NAC Explained
Network Access Control (NAC) is a method whereby unknown devices are not allowed to connect to a network before they are registered.
This adds to the stability of the network by keeping unauthorised devices separated from authorised devices.
The process looks like this in broad term:
- A device is attached to a network switch.
- The switch blocks all traffic except the EAP radius traffic which allows the device to speak to the switch.
- The switch sends the hardware MAC address of the device to the NAC server and asks if it knows the device.
- The NAC server replies with the virtual local area network (VLAN) id to place the device into, based on the answer.
- Unknown devices are put into a Registration vlan which will allow users to register and authorise the device or guests to receive internet only access.
- Known devices are placed into the vlan it is registered to. This will mostly be the default data vlan but could be Audio Visual, Guest, IoT, Legacy or any vlan configured.
- This ends the NAC interaction with the device except for a periodical re-authentication to ensure the device is still connected.
The NAC will manage wired and new wireless networks when the roll-out has been completed. It will not manage the old CSIR Wireless and CSIR Guest wifi networks.
Known Issues
Captive portal does not appear when a browser is opened
- Please ensure the proxy server is not configured and try again. You may have to restart the browser.
Windows does not connect to the network
- Some Windows devices have 802.1x authentication enabled. This clashes with CSIR NAC and will cause the device not to connect.
- Disable the 802.1x under the Network settings to enable connection.
VMWare virtual machines
- Older VMware player or workstation software have a problem connecting the guest OS network.
- Update to the latest version of software.
- Ensure the guest OS network is set to bridged and not NAT.
Small un-managed switches
- Devices connected to un-managed switches are not detected by NAC.
- This happens because the managed switch does not detect a port change.
- Connect all device to the un-manage switch, then disconnect and reconnect the power or unplug and replug the uplink cable to the managed switch.
- This should allow most devices to connect but this process will have to be followed every time a new device is connected to the un-managed switch.
- It is recommended that all devices have dedicated network points or are connected via wifi.
IP Phones reboot during device registration
- This happens due when the network port is bounced to allow stable vlan changes.
- The phone reboot only happens during the registration process which should only be once per device.