How to Implement Post-Admission NAC for Continuous Trust Monitoring

This guide provides an authoritative technical blueprint for implementing Post-Admission Network Access Control (NAC) with Continuous Trust Monitoring across enterprise venues including hospitality, retail, healthcare, and public-sector environments. It details the architectural shift from static pre-admission checks to dynamic, session-aware enforcement using RADIUS CoA, behavioural baselining, and telemetry integration. IT architects and network operations teams will find actionable deployment guidance, real-world case studies, compliance alignment notes, and measurable ROI frameworks.

📖 8 min read📝 1,882 words🔧 2 worked examples❓ 4 practice questions📚 9 key definitions

Listen to this guide

View podcast transcript

Welcome to the Purple Enterprise Architecture Briefing. I'm your host, and today we're tackling a critical shift in network security: moving from static authentication to Continuous Trust Monitoring using Post-Admission NAC. Joining me is our Senior Solutions Architect. Thanks for being here.

Pleasure to be here. This is a topic that's coming up in almost every enterprise design discussion right now.

Let's set the context. For years, we've relied on 802.1X and captive portals to secure the edge. Why is that no longer enough for environments like large retail chains or hospitality venues?

It comes down to the trust model. Traditional NAC — what we call Pre-Admission NAC — is like a bouncer at a club. They check your ID at the door, and if you're on the list, you're in. But once you're inside, the bouncer isn't watching what you do. In a network context, a device might authenticate perfectly cleanly. But what if, ten minutes later, that device downloads a malicious payload and starts scanning the internal point-of-sale subnet? Pre-Admission NAC has already done its job and stepped away. Post-Admission NAC is the security guard walking the floor. It continuously monitors the session and can intervene dynamically.

So we're talking about real-time behavioural analysis. How does that actually work under the hood?

Exactly. It requires two main components: telemetry ingestion and a dynamic policy engine. First, we need visibility. The Network Access Devices — the wireless LAN controllers, the switches — need to stream telemetry back to the NAC engine. We're talking NetFlow, IPFIX, RADIUS accounting data. The NAC engine uses this to establish a behavioural baseline. What does normal traffic look like for a guest device at a hotel? What does normal look like for a medical infusion pump? Once you have that baseline, deviations become detectable.

And when an anomaly is detected?

That's where the enforcement comes in, typically using RADIUS Change of Authorization, or CoA. If a guest device suddenly starts generating massive volumes of SMB traffic — the kind of traffic you'd see from a ransomware infection — the NAC engine detects the anomaly and fires a CoA request to the wireless controller. The controller can then bounce the client, drop them into a quarantine VLAN, or apply a restrictive access control list — all mid-session, without any manual intervention from your network team.

That sounds powerful, but also potentially disruptive if not implemented correctly. What are the common pitfalls you see in the field?

The biggest pitfall is turning on active enforcement too quickly. You have to follow a phased approach. Phase one is always Monitor Only. You need to let the system ingest telemetry and build accurate baselines. If you jump straight to enforcement, you will generate false positives, and in a hospitality or public venue setting, disconnecting legitimate users is an operational nightmare. I always tell clients: Monitor, Measure, Mitigate. That's the framework.

The Monitor, Measure, Mitigate framework. Let's unpack that.

Sure. Monitor means deploying in passive mode — all telemetry flowing in, no enforcement actions. Measure means reviewing the data, adjusting thresholds, and stress-testing your policies against known-good traffic. Mitigate is when you enable active enforcement, starting with a graduated response — perhaps a restrictive ACL before a full disconnect — and then escalating from there. Skipping directly to Mitigate is the single most common mistake I see.

What's the second major pitfall?

CoA failures. Change of Authorization relies on UDP port 3799. Often, firewalls between the central NAC engine and the branch routers block this traffic, or the RADIUS shared secrets are mismatched. If CoA fails, you don't have Post-Admission NAC; you just have a very expensive alerting system. Your logs will show the anomaly, but nothing will happen on the network. Always validate CoA in a lab environment before production rollout.

Let's talk about IoT. How does this apply to environments heavy on headless devices, like healthcare?

It's arguably even more critical there. Many medical IoT devices can't support 802.1X, so they rely on MAC Authentication Bypass, or MAB. MAB is incredibly vulnerable to MAC spoofing — an attacker can clone the MAC address of a trusted device and gain access to the clinical network. Post-Admission NAC mitigates this by profiling the device's behaviour. An infusion pump has a very predictable traffic pattern — it communicates with a specific internal server on a specific port, at regular intervals. If a device authenticates with the pump's MAC address but starts running port scans or communicating with external IP addresses, the continuous monitoring catches it instantly and quarantines the switch port.

That's a compelling use case. What about large public venues — stadiums, conference centres?

High-density environments are a perfect fit for this approach, but they come with their own challenges. You're dealing with thousands of concurrent sessions, all generating telemetry. Your NAC policy engine and your logging infrastructure need to be scaled to handle that ingest rate. We typically recommend a distributed architecture — local telemetry collectors at each venue feeding into a centralised policy engine — rather than trying to backhaul all raw telemetry across a WAN link. The Purple WiFi Analytics platform integrates well here, providing session-level context that enriches the NAC engine's decision-making.

Let's do a rapid-fire Q&A based on common client questions. First: Does Post-Admission NAC replace my firewall?

No. It complements it. Firewalls protect the perimeter and the boundaries between network segments. NAC protects the access edge and prevents lateral movement within the same segment. You need both.

Second: Can this integrate with our existing SIEM?

Absolutely, and it should. The NAC engine should be sending events to your SIEM for correlation. A quarantine event on the network combined with a corresponding alert in your endpoint detection system is a much stronger signal than either in isolation.

Third: What's the immediate ROI for a CTO?

Drastically reduced Mean Time to Respond. You're automating the quarantine of compromised devices from hours — or days — down to milliseconds. That protects your brand, reduces the operational burden on your network team, and provides the audit trail your compliance team needs for PCI DSS and GDPR.

Excellent. To wrap up: the key takeaways from today's briefing. Post-Admission NAC shifts your security model from a static entry check to continuous, dynamic trust evaluation. The enforcement mechanism is RADIUS Change of Authorisation — get that working reliably before anything else. Always deploy in phases: Monitor, Measure, Mitigate. Behavioural baselining is your foundation — invest the time to get it right. And finally, this approach aligns directly with Zero Trust architecture principles, which is where every enterprise network is heading.

Thanks for the insights, and thank you all for listening to the Purple Enterprise Architecture Briefing. If you'd like to explore how Purple's platform can support your Post-Admission NAC deployment, visit purple dot ai to speak with our solutions team.

Key Takeaways

✓Post-Admission NAC shifts security from a static entry check to continuous, session-aware trust evaluation — addressing threats that emerge after a device has been granted access.
✓RADIUS Change of Authorization (CoA) on UDP port 3799 is the enforcement mechanism that makes mid-session quarantine possible; validate it before any production rollout.
✓Always deploy in three phases: Monitor (passive telemetry), Measure (baseline validation and policy testing), and Mitigate (graduated active enforcement) — skipping phases is the leading cause of deployment failure.
✓Behavioural baselining must cover a full business cycle of at least four weeks to avoid excessive false positives from legitimate traffic variation.
✓MAC Authentication Bypass (MAB) is inherently vulnerable to spoofing; Post-Admission NAC with device profiling is essential for any environment relying on MAB for IoT access.
✓Micro-segmentation is a complementary control that limits blast radius if CoA enforcement is delayed — deploy both for defence in depth.
✓Automated continuous monitoring directly supports PCI DSS v4.0 Requirement 10 and GDPR Article 32, reducing compliance audit burden and providing a documented, automated response audit trail.

執行摘要

對於高密度環境（旅宿、零售、體育場館和公共部門場域）中的企業網路而言，傳統的准入前網路存取控制（Network Access Control）已不再足夠。靜態、特定時間點的驗證檢查，無法因應在獲得網路存取權限後遭受入侵或表現出惡意行為的裝置。裝置可能在通過 802.1X 策略引擎的乾淨驗證後，在數分鐘後開始掃描內部子網路或外洩資料。

准入後 NAC 將安全範式從「驗證並信任」轉變為持續信任監控。透過針對已建立的行為基準，持續評估裝置狀態、流量模式和工作階段上下文，IT 與網路營運團隊可以使用 RADIUS 授權變更（CoA）在工作階段期間動態執行策略。本指南提供了一個實用且不綁定特定廠商的准入後 NAC 實作藍圖。內容涵蓋架構考量、與 Guest WiFi 和 WiFi Analytics 平台的整合，以及在不影響使用者體驗的情況下降低風險的可行部署策略。

技術深度解析

從准入前到准入後的轉變

傳統 NAC 依賴 IEEE 802.1X、MAC 驗證繞過（MAB）或 Captive Portal，在授予存取權限之前驗證身分和狀態。一旦准入，裝置通常在工作階段期間可以暢行無阻地存取其分配的 VLAN 或微細分。這種模式有一個根本性的缺陷：它將准入視為一個二元的、一次性的事件。然而，威脅情勢並非以此方式運作。

准入後 NAC 引入了動態策略引擎，可持續監控作用中的工作階段。如果裝置開始掃描內部子網路、產生異常流量，或嘗試與已知的命令與控制（C2）伺服器進行通訊，NAC 解決方案會動態更改該裝置的網路權限。這是透過 RADIUS（RFC 5176）的授權變更（CoA）請求、與無線區域網路控制器（WLC）的 API 整合，或與 SD-WAN 架構直接整合來實現的——此主題在 SD WAN vs MPLS: The 2026 Enterprise Network Guide 中有深入探討。

持續信任監控架構的核心元件

生產級的准入後 NAC 部署需要四個整合元件協同運作。

遙測數據攝取 (Telemetry Ingestion) 是基礎。系統必須從 WLC、交換器、防火牆和端點偵測與回應 (EDR) 代理程式中攝取即時數據。這包括 NetFlow/IPFIX 數據、RADIUS 計費記錄、DNS 請求記錄，以及來自深度封包檢測 (DPI) 引擎的應用程式可視性指標。若沒有全面的遙測數據，策略引擎就如同盲目運作。

行為分析引擎 (Behavioural Analytics Engine) 處理遙測數據流，並將其與已建立的基準進行比較。機器學習模型越來越常用於自動化基準建構和異常評分，從而減輕手動設定的負擔。如需深入瞭解 AI 如何改變此領域，請參閱 The Future of Wi-Fi Security: AI-Driven NAC and Threat Detection 及其西班牙語對應版本 El Futuro de la Seguridad Wi-Fi: NAC Impulsado por IA y Detección de Amenazas 。

動態策略執行 (Dynamic Policy Enforcement) 是運作輸出。即時發送 RADIUS CoA 以重啟連接埠、變更 VLAN 分配或套用限制性存取控制清單 (ACL) 的能力，是准入後 NAC 與被動監控系統的區別所在。沒有可靠的 CoA，您擁有的只是警報系統，而非執行系統。

整合層 (Integration Layer) 將 NAC 引擎連接到更廣泛的安全生態系統：用於事件關聯的 SIEM 平台、用於已知惡意 IP 豐富化的威脅情資來源，以及用於使用者上下文豐富化的身分識別提供者。在面向訪客的環境中， WiFi Analytics 平台提供了會話級別的上下文，顯著豐富了策略決策。

標準與協定參考

標準	與准入後 NAC 的關聯性
IEEE 802.1X	基於連接埠驗證的基礎；提供 NAC 策略參考的身分綁定
RFC 5176 (RADIUS CoA)	會話中策略執行的協定機制
WPA3-Enterprise	為 802.1X 驗證交換提供更強的加密保護
PCI DSS v4.0	要求對網路存取進行持續監控並具備自動回應能力
GDPR Article 32	授權採取適當的技術措施以確保持續的機密性與完整性
NIST SP 800-207	准入後 NAC 直接實作的零信任架構 (Zero Trust Architecture) 框架

實作指南

部署准入後 NAC 需要採取分階段的方法，以避免大規模的網路中斷。試圖立即啟用主動執行，是部署失敗最常見的單一原因。

第一階段：可視性與基準建立（第 1-4 週）

在僅監控模式下部署 NAC 解決方案。在此階段不應設定任何強制執行動作。

首先，確保所有網路存取裝置（NAD）都將 RADIUS 計費數據和流量遙測發送到 NAC 策略引擎。在所有託管交換器和 WLC 上設定 NetFlow 或 IPFIX 匯出。在繼續之前，驗證 NAC 引擎是否正確接收並解析記錄。

讓系統觀察不同裝置設定檔的流量模式。這在醫療保健環境中尤為關鍵，因為醫療物聯網裝置具有高度可預測的流量模式；在零售環境中也是如此，因為銷售點（POS）終端機具有明確定義的通訊需求。基準奠定期間應至少涵蓋一個完整的業務週期（通常為四週），以擷取週末與工作日的差異。

第二階段：策略開發與測試（第 5-6 週）

建立基準後，開發基於風險的策略。根據業務風險而非純粹的技術指標來定義明確的隔離觸發條件。

對於零售環境，關鍵觸發條件可能是：任何來自 Guest VLAN 試圖路由到 POS VLAN 子網路的流量。對於旅宿環境，可能是：任何裝置每分鐘產生超過 500 次 SMB 連線嘗試。對於醫療保健環境：任何透過 MAB 驗證的裝置與其核准目的地清單之外的外部 IP 位址進行通訊。

透過模擬觸發條件，在實驗室環境中測試每項策略。驗證 NAC 引擎是否正確識別異常、產生 CoA 請求，以及 NAD 是否在可接受的時間窗口內（對於關鍵觸發條件，通常在 500 毫秒以內）套用新策略。

第三階段：分階段強制執行部署（第 7-10 週）

首先在低風險的網路區段上啟用主動強制執行。僅限員工使用的物聯網 VLAN 通常是一個很好的起點，因為與訪客或臨床網路相比，誤判對營運的影響有限。

從分階段的強制執行回應開始。與其立即斷開裝置連線，不如套用限制性的 ACL，允許基本的網際網路存取（至核准目的地的 HTTP/HTTPS），但封鎖所有內部路由。這可以減少誤判的影響，同時仍能遏制威脅。每日監控隔離佇列並根據需要調整閾值。

逐步將強制執行擴展到其他區段，並在繼續之前驗證每個區段。確保 RADIUS CoA 運作可靠 — NAC 引擎與所有 NAD 之間的 UDP 連接埠 3799 必須開啟，且共用金鑰必須一致。在交通運輸樞紐部署中，網路區段可能跨越多個實體位置，請驗證跨 WAN 連結的 CoA 回應時間。

第四階段：全面上線與持續最佳化

一旦所有區段都處於主動強制執行狀態，請建立持續優化的步調。每週審查隔離事件，識別重複發生的誤報，並相應地調整基準。將 NAC 事件串流與您的 SIEM 整合，以便與端點和周邊安全事件進行交叉關聯。

對於 Hospitality 部署，請考慮季節性的基準調整 —— 處於夏季旺季的飯店網路，其流量模式與 1 月份的同一網路會有實質上的不同。如果不進行更新，靜態基準在尖峰期間會產生較多的誤報。

最佳實踐

盡可能標準化採用 802.1X。 雖然 MAB 對於無周邊的 IoT 裝置是必要的，但 802.1X 提供了更強的密碼學身分綁定。確保在支援的情況下使用 WPA3-Enterprise。瞭解底層的射頻環境至關重要 —— 請參閱 Wi Fi Frequencies: A Guide to Wi-Fi Frequencies in 2026 以確保您的頻譜設計支援持續監控的管理開銷。

利用微分割（Micro-Segmentation）作為輔助控制。 將准入後 NAC 與網路微分割相結合。如果裝置受到危害且 CoA 回應因任何原因而延遲，微分割會將受波及範圍限制在該裝置自身的區段內。這兩種控制措施是互補的，而非多餘。

將強制執行原則與合規指令對齊。 確保為稽核人員記錄您的持續監控和自動化回應程序。PCI DSS v4.0 要求 10 規定必須對存取網路資源的所有行為進行記錄和監控。GDPR 第 32 條要求採取持續的機密性和完整性措施。准入後 NAC 直接滿足這兩項要求，但前提是必須保留稽核軌跡且自動化回應程序已正式記錄成冊。

考慮使用 BLE 進行物理情境強化。 在重視物理存在性的環境中（例如會議中心或零售賣場），整合 BLE 信標數據可以豐富 NAC 原則引擎的情境資訊。與位於公共區域的同一台裝置相比，在網路上通過驗證但物理位置處於限制區域的裝置是更高風險的訊號。請參閱 BLE Low Energy Explained for Enterprise 以獲取實作指南。

疑難排解與風險緩釋

CoA 失敗

在准入後 NAC 部署中，最常見的問題是 NAD 無法處理 RADIUS CoA 請求。症狀包括：NAC 引擎記錄了成功的 CoA 傳輸，但用戶端裝置仍留在網路上且存取權限未變。請透過在 NAD 擷取 UDP 連接埠 3799 的流量來進行診斷。常見原因包括防火牆規則阻擋了 CoA 連接埠、RADIUS 共用金鑰不匹配，或 NAD 的設定中未明確啟用 CoA。在正式上線前，務必在受控的測試中驗證 CoA。

誤報與營運中斷

過度嚴苛的行為基準會導致合法的裝置被隔離。這在旅宿業環境中尤為棘手，因為賓客裝置的行為難以預測——如果基準過於狹窄，串流影音、使用 VPN 以及雲端備份操作都可能觸發異常閾值。請務必採用漸進式的執行方法，並針對經常觸發警報的已知良好裝置維持白名單流程。

規模與吞吐量

持續監控會產生大量的遙測數據。在擁有 10,000 個並行工作階段的體育場或大型會議中心，NAC 策略引擎和記錄基礎架構必須進行擴充，以處理寫入速率，避免遺失記錄。遺失的遙測數據會造成盲點。請根據尖峰並行工作階段數（而非平均值）來規劃基礎架構規模，並在收集器層實作遙測緩衝，以因應突發狀況。

廠商鎖定

某些 NAC 廠商會實作專有的 CoA 擴充功能，這些功能僅能與其自身的硬體生態系統搭配運作。在確定部署架構之前，請確保您的 NAC 策略引擎支援標準的 RFC 5176 CoA，且您的 NAD 已列在廠商測試過的相容性矩陣中。

ROI 與商業影響

實作 Post-Admission NAC 可帶來可衡量的商業價值，其影響範圍遠超安全合規性。

縮短平均回應時間 (MTTR)： 自動化隔離將 MTTR 從數小時（在沒有專職 SOC 團隊的環境中甚至需要數天）縮短至毫秒級。對於擁有 500 家分店的零售連鎖店而言，這意味著分店中受駭的裝置在觸及 POS 網路之前就會被圍堵，無論現場是否有網路工程師。

營運效率： 網路營運團隊手動追查受駭裝置的時間顯著減少。自動化隔離與詳細的稽核記錄減輕了調查負擔，並加速了事件後報告的產生。

品牌與營收保護： 在面向公眾的環境中，防止賓客裝置成為更大規模入侵的跳板，能保護場館的商譽。飯店或零售環境中的資料外洩不僅會面臨 GDPR 的法規處罰，還會帶來直接影響營收的重大商譽受損。

降低合規成本： 具有完整稽核軌跡的自動化、持續監控，可降低合規稽核的成本與工作量。向 PCI QSA 證明您的網路具備自動化、即時回應能力，實質上比提交手動流程文件要容易得多。

Key Definitions

Post-Admission NAC

The continuous monitoring and dynamic enforcement of security policies on a device after it has been granted initial network access, as opposed to pre-admission checks which occur only at the point of connection.

Crucial for identifying devices that become compromised mid-session or exhibit malicious behaviour that was not apparent during the initial authentication phase. Directly relevant to any environment with guest or unmanaged device access.

Continuous Trust Monitoring

A security model in which trust is never permanently assumed; a device's posture, behaviour, and context are continuously evaluated against established baselines throughout the duration of its network session.

The operational philosophy underpinning Post-Admission NAC, and a direct implementation of NIST SP 800-207 Zero Trust Architecture principles.

Change of Authorization (CoA)

A RADIUS extension defined in RFC 5176 that allows a policy server to dynamically modify the session authorisation attributes of an active network client, including changing VLAN assignment, applying ACLs, or terminating the session entirely.

The technical enforcement mechanism that distinguishes Post-Admission NAC from passive monitoring. If CoA is not functioning, the system cannot enforce dynamic policies mid-session.

Behavioural Baselining

The process of establishing a statistically normal pattern of network activity for a specific device type, user role, or network segment over a defined observation period.

The foundation of anomaly detection in Post-Admission NAC. Baselines that are too narrow generate false positives; baselines that are too broad miss genuine threats. Typically requires a minimum of four weeks of observation across a full business cycle.

MAC Authentication Bypass (MAB)

A network access method that grants access based solely on a device's MAC address, typically used for headless IoT devices that cannot support 802.1X EAP authentication.

Inherently vulnerable to MAC spoofing attacks. Post-Admission NAC with device profiling is essential to secure any environment that relies on MAB, particularly healthcare and industrial IoT deployments.

Network Access Device (NAD)

The physical hardware component — typically a managed switch, wireless LAN controller, or VPN gateway — that enforces access policies at the edge of the network and receives CoA instructions from the NAC policy engine.

The NAD is the enforcement point. Its compatibility with RFC 5176 CoA and the reliability of its CoA processing are critical factors in any Post-Admission NAC architecture.

Telemetry

The automated, real-time collection and transmission of network operational data — including NetFlow/IPFIX records, RADIUS accounting data, syslog events, and SNMP traps — from network devices to a centralised analytics engine.

Provides the raw data stream required for the NAC behavioural analytics engine to operate. Gaps in telemetry coverage create blind spots where compromised devices can operate undetected.

Micro-Segmentation

The network architecture practice of dividing a network into small, isolated segments with granular access controls between them, limiting the lateral movement of an attacker or compromised device.

A complementary control to Post-Admission NAC. If a CoA enforcement action is delayed, micro-segmentation limits the blast radius of a compromised device to its own segment, preventing it from reaching critical assets on adjacent segments.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol providing centralised Authentication, Authorisation, and Accounting (AAA) management for users who connect to and use a network service.

The foundational protocol for both initial admission (Access-Request/Accept) and post-admission enforcement (CoA). Most enterprise NAC deployments are built on a RADIUS infrastructure.

Worked Examples

A large retail chain deploying Guest WiFi across 500 locations needs to ensure that compromised guest devices cannot scan or reach the Point of Sale (POS) network. The IT team has limited on-site resources and needs an automated, centrally managed solution. How should they implement Post-Admission NAC?

Deploy a cloud-hosted NAC policy engine with a distributed telemetry collector at each branch, avoiding the need for on-site NAC hardware.
Configure all branch WLCs and switches to send RADIUS accounting records and NetFlow data to the central NAC engine via encrypted tunnels.
Define a four-week baselining period covering both weekday and weekend traffic patterns for the Guest VLAN.
Create a critical violation policy: if any traffic from the Guest VLAN subnet attempts to route to the POS VLAN subnet (defined by IP range), the NAC engine immediately issues a RADIUS CoA to the local WLC.
The CoA instructs the WLC to apply a 'Quarantine' ACL to the specific client MAC address, dropping all traffic except DHCP and DNS, effectively isolating the device mid-session.
Configure an automated alert to the central NOC and log the event to the SIEM for post-incident analysis.
Validate CoA functionality at 10 pilot sites before rolling out to all 500 locations.

Examiner's Commentary: This approach leverages existing infrastructure (WLCs and RADIUS) without requiring endpoint agents, which is critical in a guest network environment where device management is not possible. The use of NetFlow for continuous monitoring ensures enforcement is based on actual traffic behaviour, not just device identity. The cloud-hosted model addresses the operational constraint of limited on-site resources, while the pilot validation approach reduces deployment risk at scale.

A hospital network has thousands of headless medical IoT devices using MAC Authentication Bypass (MAB) for initial access. The security team is concerned about MAC spoofing attacks and the inability to detect compromised devices mid-session. How can Post-Admission NAC mitigate these risks?

Deploy a NAC solution with device profiling capabilities that can ingest DHCP fingerprints, HTTP user agents, and traffic flow characteristics.
During the baselining phase, build a profile for each device type: an infusion pump communicates with a specific internal server on port 443 at regular intervals; a patient monitoring system communicates with a nursing station on a specific internal subnet.
Configure violation policies based on profile deviation: if a device authenticated via MAB as an infusion pump begins communicating with any external IP address, or initiates more than 10 connections per minute to non-approved internal destinations, trigger a quarantine.
Issue a RADIUS CoA to the switch to move the port to a quarantine VLAN, isolating the device from the clinical network while preserving connectivity for investigation.
Alert the clinical engineering team and the SOC simultaneously, providing the device MAC address, switch port, and the specific traffic anomaly that triggered the response.

Examiner's Commentary: Relying solely on MAB for pre-admission is a known security vulnerability, as MAC addresses can be trivially spoofed. By layering continuous behavioural profiling on top of MAB, the hospital can detect MAC spoofing attacks in real-time — a spoofed device will almost certainly deviate from the legitimate device's established traffic profile within minutes. The graduated alert process (clinical engineering and SOC simultaneously) reflects the operational reality of healthcare environments where clinical continuity must be balanced against security response.

Practice Questions

Q1. Your network operations team reports that the new Post-Admission NAC deployment is generating a high volume of false positives, quarantining legitimate guest devices in a busy hotel lobby. The guest services team is escalating complaints. What is the most appropriate immediate action, and what longer-term remediation should you plan?

Hint: Consider the phases of deployment and the specific traffic characteristics of a hospitality guest network.

View model answer

Immediately revert the enforcement policy from Active Quarantine to Monitor Only, or apply a less restrictive graduated enforcement ACL that limits internal routing without disconnecting the device. Review the behavioural baselines specifically for the Guest VLAN — hospitality environments have inherently unpredictable guest traffic including VPN usage, streaming services, and cloud backup. Extend the baselining period and widen the anomaly thresholds before re-enabling active enforcement. Longer-term, implement seasonal baseline adjustments and consider a tiered enforcement model where guest devices receive a less aggressive response than corporate or IoT devices.

Q2. During a pilot deployment, the NAC policy engine successfully detects anomalous behaviour and logs the event with a high-confidence anomaly score, but the client device remains on the network with unchanged access. The NOC receives the alert but no quarantine action has been applied. What is the most likely technical failure, and how do you diagnose it?

Hint: Think about the specific protocol and port used for mid-session enforcement.

View model answer

The most likely failure is that RADIUS Change of Authorization (CoA) is not functioning correctly between the NAC engine and the Network Access Device. Diagnose by capturing traffic on UDP port 3799 at the NAD to confirm whether the CoA packet is arriving. If it is arriving but being rejected, check the RADIUS shared secret configuration on both the NAC engine and the NAD. If it is not arriving, check firewall rules between the NAC engine and the NAD. Also verify that CoA is explicitly enabled in the NAD's RADIUS client configuration — many devices require a separate configuration statement to accept CoA requests.

Q3. A large conference centre is planning a Post-Admission NAC deployment ahead of a major trade show with an expected 8,000 concurrent WiFi users. The IT director is concerned about the telemetry infrastructure being overwhelmed during peak load. How should the architecture be designed to handle this scale?

Hint: Consider the difference between raw telemetry volume and processed event volume, and where in the architecture aggregation should occur.

View model answer

Implement a distributed telemetry architecture with local collectors at each access layer tier. Raw NetFlow and RADIUS accounting data should be aggregated and pre-processed at the local collector before being forwarded to the central NAC policy engine. This reduces WAN bandwidth consumption and processing load on the central engine. Size the central policy engine based on processed event rate, not raw telemetry volume. Implement telemetry buffering at the collector layer to handle burst conditions during peak load. Additionally, consider applying sampling to NetFlow data (e.g., 1-in-10 packet sampling) for general traffic monitoring, reserving full-rate telemetry for high-risk device segments. Validate the architecture under simulated peak load before the event.

Q4. A retail CTO asks whether implementing Post-Admission NAC will satisfy PCI DSS v4.0 Requirement 10 and reduce the scope of their annual QSA audit. How do you advise them?

Hint: Consider what PCI DSS Requirement 10 specifically mandates and what documentation a QSA will require.

View model answer

Post-Admission NAC directly supports PCI DSS v4.0 Requirement 10 compliance by providing automated, continuous logging and monitoring of all access to network resources and cardholder data environments. The automated quarantine capability demonstrates a real-time response mechanism, which satisfies the spirit of Requirement 10.7 (responding to failures of critical security controls). However, to reduce audit scope, the CTO must ensure that: the NAC event log is tamper-evident and retained for at least 12 months; automated response procedures are formally documented; and the QSA can review evidence of the system operating in production. Scope reduction is more likely to be achieved through network segmentation (isolating the CDE) than through NAC alone, but NAC significantly strengthens the evidence package presented to the QSA.

Continue reading in this series

Staff WiFi vs. Guest WiFi: Best Practices for Corporate Network Segmentation

A comprehensive technical guide for IT leaders on segmenting staff and guest WiFi networks. It covers VLAN architecture, 802.1X authentication, firewall policies, and the business impact of secure network design.

Staff WiFi vs. Guest WiFi: Best Practices for Corporate Network Segmentation

Apartment WiFi solutions: a comprehensive guide for businesses

This guide covers the architecture, deployment, and business case for apartment WiFi solutions in Build to Rent and multi-dwelling unit properties. It explains how Identity Pre-Shared Key (iPSK) technology creates secure, isolated network bubbles for each resident while supporting smart devices and IoT. Property developers, landlords, and BTR operators will find actionable deployment guidance, ROI data, and worked implementation scenarios.