Supplicant

Authenticator

Authentication Server

NAC Policy Engine

To block all traffic until encryption keys are exchanged

To only allow authentication traffic until the user is validated

To prevent IP address assignment from DHCP

To test the client’s posture before allowing access

IPsec

TLS

EAP

GRE

Access granted with limited privileges

Access granted with guest VLAN assignment

Authentication request ignored and connection fails

Authentication forwarded but not logged

To encrypt all user data after authentication

To prevent man-in-the-middle attacks during TLS handshake

To encrypt sensitive fields in RADIUS messages (e.g., password)

To validate Active Directory group membership

Constraints

Conditions

Settings

Attributes

Idle-Timeout

Session-Timeout

Framed-IP-Address

Vendor-Specific Attribute