10.5. Other Enforcement

You can leverage protocols and standards for NAC enforcement in new or unique ways.

10.5.1. DHCP

The Dynamic Host Configuration Protocol (DHCP) is the method that most enterprises use to assign IP addresses to endpoints that connect to the network. When an endpoint connects, it has no address of its own yet, so it broadcasts a DHCPDISCOVER message (the exchange is loosely called a DHCP request). A DHCP server on the network answers with a DHCPOFFER that carries an address from its pool along with parameters such as the subnet mask, default gateway, DNS servers and lease time; the client accepts the offer with a DHCPREQUEST and the server confirms it with a DHCPACK, after which the endpoint can use the network.

DHCP makes IP assignment dynamic, so addresses change over time: an endpoint may receive a different address each time it connects, which makes an audit trail for its traffic hard to follow unless DHCP lease logs are correlated with the traffic logs. Without DHCP, every endpoint would need statically configured networking, a deployment and management nightmare that does not scale to large environments.

Certain NAC vendors can use DHCP to control network access for endpoints:

  1. When an endpoint connects to the network, it requests an IP address.

  2. The NAC solution, rather than the DHCP server, responds to the DHCP request.

  3. If the endpoint doesn't meet the corporate security policy or the user isn't authenticated yet, the NAC DHCP server sends a quarantine IP address back to the endpoint.

     This quarantine IP address differs from the normal IP addresses that corporate machines receive. DHCP enforcement separates user ...
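The DISCOVER/OFFER exchange described above and the three enforcement steps, worked through in code. This is an added example, not from the book or from any NAC vendor's product: the BOOTP/DHCP message layout follows RFC 2131, while the production and quarantine pools, the server address, the MAC-keyed posture table and the allocation scheme are all constructed for the demonstration.

```python
"""Toy DHCP-based NAC enforcement: DISCOVER in, OFFER out from the right pool.

Added example, not from the book or any vendor's product. The BOOTP/DHCP
layout follows RFC 2131; the pools, server address and posture table are
constructed for this demonstration.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 51, 53, 54, 255
DISCOVER, OFFER = 1, 2
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op..giaddr, chaddr, sname, file (236 bytes)

SERVER_IP = ipaddress.ip_address("10.10.0.2")  # hypothetical NAC DHCP server
SCOPES = {
    # Normal corporate range, long lease.
    "production": {"net": ipaddress.ip_network("10.10.0.0/24"), "router": "10.10.0.1", "lease": 86400},
    # Quarantine range, short lease so a remediated host is re-evaluated quickly.
    "quarantine": {"net": ipaddress.ip_network("192.168.250.0/24"), "router": "192.168.250.1", "lease": 300},
}
# Hypothetical posture store fed by the NAC authentication/assessment components:
# MAC -> (user authenticated, endpoint meets policy)
POSTURE = {
    "00:11:22:33:44:55": (True, True),
    "66:77:88:99:aa:bb": (True, False),
}


def parse_dhcp(pkt):
    """Return (msg_type, xid, client MAC, options) from a raw DHCP payload (UDP body)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    mac = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:  # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts.get(OPT_MSG_TYPE, b"\x00")[0], xid, mac, opts


def choose_scope(mac):
    """NAC decision: production only when authenticated and compliant, else quarantine."""
    authenticated, compliant = POSTURE.get(mac, (False, False))  # unknown MAC -> quarantine
    return "production" if authenticated and compliant else "quarantine"


def allocate(scope_name, mac):
    """Toy allocator: hash the MAC into the pool (a real server tracks leases); .1 and .2 are reserved."""
    hosts = list(SCOPES[scope_name]["net"].hosts())[2:]
    return hosts[int(mac.replace(":", ""), 16) % len(hosts)]


def bootp_header(op, xid, mac, yiaddr, siaddr):
    """Fixed 236-byte BOOTP header; ciaddr and giaddr are left zero."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    return struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,  # flags: ask for a broadcast reply
                       b"\x00" * 4, yiaddr.packed, siaddr.packed, b"\x00" * 4,
                       chaddr, b"\x00" * 64, b"\x00" * 128)


def make_discover(xid, mac):
    """Client side: a minimal DHCPDISCOVER (constructed input for the demo)."""
    zero = ipaddress.ip_address("0.0.0.0")
    return bootp_header(1, xid, mac, zero, zero) + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DISCOVER, OPT_END])


def handle_discover(pkt):
    """Server side: returns (scope name, DHCPOFFER bytes), or None for non-DISCOVER messages."""
    msg_type, xid, mac, _ = parse_dhcp(pkt)
    if msg_type != DISCOVER:
        return None
    scope_name = choose_scope(mac)
    scope = SCOPES[scope_name]
    yiaddr = allocate(scope_name, mac)
    opts = b"".join([
        bytes([OPT_MSG_TYPE, 1, OFFER]),
        bytes([OPT_SUBNET, 4]) + scope["net"].netmask.packed,
        bytes([OPT_ROUTER, 4]) + ipaddress.ip_address(scope["router"]).packed,
        bytes([OPT_LEASE, 4]) + struct.pack("!I", scope["lease"]),
        bytes([OPT_SERVER_ID, 4]) + SERVER_IP.packed,
        bytes([OPT_END]),
    ])
    return scope_name, bootp_header(2, xid, mac, yiaddr, SERVER_IP) + MAGIC_COOKIE + opts


def offered_address(offer):
    """yiaddr field of an OFFER, as a string."""
    return str(ipaddress.ip_address(offer[16:20]))


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"):
        scope_name, offer = handle_discover(make_discover(0x3903F326, mac))
        print(f"{mac} -> {scope_name:10s} {offered_address(offer)}")
```

Two design points worth noting. The quarantine scope hands out a deliberately short lease so that a host which authenticates or remediates is pushed back through the decision logic within minutes rather than a day. And the whole mechanism relies on the endpoint accepting the offered lease: a host whose owner statically configures an address in the production range never asks the NAC DHCP server for anything, which is why DHCP enforcement is normally combined with another control rather than relied on alone.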
