Network Access Control: 802.1X, NAC, RADIUS, TACACS+, MAB, Posture Assessment and Zero Trust Network
Network Access Control (NAC) controls which users and which devices are allowed onto the network. 802.1X provides port-based authentication, NAC platforms evaluate device compliance before granting access, RADIUS is used for network access authentication, TACACS+ is used for device administration, MAB supports devices that have no 802.1X supplicant, Posture Assessment checks the security state of the device, and Zero Trust Network applies the principle "never trust, always verify".
Most organizations still leave network ports open so that anyone can plug in a LAN cable: there is no authentication and no device compliance check → an attacker who plugs a laptop into a network port reaches the internal network immediately. NAC + 802.1X fixes this by authenticating every device before granting network access, checking posture (antivirus updated? OS patched?) and assigning a VLAN according to role.
RADIUS vs TACACS+
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Primary Use | Network access (WiFi, VPN, wired 802.1X) | Device administration (router/switch login) |
| Protocol | UDP (1812/1813) | TCP (49) |
| Encryption | Password only (rest in clear) | Entire packet encrypted |
| AAA | Authentication + Authorization combined | Authentication, Authorization, Accounting separated |
| Command Auth | No per-command authorization | Authorizes every command (e.g., allow “show” but deny “config”) |
| Multi-Vendor | IETF standard, supported by every vendor | Cisco developed — mainly Cisco devices |
| Products | Cisco ISE, FreeRADIUS, NPS, ClearPass | Cisco ISE, TACACS+ daemon, ClearPass |
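To make the Encryption row concrete, here is an added Python example (not code from the original article) that builds a RADIUS Access-Request and Access-Accept the way RFC 2865 describes: only the User-Password attribute is hidden with the MD5 keystream, every other attribute travels in the clear, and the NAS checks the Response Authenticator before trusting the reply. The shared secret, username, password and VLAN are constructed placeholders.

```python
import hashlib
import os
import struct

# Constructed values for this example only, not from any real deployment
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 81  # RFC 2865 / RFC 2868 attribute types

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Only this attribute is protected; the rest of the packet is plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(username: bytes, password: bytes, ident: int = 7, request_auth: bytes = b""):
    """NAS side: build an Access-Request and return it with its Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, SHARED_SECRET, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def access_accept(ident: int, request_auth: bytes, vlan: bytes) -> bytes:
    """Server side: Access-Accept carrying a VLAN; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    attrs = attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan)  # leading tag byte 0, then the VLAN id
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + SHARED_SECRET).digest() + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """NAS side: reject replies whose Response Authenticator does not match (forged or tampered)."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth
```

The keystream is only as strong as the shared secret, which is why the table lists RADIUS as "password only (rest in clear)" and why RADIUS over UDP is normally confined to a management network or wrapped in IPsec/RadSec.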
802.1X Authentication Flow
| Step | Action |
|---|---|
| 1. Port Unauthorized | Device plugs in → switch port is in the unauthorized state (only EAPoL allowed) |
| 2. EAP Identity | Switch sends EAP-Request/Identity → supplicant responds with username |
| 3. EAP Method | RADIUS server selects EAP method (PEAP, EAP-TLS) → exchange credentials |
| 4. RADIUS Decision | RADIUS validates credentials → Access-Accept + attributes (VLAN, ACL, SGT) |
| 5. Port Authorized | Switch applies VLAN/ACL from RADIUS → port transitions to authorized → traffic flows |
| 6. Re-authentication | Periodic re-auth (e.g., every 3600 seconds) → ensure device still compliant |
MAB (MAC Authentication Bypass)
| Feature | Details |
|---|---|
| What it is | Fallback authentication for devices without an 802.1X supplicant (printers, cameras, IoT) |
| How | Switch sends the device MAC address as username/password to RADIUS → lookup in database |
| Order | 802.1X timeout (30s) → fallback to MAB → RADIUS lookup MAC → assign VLAN |
| Security | Weak (MAC is spoofable); use together with profiling + posture assessment |
| Profiling | NAC profiles device type (DHCP fingerprint, HTTP UA, CDP/LLDP) → assign policy by type |
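The switch-side state machine from the 802.1X flow table and the MAB order row, with the profiling check that the Security row recommends, as an added Python simulation that is not part of the original article. The user, MAC, profile names, VLAN numbers and the simulated clock are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DOT1X_TIMEOUT = 30      # seconds without an EAPoL reply before the switch falls back to MAB
REAUTH_PERIOD = 3600    # periodic re-authentication interval from the flow table

# Constructed RADIUS data for this example: 802.1X users (password, VLAN) and
# MAB endpoints (MAC -> expected NAC profile, VLAN). Not from any real deployment.
DOT1X_USERS = {"alice": ("correct-horse", "10")}
MAB_ENDPOINTS = {"00:11:22:33:44:55": ("printer", "30")}
QUARANTINE_VLAN = "99"

@dataclass
class Port:
    state: str = "unauthorized"        # only EAPoL passes while unauthorized
    method: Optional[str] = None       # "dot1x" or "mab"
    vlan: Optional[str] = None
    authorized_at: Optional[float] = None

def radius_dot1x(username: str, password: str) -> Optional[str]:
    """Access-Accept returns the VLAN attribute; None stands for Access-Reject."""
    entry = DOT1X_USERS.get(username)
    return entry[1] if entry and entry[0] == password else None

def radius_mab(mac: str, observed_profile: str) -> Optional[str]:
    """MAB: the MAC is the only credential, so a known MAC whose profile (DHCP
    fingerprint, LLDP, HTTP UA) does not match what NAC expects goes to quarantine."""
    entry = MAB_ENDPOINTS.get(mac)
    if entry is None:
        return None                      # unknown MAC: Access-Reject
    expected_profile, vlan = entry
    return vlan if observed_profile == expected_profile else QUARANTINE_VLAN

def connect(port: Port, mac: str, supplicant: Optional[Tuple[str, str]],
            observed_profile: str, now: float) -> Port:
    """Switch authenticator: 802.1X first; after DOT1X_TIMEOUT with no supplicant, MAB."""
    if supplicant is not None:                     # EAP-Request/Identity was answered
        port.method, vlan = "dot1x", radius_dot1x(*supplicant)
    else:
        now += DOT1X_TIMEOUT                       # supplicant timer expires
        port.method, vlan = "mab", radius_mab(mac, observed_profile)
    if vlan is None:
        port.state, port.vlan, port.authorized_at = "unauthorized", None, None
    else:
        port.state, port.vlan, port.authorized_at = "authorized", vlan, now
    return port

def needs_reauth(port: Port, now: float) -> bool:
    """Authorized ports re-authenticate every REAUTH_PERIOD seconds to re-check compliance."""
    return port.state == "authorized" and now - port.authorized_at >= REAUTH_PERIOD
```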
Posture Assessment
| Check | What | Action if Non-Compliant |
|---|---|---|
| Antivirus | AV installed + definitions updated within X days | Quarantine VLAN → remediation portal |
| OS Patches | Critical patches installed (WSUS compliance) | Redirect to WSUS → auto-update |
| Firewall | Host firewall enabled | Block until firewall enabled |
| Disk Encryption | BitLocker/FileVault enabled | Block or limited access |
| Domain Joined | Device joined to corporate AD domain | Guest VLAN (not corporate network) |
| Certificate | Valid machine certificate installed | Deny corporate access → guest only |
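An added policy evaluator for the posture table above (example code, not from the article or from any NAC product). It runs every check against a device report and combines the failures so that the most restrictive action wins and every remediation step is returned. The 7-day definition age, the VLAN numbers, the choice of "limited" for disk encryption and the ordering of outcomes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Outcomes ordered from least to most restrictive (an assumed ordering for this example);
# the final decision is the most restrictive outcome among all failed checks.
FULL, LIMITED, QUARANTINE, GUEST, DENY = "full", "limited", "quarantine", "guest", "deny"
SEVERITY = {FULL: 0, LIMITED: 1, QUARANTINE: 2, GUEST: 3, DENY: 4}
VLAN_FOR = {FULL: "10", LIMITED: "20", QUARANTINE: "99", GUEST: "50", DENY: None}  # constructed VLAN plan
MAX_DEFINITION_AGE_DAYS = 7   # the "X days" from the table, chosen for this example

@dataclass
class Check:
    name: str
    passes: Callable[[dict], bool]
    on_fail: str          # outcome from the table's "Action if Non-Compliant" column
    remediation: str

CHECKS: List[Check] = [
    Check("antivirus", lambda d: d["av_installed"] and d["av_definition_age_days"] <= MAX_DEFINITION_AGE_DAYS,
          QUARANTINE, "redirect to remediation portal"),
    Check("os_patches", lambda d: d["critical_patches_missing"] == 0, QUARANTINE, "redirect to WSUS for auto-update"),
    Check("firewall", lambda d: d["host_firewall_enabled"], DENY, "block until host firewall is enabled"),
    Check("disk_encryption", lambda d: d["disk_encrypted"], LIMITED, "limited access until BitLocker/FileVault is on"),
    Check("domain_joined", lambda d: d["domain_joined"], GUEST, "guest VLAN only"),
    Check("certificate", lambda d: d["machine_cert_valid"], GUEST, "deny corporate access, guest only"),
]

def assess(device: dict) -> Tuple[str, str, List[str]]:
    """Run every check; return (outcome, vlan, remediation step for each failed check)."""
    outcome, remediation = FULL, []
    for check in CHECKS:
        if not check.passes(device):
            remediation.append(f"{check.name}: {check.remediation}")
            if SEVERITY[check.on_fail] > SEVERITY[outcome]:
                outcome = check.on_fail
    return outcome, VLAN_FOR[outcome], remediation
```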
NAC Platforms
| Product | Vendor | Features |
|---|---|---|
| Cisco ISE | Cisco | 802.1X, MAB, profiling, posture, SGT (TrustSec), pxGrid integration |
| Aruba ClearPass | HPE/Aruba | Multi-vendor NAC, profiling, guest, BYOD onboarding, policy engine |
| FortiNAC | Fortinet | Agentless visibility, IoT profiling, automated response |
| Portnox | Portnox | Cloud-native NAC, agentless, risk-based access |
| PacketFence | Open Source | Free NAC, 802.1X, VLAN assignment, captive portal |
Zero Trust Network Access (ZTNA)
| Principle | Implementation |
|---|---|
| Never Trust, Always Verify | Authenticate every access request — no implicit trust based on network location |
| Least Privilege | Give minimum access needed — micro-segmentation, per-app access (not full network) |
| Assume Breach | Design as if attacker is already inside — segment, monitor, detect lateral movement |
| Continuous Verification | Re-evaluate trust continuously — device posture, user behavior, context (time, location) |
| Micro-Segmentation | SGT (TrustSec), NSX micro-seg, identity-based firewall rules → per-user/per-app policies |
| Products | Zscaler ZPA, Cloudflare Access, Palo Alto Prisma Access, Cisco Duo + ISE |
Closing thoughts: NAC = Control Who and What Accesses Your Network
Network Access Control
- RADIUS: network access (WiFi, VPN, 802.1X) — UDP, password encrypted only
- TACACS+: device admin (router/switch) — TCP, full encryption, per-command authorization
- 802.1X: port-based auth → EAPoL → RADIUS → VLAN/ACL assignment → authorized
- MAB: fallback for non-802.1X devices (printers, IoT) — MAC as credential + profiling
- Posture: check AV, patches, firewall, encryption, domain → quarantine if non-compliant
- NAC: Cisco ISE, ClearPass, FortiNAC, Portnox, PacketFence — unified policy engine
- ZTNA: never trust + least privilege + assume breach + continuous verify + micro-segmentation
- Key: NAC is the foundation of Zero Trust — authenticate every device, assess posture, assign least-privilege access
Read more about Wireless Security WPA3 802.1X RADIUS and Network Security Architecture Defense in Depth at siamlancard.com, or from icafeforex.com and siam2r.com