Network Access Control (NAC): 802.1X, RADIUS and Posture Assessment
Network Access Control (NAC) is a security framework that controls which devices may join the network. It authenticates identity (who you are), authorizes access (what you are allowed to reach) and assesses posture (whether the device is in a safe state). 802.1X is the standard for port-based authentication, RADIUS is the AAA server, and Posture Assessment checks device compliance before the device is admitted to the network.
Without NAC, anyone can plug in a LAN cable or connect to Wi-Fi and be on the network immediately, including unauthorized devices, compromised laptops and personal devices with no antivirus. NAC makes the network "ask" first: who are you? Is your device secure? Only then does it grant access according to policy.
NAC Components

| Component | Role | Examples |
| --- | --- | --- |
| Supplicant | Software on the endpoint that presents credentials | Windows 802.1X client, Cisco AnyConnect, SecureW2 |
| Authenticator | Network device that enforces access (switch/AP) | Cisco Catalyst switch, Aruba AP |
| Authentication Server | AAA server that verifies credentials and returns policy | Cisco ISE, Aruba ClearPass, FreeRADIUS |
| Policy Engine | Defines the rules: who gets what access, plus posture requirements | ISE policy sets, ClearPass enforcement policies |
| Posture Agent | Agent on the endpoint that reports device status | Cisco AnyConnect Posture, ClearPass OnGuard |
802.1X Authentication

| Feature | Details |
| --- | --- |
| Standard | IEEE 802.1X (Port-Based Network Access Control) |
| Protocol | EAP (Extensible Authentication Protocol) over LAN (EAPOL) |
| Flow | Supplicant ↔ EAPOL ↔ Authenticator ↔ RADIUS ↔ Auth Server |
| Port States | Unauthorized (blocked) → Authorized (open) after successful authentication |
| Wired | The switch port stays unauthorized until 802.1X authentication succeeds |
| Wireless | WPA2/WPA3-Enterprise use 802.1X for Wi-Fi authentication |
EAP Methods

| Method | Authentication | Certificate Required | Security |
| --- | --- | --- | --- |
| EAP-TLS | Mutual certificate (client + server) | Both client and server | Highest (mutual auth) |
| PEAP (MSCHAPv2) | Server cert + username/password | Server only | Good (common in enterprise) |
| EAP-TTLS | Server cert + inner auth (PAP/CHAP/MSCHAPv2) | Server only | Good (flexible inner method) |
| EAP-FAST | PAC (Protected Access Credential) | Optional | Good (Cisco proprietary) |
| MAB (MAC Auth Bypass) | MAC address (fallback for non-802.1X devices) | None | Low (MAC spoofable) |
RADIUS (Remote Authentication Dial-In User Service)

| Feature | Details |
| --- | --- |
| Protocol | UDP 1812 (authentication), UDP 1813 (accounting) |
| AAA | Authentication (verify identity) + Authorization (assign policy) + Accounting (log) |
| Attributes | RADIUS attributes carry policy information (VLAN, ACL, SGT, session timeout) |
| VLAN Assignment | RADIUS returns the VLAN ID; the switch places the port in the assigned VLAN |
| dACL | Downloadable ACL: RADIUS pushes an ACL to the switch (per-user filtering) |
| CoA (Change of Authorization) | The RADIUS server pushes policy changes to the switch (e.g., after a posture check) |
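The exchange described in the table above, as an added Python example that is not part of the original page and not code from any of the products it lists: the NAS builds an Access-Request with a hidden User-Password, a simulated authentication server answers with an Access-Accept carrying the tagged Tunnel-* attributes that assign a VLAN plus a Filter-Id naming an ACL, and the NAS checks the Response Authenticator before trusting the reply. It also covers the MAB row of the EAP table, because a MAB request is an ordinary Access-Request whose User-Name and User-Password are the device's MAC address. The shared secret, user store, VLAN numbers, ACL names and MAC address are all constructed for the demo, and the "server" runs in the same process instead of listening on UDP/1812.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed policy store: username -> (password, VLAN, Filter-Id ACL name).
# The second entry models MAB: the MAC address without separators is both name and password.
USERS = {
    "alice": ("s3cret", 10, "CORP-FULL"),
    "020000000001": ("020000000001", 30, "IOT-RESTRICTED"),
}

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def encode_attrs(attrs):
    # Type(1) Length(1) Value; Length covers the whole TLV, so a value is at most 253 bytes.
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data) and data[i + 1] >= 2 and i + data[i + 1] <= len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    if i != len(data):
        raise ValueError("malformed attribute list")
    return attrs

def build_access_request(identifier, secret, username, password, authenticator=None):
    request_auth = authenticator or os.urandom(16)  # fresh random Request Authenticator
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body

def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    # NAS-side check that the reply came from a server holding the shared secret.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])

def vlan_attrs(vlan_id, tag=1):
    """RFC 2868 tagged tunnel attributes that tell the switch which VLAN to assign."""
    t = bytes([tag])
    return [(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
            (TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
            (TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode())]

def handle_access_request(request, secret):
    # Simulated authentication server: check credentials, then return policy attributes.
    if request[0] != ACCESS_REQUEST or struct.unpack("!H", request[2:4])[0] != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attrs(request[20:]))
    entry = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    # Compare in the hidden domain: hide the stored password with the same Request Authenticator.
    if entry is None or not hmac.compare_digest(
            hide_password(entry[0].encode(), secret, request[4:20]), attrs.get(USER_PASSWORD, b"")):
        return build_response(ACCESS_REJECT, request, secret, [])
    return build_response(ACCESS_ACCEPT, request, secret,
                          vlan_attrs(entry[1]) + [(FILTER_ID, entry[2].encode())])

def parse_authorization(response):
    # What the authenticator (switch) pulls out of an Access-Accept.
    result = {"code": response[0], "vlan": None, "filter_id": None}
    for attr_type, value in decode_attrs(response[20:]):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            s = value[1:] if value and value[0] <= 0x1F else value  # strip the tag byte
            result["vlan"] = int(s.decode())
        elif attr_type == FILTER_ID:
            result["filter_id"] = value.decode()
    return result

def authenticate(secret, username, password, identifier=1):
    """Full NAS <-> server round trip, done in-process instead of over UDP/1812."""
    request = build_access_request(identifier, secret, username, password)
    response = handle_access_request(request, secret)
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the trusted server")
    return parse_authorization(response)
```

`authenticate(b"testing123", "alice", "s3cret")` returns the VLAN and ACL name the switch would apply, while a wrong password yields an Access-Reject with no attributes. A production server would also check the Message-Authenticator attribute (RFC 2869) and carry EAP-Message attributes for the 802.1X methods; this block stops at the packet framing and the authenticator check, which is the part the VLAN Assignment and dACL rows depend on.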
Posture Assessment

| Check | What is checked | Action if Fail |
| --- | --- | --- |
| Antivirus | AV installed, running and with up-to-date definitions | Quarantine VLAN + redirect to remediation portal |
| OS Patches | OS up to date (latest patches installed) | Limited access + prompt to update |
| Firewall | Host firewall enabled | Restrict access |
| Disk Encryption | Full disk encryption enabled (BitLocker, FileVault) | Deny access to sensitive resources |
| Domain Joined | Device joined to the corporate AD domain | Guest VLAN if not domain-joined |
| USB Storage | USB mass storage disabled | Flag for compliance review |
NAC Authorization Results

| Result | Action | Example |
| --- | --- | --- |
| Full Access | Place in corporate VLAN + full ACL | Corporate laptop, 802.1X + posture pass |
| Limited Access | Place in restricted VLAN + limited ACL | BYOD device, authenticated but no agent |
| Guest Access | Place in guest VLAN (internet only) | Guest user, web portal authentication |
| Quarantine | Place in quarantine VLAN + remediation portal | Failed posture check (no AV, outdated OS) |
| Deny | Block all access | Unknown device, failed authentication |
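The Posture Assessment and NAC Authorization Results tables, combined into one policy engine as an added Python example (not code from the page, and not how ISE or ClearPass implement their policy sets). It also models the CoA step from the RADIUS table: the session first gets a limited initial authorization at 802.1X time, then a second decision once the posture agent reports, and the engine says whether the two differ (which is when the server would send a CoA). The VLAN numbers, ACL names, the antivirus-definition and patch-age thresholds, and the choice to treat MAB devices as limited access are all assumptions made for the demo.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Access(IntEnum):
    """Authorization results, ordered so that min() picks the most restrictive."""
    DENY = 0
    QUARANTINE = 1
    GUEST = 2
    LIMITED = 3
    FULL = 4

# Constructed VLAN / ACL plan for the demo; real values come from the site design.
ENFORCEMENT = {
    Access.FULL: (10, "CORP-FULL"),
    Access.LIMITED: (20, "RESTRICTED"),
    Access.GUEST: (30, "INTERNET-ONLY"),
    Access.QUARANTINE: (99, "REMEDIATION-PORTAL-ONLY"),
    Access.DENY: (None, "DENY-ALL"),
}
MAX_AV_DEFINITION_AGE_DAYS = 3   # assumed thresholds; tune to local policy
MAX_OS_PATCH_AGE_DAYS = 30

@dataclass
class AuthContext:
    authenticated: bool
    method: str            # "eap-tls", "peap", "mab" or "guest-portal"
    domain_joined: bool
    posture_agent: bool    # agent present, so a posture report will follow

@dataclass
class PostureReport:
    av_running: bool
    av_definition_age_days: int
    os_patch_age_days: int
    firewall_enabled: bool
    disk_encrypted: bool
    usb_storage_disabled: bool

@dataclass
class Decision:
    access: Access
    vlan: Optional[int]
    acl: str
    reasons: list = field(default_factory=list)
    flags: list = field(default_factory=list)   # non-blocking findings (compliance review)

def _decide(access, reasons, flags=()):
    vlan, acl = ENFORCEMENT[access]
    return Decision(access, vlan, acl, list(reasons), list(flags))

def authorize(auth: AuthContext, posture: Optional[PostureReport] = None) -> Decision:
    """Map the authentication context and (optional) posture report to one result."""
    if not auth.authenticated:
        return _decide(Access.DENY, ["authentication failed or unknown device"])
    if auth.method == "guest-portal":
        return _decide(Access.GUEST, ["guest portal user: internet only"])
    if auth.method == "mab":  # assumption: MAB devices land in the restricted VLAN
        return _decide(Access.LIMITED, ["MAB device (MAC only, no agent): restricted VLAN"])
    if not auth.domain_joined:
        return _decide(Access.GUEST, ["device not domain-joined: guest VLAN"])
    if not auth.posture_agent:
        return _decide(Access.LIMITED, ["authenticated but no posture agent (BYOD)"])
    if posture is None:
        # Initial authorization before the agent reports; a CoA moves the session later.
        return _decide(Access.LIMITED, ["posture assessment pending"])
    # Each failed check contributes the access level from the posture table; the worst wins.
    outcomes, flags = [], []
    if not posture.av_running or posture.av_definition_age_days > MAX_AV_DEFINITION_AGE_DAYS:
        outcomes.append((Access.QUARANTINE, "antivirus missing or outdated: quarantine + remediation portal"))
    if posture.os_patch_age_days > MAX_OS_PATCH_AGE_DAYS:
        outcomes.append((Access.LIMITED, "OS patches outdated: limited access, prompt to update"))
    if not posture.firewall_enabled:
        outcomes.append((Access.LIMITED, "host firewall disabled: restricted access"))
    if not posture.disk_encrypted:
        outcomes.append((Access.LIMITED, "disk not encrypted: no access to sensitive resources"))
    if not posture.usb_storage_disabled:
        flags.append("USB mass storage enabled: flag for compliance review")
    if not outcomes:
        return _decide(Access.FULL, ["802.1X + posture passed"], flags)
    return _decide(min(a for a, _ in outcomes), [r for _, r in outcomes], flags)

def session_flow(auth: AuthContext, posture: Optional[PostureReport]):
    """Initial result at 802.1X time, result after posture, and whether a CoA is needed."""
    initial, final = authorize(auth), authorize(auth, posture)
    return initial, final, (initial.access, initial.acl) != (final.access, final.acl)
```

Because the checks accumulate and the most restrictive level wins, a laptop with stale antivirus definitions and missing patches is quarantined with both reasons recorded, while a USB-storage finding alone still yields full access with a flag for review. `session_flow` shows why the CoA row matters: a healthy corporate laptop starts in the restricted VLAN and only moves to the corporate VLAN after the posture report arrives.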
NAC Platforms

| Platform | Vendor | Strengths |
| --- | --- | --- |
| Cisco ISE | Cisco | Market leader, TrustSec/SGT, pxGrid, extensive integrations |
| Aruba ClearPass | HPE Aruba | Multi-vendor, flexible policies, strong BYOD |
| Forescout | Forescout | Agentless, device visibility, OT/IoT focus |
| Portnox | Portnox | Cloud-native NAC, easy deployment |
| FreeRADIUS | Open Source | Free, flexible, widely deployed |
| PacketFence | Open Source | Open source NAC with portal + VLAN management |
Deployment Best Practices

| Practice | Details |
| --- | --- |
| Start with Monitor Mode | Enable 802.1X in monitor mode first (log only, don't block) |
| Low-impact Mode | Use low-impact mode: open the port and apply a dACL (instead of blocking fully) |
| MAB Fallback | Configure MAB for devices that don't support 802.1X (printers, IoT) |
| Guest Portal | Set up a web portal for guest access (self-registration) |
| Phased Rollout | Pilot group → department → entire organization (one phase at a time) |
| Profile devices | Use profiling to identify the device type (CDP/LLDP, DHCP fingerprint, HTTP User-Agent) |
| Certificate auth | Use EAP-TLS (certificates) for corporate devices (stronger than passwords) |
Closing thoughts: NAC = Control Who and What Connects

- 802.1X: port-based authentication (supplicant → authenticator → RADIUS server)
- EAP methods: EAP-TLS (strongest, certificate), PEAP (common, password), MAB (fallback)
- RADIUS: AAA server; returns VLAN, ACL and SGT per user/device
- Posture: check AV, patches, firewall and encryption; quarantine on failure
- Results: full access, limited, guest, quarantine, deny
- Platforms: Cisco ISE, Aruba ClearPass, Forescout, FreeRADIUS
- Deploy: monitor mode first → low-impact → phased rollout