Network Access Control: Network security starts with user connectivity
Full visibility of all devices connected to your network, policy-based access control, and automated responses to security risks
Network Access Control (NAC) acts as an uncompromising guardian of your corporate network: it checks the devices connected to it, their permissions, and their movement within the network, minimising security risks and ensuring full control over network access.
Access control and network protection
Comprehensive protection of network access
Policy-based access
When a connection attempt is made, NAC first evaluates the identity of the user, the type and identity of the endpoint device, the network connection point (e.g., a specific network port), and the security posture of the device. This includes verification of system updates, presence and status of security software, and other compliance parameters.
Segmentation and risk management
NAC’s key benefit lies in risk segmentation and management. For example, an employee is granted full access to the company’s internal network when using their company laptop, but when connecting from their personal computer at home, the same employee may only access a separate network with restricted access rights. A visitor is granted internet-only access, and, for instance, a company printer is permitted to communicate exclusively with its designated print server.
Visibility
Complete visibility of all connected elements is another advantage of NAC. It enables detection of the so-called grey zone of infrastructure, such as unauthorised active network elements or unknown IoT devices.
Choose your operating scenario
- „S“ Essential
  - Single control node option (Publisher).
  - Basic service instance operated in CRA’s or the organisation’s cloud.
  - Recommended for organisations with up to 1,000 authenticated devices.
- „M“ Professional
  - Option with one control node (Publisher) and one replication node (Standby Publisher).
  - Redundant service architecture with automatic switching in case of an outage.
  - Recommended for organisations with up to 5,000 authenticated devices.
- „L“ Enterprise
  - Option with one Publisher-type control and replication node, and the possibility of multiple Subscriber nodes.
  - Highly scalable solution for multiple sites, with a geo-redundancy option.
  - Recommended for organisations with up to 15,000 authenticated devices.
- „XL“ Mission Critical
  - Service architecture defined according to the organisation’s individual requirements.
  - Recommended for organisations with more than 15,000 authenticated devices.
We hold the necessary certificates and security is our top priority
- Physical security: physical security at BT3 level in accordance with the methodology of the National Security Authority (NBÚ).
- Proven technologies: we use and offer only proven and up-to-date technologies.
- Active support: we provide 24/7 active support.
- ANSI-TIA942: the technology is operated from an ANSI-TIA942 certified DC TOWER data centre.
- Common Criteria Certification for Information Technology (IT) Security (ISO/IEC 15408): certification at CC EAL 4+ level.
- ISO 9001: quality management systems.
- ISO 14001: environmental management systems.
- ISO 19011: standard for the certification of internal auditors.
- ISO/IEC 20000-1: information technologies – service management system requirements.
- ISO/IEC 27001: information security management systems.
- ISO/IEC 27017: information technologies – security techniques – a set of guidelines for cloud environment security and for minimising the potential risk of security incidents.
- ISO/IEC 27018: information technologies – security techniques – a set of procedures for the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors.
- SOC Type 1 and Type 2: SOC 2 Type 1 and Type 2 certifications, issued in accordance with American Institute of Certified Public Accountants (AICPA) standards and requirements, cover information management and security in organisations.
- ISO 50001: energy management systems.
- PCI-DSS: compliance with the requirements of PCI-DSS for data centre operators.
- NBÚ: certificate for access to classified information up to the classification level ‘CONFIDENTIAL’.
- GDPR compliance: the infrastructure is fully compliant with GDPR requirements.
Is the number of connected devices growing faster than your ability to manage them?
NAC gives you full control over device and user network access. It automatically distinguishes employees, guests, and IoT devices and assigns them appropriate access levels. In heterogeneous environments with diverse endpoint types, it reduces the risk of security incidents, limits their propagation within the network, and contributes to higher infrastructure stability and operational reliability. Get in touch, we will be happy to discuss everything in detail.
Network Access Control in detail
- Historically, local networks were considered trusted environments. NAC reflects today’s reality, where Wi-Fi devices, BYOD, IoT elements, external users, and even compromised endpoints routinely connect to internal infrastructure, making the assumption of trust obsolete.
- The core NAC principle is ‘verify the identity and posture of the device before granting it access’. It goes far beyond a simple Wi-Fi password, validating who is connecting, from what device, and whether they meet security requirements.
- What does NAC control? User and device access, their network placement and permissions. NAC is not used primarily for blocking access, but for network segmentation and controlled limitation of device movement.
- NAC significantly reduces the risk of an attacker proceeding to compromise other systems, accounts, and networks after breaching a network and gaining initial access to it.
- NAC is not an antivirus, EDR, or attack detection tool. It is a tool for defining and enforcing access policies based on your rules.
Aruba ClearPass, as the core component of the service, acts as the Policy Manager responsible for user and device authentication. It determines what level of access an employee, guest, printer, or camera receives.
The service architecture distinguishes the roles of ‘Publisher’, ‘Standby Publisher’, and ‘Subscriber’. These represent individual nodes within a multi-instance ClearPass environment – typically an HA cluster or a distributed environment. The Publisher is the primary (control) node in the ClearPass cluster, hosting the main Policy Manager database. It is responsible for configuration and licence management, for replicating the setup to Subscribers, and for authentication.
A Subscriber (Standby Publisher) is a replication (subordinate) node that downloads its configuration from the Publisher. It supports authentication scaling (e.g. across multiple sites) and provides failover in the event of an outage of the main node. Like the Publisher, a Subscriber can process authentications and enforce access policies.
As a virtual appliance, ClearPass can be operated in CRA’s cloud environment, in the organisation’s environment, or in a public environment, such as Microsoft Azure or Amazon AWS.
With this service, we can authenticate devices such as PCs, laptops, mobile devices, APs, printers, and BYOD devices. Authentication can be performed via switches, APs, ClearPass, or Active Directory.
The service provides multiple authentication methods, including 802.1X, MAC Authentication, and TACACS+ / RADIUS, and integrates with a wide range of security products from various vendors (e.g., Active Directory, MDM, firewalls, SIEM).
NAC can be deployed in classic metallic LAN networks, Wi-Fi networks, as well as in remote access networks.
- Identification and authentication. Each network access attempt is automatically analysed:
  - User (identity verification),
  - Device (type, operating system, and fingerprint),
  - Connection location and method,
  - Device security posture.
- Policy evaluation. Based on defined security policies, the system decides:
  - Whether access will be granted,
  - To what extent,
  - Or whether the device will be restricted or denied entirely.
- Dynamic control and response:
  - Access rights can be changed in real time.
  - The system dynamically segments the network, isolates high-risk devices, and can automatically respond to security incidents.
NAC can be delivered in two functional variants across all deployment scenarios. The basic Standard option provides the core functionality, i.e., access policy evaluation and authentication: checking who connects, from what device, and to which resources.
The enhanced Advanced option adds device security posture checks before and during network access. It detects whether an antivirus is active and up to date on the device and grants or restricts network access accordingly.
All devices within an organisation’s network must be operated under the same variant, meaning that the Standard and Advanced options cannot be combined in a single service package.
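The three-step decision flow above (identification, policy evaluation, dynamic response) together with the Standard/Advanced distinction, as an added example in Python; this is not code from CRA or Aruba ClearPass. The role labels, segment names and the quarantine handling for non-compliant devices are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Posture(Enum):
    """Device security posture, as checked by the Advanced variant (assumed values)."""
    COMPLIANT = "compliant"          # antivirus active and up to date
    NON_COMPLIANT = "non_compliant"  # antivirus missing, inactive or outdated
    UNKNOWN = "unknown"              # no posture data (no agent, or Standard variant)


@dataclass(frozen=True)
class AccessRequest:
    """Inputs NAC evaluates on a connection attempt (labels are assumptions)."""
    user: Optional[str]       # None for headless devices such as printers
    role: str                 # "employee", "visitor", "printer", or "unknown"
    device_type: str          # "company_laptop", "personal_pc", "printer", ...
    connection_point: str     # e.g. "office-sw1-port12", "home-remote", "lobby-ap"
    posture: Posture


@dataclass(frozen=True)
class Decision:
    segment: str   # network the device is placed in (assumed segment names)
    reason: str


def evaluate(req: AccessRequest, variant: str = "Standard") -> Decision:
    """Map a request to a segment. Re-run whenever identity or posture changes;
    that is how access rights are adjusted during an existing session."""
    if req.role == "printer":
        return Decision("print-server-only", "printer talks only to its print server")
    if req.role == "visitor":
        return Decision("internet-only", "visitors get internet access only")
    if req.role == "employee":
        if variant == "Advanced" and req.posture is not Posture.COMPLIANT:
            # Advanced: posture is checked before and during access; isolate on failure
            return Decision("quarantine", f"posture {req.posture.value}, device isolated")
        if req.device_type == "company_laptop":
            return Decision("corporate-lan", "managed device, full internal access")
        return Decision("restricted", f"unmanaged {req.device_type} via {req.connection_point}")
    # Grey zone: unrecognised device on a port. Deny, and keep the reason for visibility.
    return Decision("deny", f"unknown device on {req.connection_point}")
```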