Port-Based NAC

What is Port-Based NAC

"PNAC" or Port based Network Access Control is a security solution, based on dot1x.

If a device is not in the database, it will be moved to the guest network automatically if there is a function implemented that allows this to happen. This function can be implemented on the switch or on a submitted port. Even so, this function decreases the security, because everyone can have access to the assigned network, and it is therefore not recommended. If you decide to use this function it will connect with the server. After it is connected, patches and/or updates will follow and alarm messages will send the information to your IT department.

To add a new computer for the database, you need to enter de VLAN the MAC-Address and the Site. In order to have an overview of each component, all switches were added to the "PNAC" module, more precisely to the "Active Network Componets" field. You must enter the IP address and the name of the switch, so that the radius server can assign a request to a switch or a switchgroup. You can define new sets of rules for access on the switchgoups.

Most of the time one or two VLANs are defined in a small company. In case you want to implement this feature, one for internal purposes and one for guests. The VLAN is, based on the device, automatically assigned to the switch-port. This makes sure, that the device is always in the correct VLAN. The VLAN configuration is located on the switch1, but you must also add it in the "PNAC". Unknown devices are either rejected or, as already mentioned, have their own VLAN - the guest VLAN.

Why would you need PNAC

The "PNAC" module is a safe solution for the network security in a company. It has the following advantages:

  • dynamic VLAN allocation - The VLAN is assigned automatically to a port based on the device to make sure that the device is always in the correct VLAN, no matter the Port or Switch it is connected with as long as it is in the same company.

  • supports Voice-Vlan - a phone with VoIP is used as some kind of switch to connect with the office VLAN

  • easy to install

  • network documentation - an automatic network documentation allows a quick search for devices, their use and where they are connected

  • supports all LAN-devices - "PNAC" automatically sets ports of switches to their respective VLAN, so there is no need for a separate agent and all devices are supported (e.g. printer, smartphones, a.s.o.)

  • mail notification - if an unknown device is connected, an alarm will be sent out per email

  • work relief - since it is easy to use, you can work more precise

  • multisite concept - you can put devices from different sites in one VLAN if you wish to (there are other possibilities too)