What is Port-Based NAC
Port-Based Network Access Control ("PNAC") is a security solution based on dot1x (IEEE 802.1X).
If a device is not in the database, it is moved to the guest network automatically, provided a function that allows this has been implemented. This function can be implemented on the switch or on a submitted port. Even so, this function decreases security, because everyone can gain access to the assigned network, and it is therefore not recommended. If you decide to use this function, it will connect with the server. After it is connected, patches and/or updates will follow, and alarm messages will send the information to your IT department.
To add a new computer to the database, you must enter the VLAN, MAC address, and site. To give a comprehensive overview of each component, all switches are added to the "PNAC" module, specifically to the "Active Network Components" field. The IP address and name of the switch must be entered so that the RADIUS server can allocate a request to a switch or a switch group. New sets of access rules can be defined for the switch groups.
Usually, one or two VLANs are defined in a small company: one for internal purposes and one for guests, if this feature is desired. The VLAN is automatically assigned to the switch port based on the device, ensuring that the device is always in the correct VLAN. The VLAN configuration is located on the switch, but it must also be added to the "PNAC". Unknown devices are either rejected or, as previously mentioned, placed in their own VLAN, the guest VLAN.
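The lookup described above can be sketched as the decision a RADIUS backend makes per access request. This is an added example, not code from the "PNAC" product: the table layouts, the per-group `guest_vlan` rule and all sample addresses are constructed assumptions, while the reply attributes are the standard RFC 3580 VLAN-assignment attributes.

```python
# Added example: decision logic a RADIUS backend could apply for PNAC-style
# MAC lookup. All names and sample data below are constructed.
import re

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value "IEEE-802"

# Device database: MAC -> (VLAN, site), the fields the page says are entered.
DEVICES = {"001122aabbcc": (10, "HQ"), "001122aabbdd": (20, "Branch")}
# "Active Network Components": switch IP -> (name, switch group).
SWITCHES = {"192.0.2.10": ("sw-hq-01", "office"), "192.0.2.20": ("sw-hq-02", "lobby")}
# Assumed per-group rule set: guest fallback off (None) or the guest VLAN id.
GROUP_RULES = {"office": {"guest_vlan": None}, "lobby": {"guest_vlan": 99}}

def normalize_mac(raw):
    """Reduce aa:bb.., AA-BB.., aabb.ccdd.eeff to 12 lowercase hex digits."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def vlan_reply(vlan):
    """RFC 3580 attributes that tell the switch which VLAN to put the port in."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan)}

def authorize(nas_ip, calling_station_id):
    """Return (decision, reply_attributes, alert) for one access request."""
    switch = SWITCHES.get(nas_ip)
    if switch is None:                      # request from an unregistered switch
        return "reject", {}, f"request from unknown switch {nas_ip}"
    name, group = switch
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError as exc:
        return "reject", {}, f"{name}: {exc}"
    if mac in DEVICES:                      # known device: same VLAN on any port
        vlan, _site = DEVICES[mac]
        return "accept", vlan_reply(vlan), None
    alert = f"unknown device {mac} on {name}"   # text for the mail to IT
    guest = GROUP_RULES[group]["guest_vlan"]
    if guest is None:                       # guest fallback disabled: reject
        return "reject", {}, alert
    return "accept", vlan_reply(guest), alert
```

Because the decision keys only on the MAC address the switch reports, a device that copies a registered MAC receives that device's VLAN, which is worth keeping in mind when deciding which VLANs may be assigned this way.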
Why would you need PNAC
The "PNAC" module is a safe solution for network security in a company. It has the following advantages:
- dynamic VLAN allocation - The VLAN is assigned automatically to a port based on the device, so the device is always in the correct VLAN, no matter which port or switch it is connected to, as long as it is in the same company.
- supports Voice VLAN - a phone with VoIP is used as a kind of switch to connect with the office VLAN
- easy to install
- network documentation - automatic network documentation allows a quick search for devices, their use and where they are connected
- supports all LAN devices - "PNAC" automatically sets switch ports to their respective VLAN, so there is no need for a separate agent and all devices are supported (e.g. printers, smartphones, and so on)
- mail notification - if an unknown device is connected, an alarm is sent out by email
- work relief - since it is easy to use, you can work more precisely
- multisite concept - you can put devices from different sites in one VLAN if you wish to (there are other possibilities too)