for TACACS, Cisco ISE. It's very complex and can do all sorts of fancy things, and just doing TACACS is kind of a waste of money. But that was, I didn't really dive into it. It was more just like a server needed to be upgraded or something, or needed to run TACACS. Do you happen to remember what their application for TACACS was, what they were governing with the TACACS communications back and forth? No, it was a very high-level thing, and I was like, TACACS, okay. Ask a friend. Yeah, I do so little consulting these days that sometimes there's little tweaks or changes in direction, and, you know, it's hard to know what things have seen wide adoption. So much of networking is static. It doesn't change much. Other things, it's like, yeah, this changed a little bit, that changed a little bit. I'm curious if TACACS has seen adoption beyond, you know, what I've seen, because again, typically it's RADIUS. You're talking RADIUS back and forth during a dot1X transaction, not TACACS, but you can. So if you guys listening have opinions on that, the role of RADIUS versus TACACS when it comes to dot1X, we'd love to hear it. packetpushers.net/followup, and send Holly and me your perception. We'd love to get your take.

What does TACACS stand for, before we move on? Yes. Terminal Access Control Access Control System Plus. Yes. So that's Terminal Access Controller Access Control System Plus. I mean, let's just call it TACACS. Yeah, which, to me again, it's in the name. What was it for? What was its use? And TACACS originally, the only use case that we ever had for it was for governing network devices. Terminal access control: you're logging into the terminal of this device, and now you need to put guard rails around what people are allowed to type into that session. What commands are they allowed to run? That was terminal access control. That was the point of it, versus RADIUS, which was, again, someone historically dialing in to the network. Now we're using it for port-based authentication, same concept. So anyway, there we go. There we go.
So, a few trendy words I want to throw at you, Holly. And I give pause because, before we hit record, we said, oh, this looks like it might be a shorter one. We've got a little ways to go here, but okay. So some trendy terms that I think may come up in your dot1X, or your NAC, I should say, conversation. One is microsegmentation. Microsegmentation. You're not even hiding your smirk. So everybody wants to do microsegmentation. Whether they need to or not is a different story, but it's one of those trendy terms, almost adjacent to AI, where we're like, we've got to do microsegmentation. Yeah.

So microsegmentation is the idea of, well, let's back up a step. If you've got a firewall, a firewall governs what can talk through it to another device. The firewall sits in the middle; it's the traffic cop. It says, you on this side of me can talk to this device on the other side of me, or you can't. And it's got a big old security policy and is controlling those conversations. Microsegmentation is everybody's a firewall, or every port has got a firewall-like concept assigned to it, and so on, because you're governing not just traffic flowing through a particular firewall, that's an enforcement point on the network, but you are governing every device's ability to talk to every other device on the network. So it's segmentation, but it's microsegmentation. We're governing literally at every endpoint who can talk to who else. And so that can come up in a NAC conversation, I think, because maybe microsegmentation is part of your larger security policy, and NAC is part of that in your larger microsegmentation way of looking at your network.

It's just one thing: you mentioned earlier Cisco's SGTs, whatever, security group tags. I think we just call them group-based tags, but those come into microsegmentation because you've now tagged the device with a specific tag, and that's kind of a way that you can segment different devices as well, just in case anyone was wondering. Yeah, and that's one of the annoying things about microsegmentation. There is not one standard single way to do it. There's a whole bunch of different ways to do it. And so if you're running microsegmentation, you can do it the way you just described. You can do it with a controller that is able to talk to all the firewalls, like a Mac OS device's built-in firewall and a Windows box's built-in firewall. And so you control those firewalls with a central controller that knows what policy should be pushed into everybody's individual computer, which is crazy. But that's another way to do it. And there's other ways too. So yes, secure group tags. What did you say they were in HPE? Group-based tags. Group-based tags. That sounds plausible. Okay.

Another term here that might come up: zero trust network access, ZTNA specifically. So not just zero trust, which is a big concept around computing where no endpoint trusts any other endpoint without having a constant check of security posture and endpoint posture, and making sure that everybody's up to date and is patched appropriately and so on. Zero trust network access, ZTNA, is a subset of the broader zero trust computing initiative. ZTNA, it's VPN access, really, I think, a bit. It's VPN on steroids. I guess we've added some things. We're adding posture assessment, adding device profiling. And ZTNA is part of the NIST Zero Trust Architecture, 800-207, document that was published almost six years ago now. I guess 2020 when that came out, and it's defined as the document that everyone's very excited about, and it drives their zero trust initiatives within their companies, because, like a lot of people say, oh, you've got to do microsegmentation, it's like, oh, we've got to be doing zero trust. And microsegmentation might be part of your zero trust
initiative. One thing to clarify: I think we keep using the word posture. You keep saying posturing, but I don't think we've actually explained what posturing is. You want me to get away with anything? Because this is a topic that I've been doing, so, like, it's so close to my heart, because I've been doing so much of it. And all of these terms, I sat in, like, posturing, like, why do all of these people keep looking up device posturing? What is this? So I think it's important for listeners who might be in the same boat as me. So, well, I mean, I'm saying posture assessment. I'm saying profiling. And so, since you've been doing a lot of that, what is it?

Well, you know, device posturing is, I guess, trying to understand what that device is. There's certain, I don't want to use the word attributes, but certain things about that device that maybe you're checking to see if they are correct. Maybe it's a specific OS. Maybe it's things like that. And that's what posturing is. And based on that, you can do certain things. Yeah. You want to know that the device that you're about to admit to the network perhaps is running a specific OS, a specific version. Well, why might you care about that? Well, maybe, if they had an earlier one that has a known security vulnerability, you don't want to allow that device on your network, because you consider them to be a threat, because they're vulnerable to a bad actor leveraging that vulnerability and using that device as a jump-off point to attack your network. And so I will not allow a device on my network that is not in some set of known good operating systems that you will allow on. And so how do you know those things? Well, you can probe the device, and depending on how it responds to certain probes over the network, you can come to a conclusion about what device operating systems are probably running. You could be running a client on there that is actually shimmed into the device and can report back exactly what version of the operating system is running. There's ways. You can also determine things like it's running antivirus or it's not running antivirus. And then come up with a posture.

You're saying posturing. Is that because, I think about this as posture assessment or profiling. Is posturing yet another way? It's very possible that I just made that word up along the way. You know, it's the verb of posture assessment. This started out as network admission control when it's actually network access control. I make things up too. It's fun. I might have not, I might have heard it along the way. I just, like, I can't give you a verified source of that word. How were you delivering posturing? What was the techn... was there a certain server or software package that you guys were delivering to make that happen? I think, I'm not actually sure. I think there was more of something that was in the works for us. But now, often I actually deal with, like, cloud NAC solutions, and that's more, there's some software that does the posture assessment and fingerprints the device and things like that. Yeah, the fingerprinting thing is, again, a whole bunch of ways you can basically make an educated guess as to what this device is based on what you can see about it as it transmits traffic across the network.

All right. All of that was, we got off. We started with microsegmentation. We mentioned ZTNA, zero trust network access, which is VPN, remote VPN access, but with all this posture assessment stuff built in and more, because it's coming under the heading of zero trust computing. I do think of ZTNA as a bit of a rebrand, because we had posture assessment in plain old VPN stuff before. It's just now we're saying, wow, it's zero trust, guys. We're going to continually perform posture assessment on a device and not just do it one time when a device is admitted to the network for the first time and then we trust them until they log off before we ever check. The idea is it's a constant thing. You are checking all the time that this device conforms to what your requirements are via a regular series of posture assessment actions that you're taking.

You might also see universal ZTNA. I've also noticed in vendor literature now they're talking about universal ZTNA. It's just an expansion of ZTNA, zero trust network access, to be part of some larger security framework. It applies policies to devices consistently no matter how they connect to the network. I see universal ZTNA coming up as a different way to describe NAC, I think, is what they're really getting at: no matter how you get on the network, we've got a universal set of policies that are going to apply to you. We don't care if you're hitting wired or Wi-Fi or coming in over VPN. We're going to apply policies to you. I say that because it gets confusing. What do you mean? What are you actually doing? Are we doing dot1X here? What are we doing? It can get... Holly, to me, this is one of the frustrating things about being in networking. There's a mix of standards, trendy terms, and then vendor marketing terms and brand names that all get mixed and conflated around, and so it can get fuzzy and difficult to understand exactly what we're talking about when we're talking about something, and it gets all kind of hand-wavy. Do you understand the frustration I have? Very much so, especially when you start bringing in those marketing terms, because sometimes the marketing terms progress into trendy terms, and then suddenly they're being used in other technical conversations. I'm like, that's a marketing term. That's not, like, a thing.

I say that to educate those of you that are new to networking: one of the skills you develop as you become an engineer is learning to ask your account reps exactly what they mean, because they'll say a term. It'll mean something to you because you studied it for a cert, for example. They said NAC; that means, it means dot1X and a RADIUS server and EAP and whatever it means to you, and then it's not what they mean. They mean something else, but they're using the term NAC in more of a marketing sense than in a technical sense, and you have to not assume that when Holly's in the office explaining it to you that she means what you think she means. I just mean basic policies and firewall routing. I just like the term NAC.
I mean, it happens. Well, it does. What happens to some people is that our technical engineers, like you, Holly, where you're much more technically minded, you get saddled with slides you have to use because that is what the company dictates that you will use. That is a bit hand-wavy, and then you need to, okay, we've used those. Now let's put those away and talk about what's really going on, so that the engineer you're sitting in front of can make a fair assessment of the technology that you're presenting to them.

Another thing to think about when it comes to NAC and all these other terms that we're kicking around: NAC itself isn't that exciting. It's been around forever, right? It's even assumed to be in place, especially for wireless technology. So to make the security conversation exciting again in 2026, vendors are going to roll their NAC solution into some larger security solution, of which NAC is just one part, and this larger security solution is going to do all this other stuff too. And you're going to be excited about NAC again. So, you excited, Holly? I like it. I think it's cool. It's fun. It's also, like, it's imperative. You don't know what's connecting to your network these days. There's so many IoT devices out there. I just think that it's become more, I think it's almost had a resurgence because of all of the devices out there.

Well, the point that I want to make here about a lot of these new terms that are kind of associated with NAC, whether or not they are actually part of NAC, is that there's a trend in marketing, across any sort of technology vendor: you take something that's old, that's been around for five, 10, 20 years. How do you repackage it so that a customer wants to buy it? And a lot of times what happens is either a new term describing something old comes up and becomes the thing that you have to have, or you build a bigger system, especially with security systems, or security ecosystems, I should say, that vendors are creating. NAC is just one part of our much larger, wow, super exciting, you know, umbrella security system, whatever that might be, that governs everything. NAC's a part of it, and they've got 20 other functions in this massive security solution that they want you to buy, to get you excited about that technology again. So you can't buy just NAC. Oh yeah, we have NAC. It's part of this huge thing, and you don't turn on everything else that's available in the gigantic package, but you had to buy it so you could get NAC. And they rebranded it and they call it something, and if they're really clever, they will force you to buy certain switches that can, at the hardware level, do the security thing that you're trying to do. You have to have special hardware to make it happen too. And so they're driving a much more expensive buy from you, because, oh, you want to do that? Sure. Oh, you've got those old switches. Sorry, you've got to buy the new switches to do the security thing that you want to do, and then you're doing a great big buy. And that's, I don't want to say that's how they get you, because, hey, you know, vendors are there to get paid and you're there to secure the network. So they're providing you a solution, but it can be, oh, it can be a lot to keep up with, because the next time your rep shows up, a year ago they were selling you X and now they're selling you Y. You're like, well, what happened? Oh, it's the same thing. We just rebranded it. Well, you're killing me right now.

And I think also technology evolves, and, like, I've seen it with cloud NAC solutions now: older switches can't create some of the secure tunnels to speak to the cloud. So then you need some kind of server to do normal RADIUS that that server can then connect to the cloud, and it's, well, you just wanted to do this very simple feature, but you wanted to, like, improve or, you know, modernize a certain part of your network while, you know, keeping your same 20 old switches. And unfortunately, at some point, everything's got to start modernizing together, which becomes very pricey. Yep. I'm not saying there's never a reason to upgrade your hardware, right? I'm just saying this is one of those things that sometimes you just don't see it coming. I just wanted an X solution. Yeah. Well, to get that, with all the pieces and parts involved, especially if you've got aging hardware, it can get to be a lot. It can get to be a big, big spend that maybe you
weren't planning on. So, okay, Holly, let's close with this. I just wanted to rattle off a list of NAC solutions that are out there. AAA servers for the NAC solution, specifically, I should say. One of them we already mentioned: HPE's got Aruba ClearPass. That is, I think, the most popular, certainly one of the most popular AAA servers that are out there. You must see that in the wild. Yeah, between that and, I would say, that and Cisco ISE, those are the, which I've worked, funny enough, with before I came to HPE. As a Juniper employee, we didn't have an AAA server. So I integrated a lot with ClearPass and Cisco ISE. So the JCME did some fun projects with Cisco ISE specifically, just for fun, you know, good to know, but running into ClearPass a lot, obviously, now that I sell it.

Cisco ISE was the second one on my list, Identity Services Engine. Before ISE, we used Cisco Access Control Server. So if you're reviewing some really old Cisco docs or you stumble across some really old blogs, you might run into Cisco ACS. That was a very long time ago. Forescout's got a product called 4D. Fortinet, the security company known best for their firewall ecosystem, I suppose, but they have FortiNAC. In the Fortinet world, everything's Forti-something. FortiNAC is their AAA server. Extreme Networks has got something called ExtremeControl, and there's a lot of stuff called Extreme-whatever in the Extreme world. There's a company called Portnox, and Portnox, which is one word, Portnox Cloud, it's a cloud-based NAC server, which you were just talking about, needing devices to be able to connect up to the cloud for their communications. Yeah. There's a company called Elisity. Elisity is a startup, or a recent addition to the networking world. They do microsegmentation and they're also in this NAC space. Here's one I ran across where, like, it exists, but I don't know that anyone's using it, but it's Microsoft's Network Policy Server, Microsoft NPS. It's free. Like, if you're in the Microsoft ecosystem and you're running Microsoft Windows Server, you probably have Network Policy Server as something you can turn on. But from everything I was reading, it's like, no, it uses... it's not robust compared to other solutions. It might be good for just a basic, simple implementation, but not if you need to get at all fancy.

Akamai has got, so if you're looking for a free one that you want to work with, open source, I haven't tried this, so maybe it's terrible, I don't know, but PacketFence by Akamai is a free, open source AAA server, RADIUS server, you can host yourself. You can host it in the cloud too if you want; you can have them do that for you. That part's probably not free. Most of the time if you host it in their cloud, they're going to charge you something, but you can download it and fire up PacketFence by Akamai and run RADIUS. I've actually been meaning to try that, since it is open source and free to run locally. See if I can fire it up and install it, see how good or bad it is. A lot of times the open source, some of the open sources are absolutely great. They truly are. Some of them just can be clunky, a little difficult to perform the configuration and do the administration on. Works good, but it just sucks to interact with. So PacketFence, I don't know, I've never tried PacketFence before.

Interestingly, Palo Alto Networks, one of the, I think the biggest security company in the world, doesn't have a dedicated NAC solution, but they do tons of NAC-related stuff and they can integrate with certain NAC products, but it's like, you can't go to Palo Alto and say, hey, I want NAC. They'd be like, we don't have that, but we do interact with, and they'll give you a whole bunch of NAC products that they do work with. So that was just a quick overview. I'm sure there's, it's not a list of all the things. I just wanted to throw some brands out there and maybe plant that in your mind. And if you don't remember any of those except for Aruba ClearPass, HPE Aruba ClearPass, and then Cisco ISE, Identity Services Engine, those are the two that you're likely to run into most frequently. And FortiNAC. You see a lot of FortiNAC too? I did a lot with FortiNAC, yeah. Also, I just love the Forti names. It's just so cute. Everybody, everything, yeah. Okay.
All right, Holly, how did we do as an intro to NAC as a concept? You feel good? I feel like I'm undoing the wrongs that I experienced as my, I won't even say intro to NAC, because I never had one, just being thrown into NAC. I would have loved to listen to this episode before jumping on customer calls. So hopefully, I hope someone else does not suffer like I did. We have two more episodes planned around NAC where we're going to take some of these concepts and jargon and protocols and get more specific with them. And that'll help put some of the puzzle together here as you understand how things happen. So the idea is a packet walk. Okay, a device is going to connect to a switch and we want to use dot1X to put them on the network. NAC, how do we do that? What actually happens? What goes on? We're going to walk through a wired transaction and then a wireless transaction. So if you, like, have questions and you're looking for more details, that's coming. We're going to do that in parts two and three of the NAC series. And we have a guest in mind who's a part of the Packet Pushers podcast network already. And if we can coordinate our recording schedule with her, she actually wrote a book on wireless security, JJ Minella. Hoping she can join us for one or both of those episodes to get into this. So we're literally going to talk to someone who wrote the book about lots of things to do with security, but certainly including NAC. She's great. And looking forward to that. JJ, if you're hearing this, I haven't talked to you yet. So hoping that that works out for our schedule.

Well, okay, just remember, if you're looking for Holly now, she is not just Holly Metlitsky, but Holly Metlitsky Podbilac out there. And over time, you're going to see her name change. Congratulations on your wedding, Holly. And just now I've got to, now I have to get used to your new last name. I could go to say Metlitsky. I need to get used to it too, to be fair. It sounds very foreign. Okay, to all of you listening, thank you for listening to N Is for Networking today. If you made it to the end, leave a comment that says, "I grant Holly's laptop full access." And you can do that on Spotify, YouTube, or anywhere that you're listening or watching this podcast. And leaving those comments makes the algorithm happy. And we all live to serve the mighty algorithm. Again, in part two, we're going to walk through a wired switch connection governed by NAC, and in part three, we're going to do wireless NAC. And I'm hoping my friend JJ Minella can join us for both of those. And JJ's book, by the way, I mentioned she wrote a book. Yeah, it's awesome. Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise. That's JJ's book. I have a copy. It's great. I've referenced it many times. So fingers crossed that you can join us. Like, share, and subscribe. And keep letting your friends know about N Is for Networking. We can tell from the stats that more and more of you are finding N Is for Networking. And then, when you find it, you go all the way back to the beginning and you binge. So thanks for that. And fear not, we've got another, I don't know, there's at least 250 topics on our list to go through. So N Is for Networking is going to keep going as long as you can keep listening. And for what it's worth, N Is for Networking is the number five most popular series out of the 13 active shows in the Packet Pushers podcast network. So we're climbing the ranks. We are climbing up there. So until we meet again, just remember, networking isn't hard. Other people figured it out. So you can too.

The Everything Feed - All Packet Pushers Pods
