Port-Based NAC

What is Port-Based NAC

"PNAC", or Port-Based Network Access Control, is a security solution based on IEEE 802.1X (dot1x).

If a device is not in the database, it is automatically moved to the guest network, provided a function allowing this is implemented. This function can be enabled on the switch or on a specific port. Note that this function decreases security, because anyone can gain access to the assigned network; it is therefore not recommended. If you decide to use this function, the device will connect to the server. Once it is connected, patches and/or updates will follow, and alarm messages will send the information to the IT department.

To add a new computer to the database you need to enter the VLAN, the MAC address and the site. To have an overview of every component, every switch is added in the "PNAC" module, in the "Active Network Components" field to be exact. You have to enter the IP address and the name of the switch so that the RADIUS server can assign a request to a switch or a switch group. You can define new sets of access rules for the switch groups.

Most of the time one or two VLANs are defined in a small company: one for internal purposes and one for guests, if you decide to implement this feature. The VLAN is assigned to the switch port automatically, based on the device. This makes sure that the device is always in the correct VLAN. The VLAN configuration is on the switch, but you also have to add it in the "PNAC". Unknown devices are either rejected or, as already mentioned, placed in their own VLAN, the guest VLAN.
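As an added example (not the product's own code), the decision flow described above modelled in Python: a constructed device database keyed by MAC with VLAN and site, constructed switch groups registered by IP with an optional guest VLAN, RADIUS VLAN attributes as standardised in RFC 3580, and an alert list standing in for the email notification to the IT department. The data layout, group format and function names are assumptions, not the "PNAC" module's API.

```python
from typing import Dict, List, Optional, Set, Tuple

# RFC 3580 attribute values used for RADIUS-assigned VLANs
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type = IEEE-802

# Constructed sample device database: MAC -> VLAN and site (the three fields the page names)
DEVICES: Dict[str, dict] = {
    "00:11:22:33:44:55": {"vlan": 10, "site": "HQ"},
    "aa:bb:cc:dd:ee:01": {"vlan": 20, "site": "Branch"},
}

# Constructed sample switch groups: (name, registered switch IPs, guest VLAN).
# A guest VLAN of None means unknown devices on that group are rejected (the recommended setting).
GROUPS: List[Tuple[str, Set[str], Optional[int]]] = [
    ("office", {"192.0.2.10", "192.0.2.11"}, None),
    ("lobby", {"192.0.2.20"}, 99),
]

def normalize_mac(mac: str) -> str:
    """Accept switch-style MAC formats (0011.2233.4455, 00-11-22-33-44-55) and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vlan_attributes(vlan: int) -> Dict[str, object]:
    """RADIUS reply attributes that tell the switch which VLAN to put the port in."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-Id": str(vlan)}

def authorize(mac: str, nas_ip: str, alerts: List[str]) -> Tuple[str, Dict[str, object]]:
    """Decide Access-Accept/Access-Reject for one request; every unknown device raises an alert."""
    group = next((g for g in GROUPS if nas_ip in g[1]), None)
    if group is None:
        # Requests from switches not registered under "Active Network Components" are refused
        alerts.append(f"request from unregistered switch {nas_ip}")
        return "Access-Reject", {}
    key = normalize_mac(mac)
    device = DEVICES.get(key)
    if device is not None:
        return "Access-Accept", vlan_attributes(device["vlan"])
    alerts.append(f"unknown device {key} on switch {nas_ip} (group {group[0]})")
    if group[2] is None:
        return "Access-Reject", {}
    return "Access-Accept", vlan_attributes(group[2])  # guest VLAN enabled for this group
```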

Why would you need PNAC

The "PNAC" module is a secure solution for a company's network security. It has the following advantages:

  • dynamic VLAN allocation - the VLAN is assigned automatically to a port based on the device, to make sure that the device is always in the correct VLAN regardless of the switch or port it is connected to

  • supports Voice VLAN - a VoIP phone is used as a kind of switch to connect to the office VLAN

  • easy to install

  • network documentation - automatic network documentation allows a quick search for devices, their use and where they are connected

  • supports all LAN devices - "PNAC" automatically sets switch ports to their respective VLAN, so there is no need for a separate agent and all devices are supported (e.g. printers, smartphones, etc.)

  • mail notification - if an unknown device is connected, an alarm is sent out by email

  • work relief - since it is easy to use, you can work more precisely

  • multi-site concept - you are able to put devices from different sites in one VLAN, if you wish (there are other possibilities)