802.1x and NAC
802.1x can use information including the machine name, client-side digital certificate, and username and password to identify and authenticate a user onto a port in the network. The authentication process can include any of the identity credentials or even a combination of these credentials. For instance, digital certificates can be used for device authentication, and username and password can be used for user authentication.
Network Admission Control (NAC) is also a form of authentication and can be considered a superset of 802.1x authentication. NAC can use 802.1x as a base for identity authentication. NAC then extends the authentication process to check the security posture or other posture credentials to ensure that the device has the latest operating system (OS) service pack (SP), hot-fix, and antivirus updates. The additional security checks that NAC performs are often referred to as a security posture or posture credential check of the endpoint or device.
NAC also offers the ability to quarantine a machine for remediation. Remediation involves allowing the machine to join a quarantined part of the network, such as a specific VLAN or quarantine VLAN. NAC can also enable the display of instructions on how to download the required OS SP and antivirus updates so that the machine can join the network safely and be removed from the guest or quarantine VLAN. Chapter 6, "Implementing Network Admission Control," provides a detailed overview of the NAC framework that is implemented with routers, switches, and Cisco ACS. The integration between 802.1x and NAC enables the identity and posture credential check to occur in a single 802.1x transaction. NAC can use 802.1x as a base for identity authentication, but then extend the authentication process to include other posture credentials such as OS patches and antivirus updates.
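The admission logic described above can be modeled as a small decision function. This is an added example, not code from the book or from any Cisco product. The VLAN numbers, posture field names, minimum versions, hot-fix identifiers, and the policy of requiring both device and user authentication are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy values for illustration only; a real deployment
# defines these on its policy server.
ACCESS_VLAN, QUARANTINE_VLAN = 10, 999
REQUIRED_MIN = {"os_service_pack": 3, "av_signature": 20240105}
REQUIRED_HOTFIXES = {"HF-EXAMPLE-1", "HF-EXAMPLE-2"}

@dataclass
class Endpoint:
    device_cert_valid: bool   # device authentication (client certificate)
    user_auth_ok: bool        # user authentication (username and password)
    posture: dict = field(default_factory=dict)  # reported posture credentials

@dataclass
class Decision:
    action: str               # "deny", "quarantine" or "permit"
    vlan: Optional[int]
    remediation: list

def missing_posture(posture):
    """Return one remediation item per posture credential below policy."""
    todo = []
    for key, minimum in REQUIRED_MIN.items():
        value = posture.get(key)
        # Fail closed: an unreported or malformed credential is non-compliant.
        if not isinstance(value, int) or value < minimum:
            todo.append(f"update {key} to >= {minimum}")
    reported = posture.get("hotfixes", ())
    reported = set(reported) if isinstance(reported, (list, tuple, set)) else set()
    for hotfix in sorted(REQUIRED_HOTFIXES - reported):
        todo.append(f"install hotfix {hotfix}")
    return todo

def admit(ep):
    """Identity check first (the 802.1x base), then the NAC posture check."""
    if not (ep.device_cert_valid and ep.user_auth_ok):
        return Decision("deny", None, [])
    todo = missing_posture(ep.posture)
    if todo:
        # Authenticated but non-compliant: quarantine VLAN plus instructions.
        return Decision("quarantine", QUARANTINE_VLAN, todo)
    return Decision("permit", ACCESS_VLAN, [])
```

An endpoint that authenticates but reports no posture at all lands in the quarantine VLAN with the full remediation list, which is the fail-closed behavior a posture check should have.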