
Network Access Control (NAC): What It Is and How Cisco Delivers It

Network Access Control (NAC) decides who and what is allowed on your network, authenticates every user and device, checks their security posture, and enforces policy, so insecure or unknown endpoints never reach your data. Cisco delivers NAC primarily through Identity Services Engine (ISE), and Uniqcli scopes, sources, and deploys it.

Authorized Cisco Partner · TAA compliant · DoDIN APL-ready · GPC accepted · Ships from US warehouses

Sized from real inputs

Access-point, port, and rack counts are derived from your facility, not guesswork or a generic template.

Validated Cisco BOM

We confirm the exact SKUs, licensing tier and term, services, and availability before you sign.

Procurement-ready

TAA-compliant posture, contract vehicle, and CLIN structure so the quote clears your buyer the first time.

Visibility, authentication, enforcement.

Enough detail for IT, procurement, and facilities to move together, then we validate the final BOM.

See every device

Profile and classify every endpoint, including guests, contractors, and unmanaged IoT, medical, and OT devices, in one inventory.

Authenticate before access

802.1X and MAC Authentication Bypass verify users and devices over RADIUS before a port ever forwards traffic.

Check posture & comply

Confirm patch level, antivirus, and encryption, then deny, quarantine, or grant restricted access to noncompliant devices.

Enforce & contain

Segment with Security Group Tags and automatically quarantine compromised endpoints to stop lateral movement.

At a glance

  • What it controls: wired, wireless, VPN, 5G
  • Cisco delivery: Identity Services Engine (ISE)
  • Authentication: 802.1X + MAB
  • Zero trust: identity + device pillars
How it works

How Cisco network access control works

NAC controls who and what connects, then enforces policy at the port. Cisco delivers it with ISE as the policy decision point and Catalyst/Meraki as enforcement.

NAC architecture

Visibility, authentication, posture, and enforcement: every device is identified and authorized before it reaches the network.

Zero-trust enforcement

Security Group Tags isolate risky, unknown, and noncompliant devices so a breach cannot move laterally.

Licensing (via Cisco ISE)

NAC license tiers

Cisco NAC is licensed through Cisco ISE, using three nested endpoint-count tiers plus a separate device-admin license.

Essentials

Core NAC and AAA

  • 802.1X / RADIUS authentication (AAA)
  • Guest access: hotspot, self-registration, sponsored
  • Easy Connect / PassiveID
  • Base endpoint visibility

Advantage

Segmentation, profiling, BYOD

  • Everything in Essentials
  • Endpoint profiling and AI Endpoint Analytics
  • TrustSec / Security Group Tag segmentation
  • BYOD onboarding and pxGrid context sharing
  • Rapid Threat Containment (ANC)

Premier

Posture, MDM, Threat-Centric NAC

  • Everything in Advantage
  • Posture visibility and enforcement
  • MDM/EMM integration (Intune, Jamf)
  • Threat-Centric NAC (CVSS-based)

Device Admin

TACACS+ device administration

  • Command-level control of network devices
  • Full configuration audit trail

Perpetual, licensed per deployment, separate from the endpoint tiers.

A separate, perpetual Device Administration (TACACS+) license is required for network-device administration. Cisco does not publish flat list pricing; Uniqcli quotes the exact tier mix and endpoint counts.

Agent vs agentless

How NAC handles each device type

NAC covers managed and unmanaged devices through different methods. ISE picks the right one per device class.

Device type                  | Method                           | ISE capability
Managed laptops and desktops | 802.1X with agent (deep posture) | EAP-TLS / TEAP plus Secure Client posture
Printers, cameras, IoT       | Agentless (MAB + profiling)      | MAC Authentication Bypass + AI profiling
Guests and contractors       | Web authentication portal        | Self-service and sponsored guest portals
BYOD                         | Self-service onboarding          | Certificate provisioning, SAML 2.0
OT and medical devices       | Agentless visibility             | Cyber Vision / IND context via pxGrid + SGT

Services included with every network access control quote.

Design & assessment

Architecture, readiness review, and right-sized BOMs from real facility inputs, not a generic template.

RF & site survey

On-site survey for SCIF, multi-floor, outdoor, and datacenter risk before install, so the count holds at turn-up.

Procurement & TAA

TAA-compliant sourcing, contract vehicle, CLIN structure, and a procurement-ready package that clears review.

Staging & configuration

Pre-staging, golden configs, labeling, and validation in our lab before anything ships to the site.

Cabling, install & cutover

Structured cabling, rack-and-stack, optics, and a low-risk cutover with full documentation and handoff.

Managed operations & support

Monitoring, firmware lifecycle, change windows, Smartnet, and quarterly health reviews after turn-up.

Built for federal & public-sector delivery.

19h

Average time from inquiry to a TAA-compliant Cisco BOM in the buyer's inbox.

±15%

First-pass estimate accuracy versus the validated post-survey BOM.

30d

From approved purchase order to live, supported Cisco network.

From scope to operating network.

Packaged as a Cisco services motion: assess, design, price, deploy, and operate with one validated quote path.

01 Use cases

Confirm users, sites, compliance needs, support term, and the business reason for the refresh.

02 Cisco stack

Map the right Catalyst, Nexus, controller, security, and licensing components to the scope.

03 Service package

Staging, cabling, cutover, validation, documentation, and managed handoff.

04 Quote package

Generate a planning estimate, then we validate the final Cisco quote.

Knowledge base

Network access control, explained in depth

A plain-English reference on NAC and how Cisco implements it.

What network access control is

Network Access Control (NAC) is the set of policies and technology that controls who and what can connect to a network. It provides visibility into every user and device, authenticates them, checks their security posture, and enforces access based on policy. A NAC system can deny access to noncompliant devices, quarantine them, or grant only restricted access.

The NAC process: visibility, authentication, posture, enforcement

  • Visibility: discover and profile every endpoint, including unmanaged IoT and OT
  • Authentication: verify users and devices with 802.1X or MAB over RADIUS
  • Posture: confirm patch level, antivirus, and encryption before access
  • Enforcement: assign VLANs, downloadable ACLs, or Security Group Tags, and quarantine when needed

802.1X and MAC Authentication Bypass

802.1X is the IEEE standard for port-based access control: a device authenticates before the port forwards traffic. Cisco ISE acts as the RADIUS server, supporting EAP-TLS and TEAP and integrating with Active Directory and Microsoft Entra ID. For devices that cannot run a supplicant, MAC Authentication Bypass (MAB) combined with profiling provides controlled access.
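As an added illustration, and not configuration from Cisco, ISE, or Uniqcli, the following Catalyst access-port configuration (IOS/IOS-XE legacy authentication-manager syntax) implements the order described above and in the device-type table: 802.1X is tried first, MAB is the fallback for printers and other supplicant-less devices, ISE returns the VLAN, downloadable ACL, or SGT, and a locally defined redirect ACL lets ISE steer non-compliant hosts to the posture or guest portal. The RADIUS server name and address, shared secret, VLAN numbers, ACL name, and interface are placeholders to be replaced with site values.

```cisco
! Global AAA: ISE is the RADIUS server for authentication, authorization and accounting
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   ! placeholder ISE PSN address
 key REPLACE-WITH-SHARED-SECRET                          ! placeholder shared secret
radius-server vsa send authentication                     ! carry Cisco AV-pairs (dACL, SGT, redirect)
radius-server vsa send accounting
ip device tracking              ! binds host IP to port so dACLs apply (newer IOS-XE: device-tracking policy)
ip http server                  ! required for URL redirection to the ISE portal
ip http secure-server
!
! Redirect ACL referenced by ISE's url-redirect-acl attribute: "deny" lines are NOT redirected
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain          ! let DNS through
 deny   ip any host 192.0.2.10          ! let the host reach ISE itself
 permit tcp any any eq www              ! everything else on 80/443 is redirected to the portal
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/10
 description ISE-controlled access port (user, phone, or IoT)
 switchport mode access
 switchport access vlan 10                                ! placeholder default data VLAN
 authentication host-mode multi-domain                    ! one voice + one data endpoint per port
 authentication order dot1x mab                           ! try 802.1X first, then MAB
 authentication priority dot1x mab
 authentication port-control auto                         ! no traffic forwarded until authorized
 authentication event fail action next-method             ! failed/absent supplicant falls through to MAB
 authentication event server dead action authorize vlan 10 ! critical auth if all PSNs are unreachable
 authentication event server alive action reinitialize
 authentication periodic                                  ! re-authenticate on the interval ISE sends
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10                               ! 3 x 10 s before a supplicant-less device reaches MAB
 spanning-tree portfast
```

With this in place the authorization result (VLAN, dACL, SGT, or the redirect ACL for quarantine) is decided entirely by the ISE policy set, so adding or changing a device class is an ISE change rather than a per-port switch change.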

NAC and zero trust

NAC is the identity and device foundation of zero trust. As the policy decision point, ISE authenticates users and devices, enforces least-privilege access through micro and macro segmentation, and contains threats automatically. This maps directly to the network and device pillars of the CISA Zero Trust Maturity Model, which is why federal, DoD, and SLED programs treat NAC as a baseline control.

Frequently asked questions

Common network access control questions, answered by the Uniqcli Team.

What is Network Access Control (NAC)?

NAC is the practice of controlling who and what connects to your network by combining visibility, authentication, posture/compliance checks, and policy enforcement. A NAC system can deny access to noncompliant devices, quarantine them, or grant only restricted access so insecure endpoints cannot infect the network. Uniqcli, an authorized Cisco partner, scopes and quotes NAC built on Cisco ISE to match your environment.

How does Cisco deliver NAC?

Cisco delivers NAC primarily through Cisco Identity Services Engine (ISE). ISE works alongside Cisco Catalyst and Meraki network infrastructure as 802.1X enforcement points, Cisco TrustSec for segmentation, and Cisco Duo for MFA and device trust. Uniqcli designs the full stack so the pieces work together.

What is 802.1X and does ISE require it?

802.1X is the IEEE standard for port-based network access control that authenticates a device before it gets network access, typically over RADIUS. ISE is a RADIUS server that enforces 802.1X with methods like EAP-TLS and TEAP and integrates with directories such as Active Directory and Microsoft Entra ID. ISE can also use MAB (MAC Authentication Bypass) for devices that cannot do 802.1X. Uniqcli helps phase 802.1X into existing networks with minimal disruption.

Agent vs agentless: does ISE need software on every device?

Both models are supported. Posture assessment for managed endpoints can use an agent for deep compliance checks, while profiling, MAB, and IoT/OT visibility work agentlessly by observing device attributes and ingesting context from tools like Cisco Industrial Network Director and Cyber Vision via pxGrid. Uniqcli recommends the right mix per device class during scoping.

What are the Cisco ISE license tiers for NAC?

ISE uses three nested subscription tiers: Essentials (core NAC, 802.1X, guest), Advantage (profiling, BYOD, TrustSec segmentation, context sharing), and Premier (posture, MDM, and Threat-Centric NAC), plus a separate Device Administration (TACACS+) license for network device administration. Each higher tier includes all lower-tier features. Uniqcli quotes the exact tier and quantity mix for your endpoint count.

How does ISE handle guest and BYOD access?

ISE provides customizable self-service portals (including SAML 2.0) for guest registration, authentication, and sponsoring, keeping visitor access separate from employee access. The same portals let employees onboard and manage their own BYOD devices, which reduces help-desk tickets. Uniqcli configures portals and policy to match your brand and security requirements.

How does ISE support IoT and OT security?

ISE profiles and classifies IoT/OT endpoints, then applies segmentation policies using Security Group Tags so unknown or risky devices are isolated and cannot move laterally. It ingests OT context from Cisco Industrial Network Director and Cyber Vision over pxGrid. This is widely used in manufacturing, healthcare, and critical infrastructure. Uniqcli scopes segmentation designs around your device inventory.

How does NAC enable zero trust?

NAC is the identity and device foundation of zero trust. ISE, as the policy decision point, authenticates users and devices, enforces least-privilege access through micro and macro segmentation, and automatically contains threats. Its participation in Cisco Common Policy lets identity context be shared across campus, data center, and multicloud. Uniqcli maps NAC deployments to recognized frameworks such as the CISA Zero Trust Maturity Model.

Can Cisco NAC run in the cloud?

Yes. ISE deploys as a physical appliance or virtual appliance on VMware, KVM, Hyper-V, Nutanix AHV, and Red Hat OpenShift, and in public cloud on AWS, Microsoft Azure, and Google Cloud (AWS and Azure also via their marketplaces). Uniqcli helps choose on-prem, virtual, or hybrid based on scale, redundancy, and compliance needs.

Is Cisco NAC suitable for government and regulated environments?

Yes. Cisco ISE aligns with Common Criteria (NDcPP), pursues DoDIN APL certification, undergoes FIPS 140 review, supports USGv6/IPv6 Ready certification, and allows administrator CAC/smart-card authentication. Note that ISE itself is not a FedRAMP-authorized cloud service. As an authorized Cisco partner, Uniqcli sources through TAA-compliant, GPC-eligible channels and scopes to your agency's requirements.

Start with an estimate, then validate the final BOM.
