4.1. Creating Policy

One of the most important pieces of any network access control infrastructure is the policy engine. The policy engine is central to a NAC deployment because it controls the entire deployment: it holds the user access rules and directs the enforcement points in the network infrastructure.

NOTE

NAC central policy engines are called many different names:

  • Policy engine

  • Policy decision point

  • Policy server

  • NAC manager

  • NAC controller

The policy engine is responsible for determining whether a device or a particular usage should have access to the network. The policy engine also controls all the enforcement points on the network, whether the policy engine is a network appliance or a software agent running on a desktop machine or network server.

One of the primary roles of a policy engine is to make network access decisions based on access control policies determined by the NAC administrator. The core of the NAC policy typically includes three pieces of information:

  • Network information: Source, destination, port, and protocol

    NOTE

    Traditionally, a firewall policy examined the network information. The policy engine incorporates that function.

  • Endpoint integrity: Identifying hardware, applications, and the security posture of the endpoint.

  • User identity: Identifying the user and the user's groups.
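To show how a policy engine combines those three inputs into one decision, here is a small first-match-wins evaluator. This is an added illustration, not code from the book or from any NAC product; the rule fields, the "allow"/"deny"/"quarantine" decision values, the group names, addresses and posture flags are all constructed. The policy shows the ordering a practitioner cares about: an unhealthy endpoint is steered to remediation servers before it is quarantined, and a guest is denied internal subnets before the general guest web rule can match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, carrying the three kinds of facts the policy engine weighs."""
    src_ip: str            # network information (the classic firewall fields)
    dst_ip: str
    dst_port: int
    protocol: str
    av_enabled: bool       # endpoint integrity, as reported by a posture agent
    patches_current: bool
    user: str              # user identity and group membership
    groups: frozenset

    @property
    def healthy(self) -> bool:
        # Constructed posture rule: both checks must pass to count as healthy.
        return self.av_enabled and self.patches_current


@dataclass(frozen=True)
class Rule:
    """A policy rule; an empty field means 'any'. Rules are evaluated in order, first match wins."""
    name: str
    decision: str                     # "allow", "deny" or "quarantine"
    groups: frozenset = frozenset()
    dst_net: str = "0.0.0.0/0"
    dst_ports: frozenset = frozenset()
    protocols: frozenset = frozenset()
    posture: Optional[bool] = None    # True: healthy only, False: unhealthy only, None: any

    def matches(self, req: AccessRequest) -> bool:
        if self.groups and not (self.groups & req.groups):
            return False
        if ip_address(req.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_ports and req.dst_port not in self.dst_ports:
            return False
        if self.protocols and req.protocol not in self.protocols:
            return False
        if self.posture is not None and req.healthy != self.posture:
            return False
        return True


class PolicyEngine:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: AccessRequest):
        """Return (decision, rule name); anything no rule matches is denied."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.decision, rule.name
        return "deny", "default-deny"


# Constructed example policy (hypothetical subnets and groups). Order matters.
EXAMPLE_POLICY = [
    Rule("remediation-servers", "allow", dst_net="10.0.99.0/24",
         dst_ports=frozenset({80, 443}), protocols=frozenset({"tcp"}), posture=False),
    Rule("quarantine-unhealthy", "quarantine", posture=False),
    Rule("finance-to-erp", "allow", groups=frozenset({"finance"}),
         dst_net="10.0.10.0/24", dst_ports=frozenset({443}), protocols=frozenset({"tcp"})),
    Rule("guests-no-internal", "deny", groups=frozenset({"guest"}), dst_net="10.0.0.0/8"),
    Rule("guest-web-only", "allow", groups=frozenset({"guest"}),
         dst_ports=frozenset({80, 443}), protocols=frozenset({"tcp"})),
]


def decide(req: AccessRequest):
    return PolicyEngine(EXAMPLE_POLICY).decide(req)


def sample_requests():
    """Constructed requests that exercise each policy input and the rule ordering."""
    base = dict(src_ip="192.168.1.20", protocol="tcp")
    fin, guest, none = frozenset({"finance"}), frozenset({"guest"}), frozenset()
    return {
        "finance_ok": AccessRequest(dst_ip="10.0.10.5", dst_port=443, av_enabled=True,
                                    patches_current=True, user="alice", groups=fin, **base),
        "finance_unpatched": AccessRequest(dst_ip="10.0.10.5", dst_port=443, av_enabled=True,
                                           patches_current=False, user="alice", groups=fin, **base),
        "unpatched_to_remediation": AccessRequest(dst_ip="10.0.99.10", dst_port=443, av_enabled=True,
                                                  patches_current=False, user="alice", groups=fin, **base),
        "guest_to_erp": AccessRequest(dst_ip="10.0.10.5", dst_port=443, av_enabled=True,
                                      patches_current=True, user="visitor", groups=guest, **base),
        "guest_web": AccessRequest(dst_ip="203.0.113.7", dst_port=80, av_enabled=True,
                                   patches_current=True, user="visitor", groups=guest, **base),
        "unknown_user": AccessRequest(dst_ip="10.0.10.5", dst_port=443, av_enabled=True,
                                      patches_current=True, user="nobody", groups=none, **base),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        decision, rule = decide(req)
        print(f"{label:26} -> {decision:10} ({rule})")
```

The same finance user gets three different answers depending on destination and posture, which is the point of folding the firewall fields, the endpoint check and the identity lookup into one engine rather than three separate products.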

4.1.1. Controls

With NAC, the policy combines network, user, and device information, and the policy engine applies it through its primary job functions, the controls described below.

4.1.1.1. 802.1X control

The policy ...
