NAC Agents
How can devices connect to a network that has a robust access control configuration?
NAC doesn't only handle authentication and authorization, as previously stated. It also checks and enforces compliance with a set of security policies. It usually checks:
- OS version
- Patch level
- Antivirus status
- (maybe) installation of specific security software
- User profile
- Device type
- Location
NAC is almost always implemented in enterprise networks that have a guest network or a BYOD policy. It's also implemented in networks that have a large number of IoT devices. Due to their simplicity, IoT devices are vulnerable to attacks and should always be secured.
Agent Types
There are three types of NAC agents:
- Permanent/Persistent
- Dissolvable/Nonpersistent
- Agentless
Permanent NAC agents require specific software to be installed on the device before it connects to the network. That program is responsible for communicating with the centralized NAC management platform on the network, sharing some of the required information listed above to pass authentication. Agent-based NAC can also perform automatic remediation, such as installing or updating antivirus software, should the device fail the baseline security checks enforced by the network.
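The compliance decision described above, as an added example that is not from the original page or from any NAC product: a policy server evaluates the report sent by a permanent agent and either grants access or quarantines the device with a remediation list. The field names, baseline thresholds and the `full-access`/`quarantine` outcomes are assumptions, and the sample reports are constructed.

```python
# Hypothetical baseline; keys and thresholds are assumptions made for this example.
BASELINE = {
    "min_os_build": "10.0.19045",
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
    "required_software": {"edr-agent"},
}

def parse_version(text):
    """Split a dotted version into integers so '10.0.9' sorts below '10.0.19045'."""
    return tuple(int(part) for part in text.split("."))

def evaluate_posture(report, baseline=BASELINE):
    """Return (decision, remediation_actions) for one agent report."""
    checks = {
        "upgrade OS": lambda r: parse_version(r["os_build"])
            >= parse_version(baseline["min_os_build"]),
        "install pending patches": lambda r:
            0 <= r["patch_age_days"] <= baseline["max_patch_age_days"],
        "enable antivirus": lambda r: r["av_running"] is True,
        "update antivirus signatures": lambda r:
            0 <= r["av_signature_age_days"] <= baseline["max_av_signature_age_days"],
        "install required software": lambda r:
            baseline["required_software"] <= set(r["installed_software"]),
    }
    remediation = []
    for action, check in checks.items():
        try:
            passed = check(report)
        except (KeyError, TypeError, ValueError, AttributeError):
            passed = False  # fail closed: a missing or malformed field counts as a failure
        if not passed:
            remediation.append(action)
    return ("quarantine", remediation) if remediation else ("full-access", [])

# Constructed sample reports, as a permanent agent might send them.
COMPLIANT = {"os_build": "10.0.19045", "patch_age_days": 12, "av_running": True,
             "av_signature_age_days": 1, "installed_software": ["edr-agent", "browser"]}
OUTDATED = {"os_build": "10.0.9", "patch_age_days": 45, "av_running": True,
            "av_signature_age_days": 1, "installed_software": ["edr-agent"]}
INCOMPLETE = {"os_build": "10.0.19045", "av_running": True}

if __name__ == "__main__":
    for name, report in [("compliant", COMPLIANT), ("outdated", OUTDATED),
                         ("incomplete", INCOMPLETE)]:
        print(name, evaluate_posture(report))
```

The `OUTDATED` report shows why the build is compared numerically: as plain strings, "10.0.9" would sort above "10.0.19045" and the device would pass.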
Dissolvable NAC agents load the connection parameters into memory but do not save them. The user of the device is prompted for credentials every time they connect.
With agentless NAC, the device doesn't have to do anything. The network handles everything, usually using port-based NAC and/or network scans. It can check for open ports, active services, the device's DHCP fingerprint, and other things to gather information about the device. While it isn't as detailed as permanent or dissolvable agents, it's enough to get the job done, and it doesn't require any configuration on the device side.