Network Access Control (NAC)
Use this section when the appliance never gets usable network access — it lands in a guest/quarantine VLAN, gets no DHCP lease, or the switch port stays unauthorized. That's NAC denying the device before it can reach the firewall at all. See Connectivity Troubleshooting for the full background.
Why NAC blocks the appliance
The RTA is a headless Linux appliance. It is deliberately minimal:
- No 802.1X supplicant — it won't perform port-based EAP authentication.
- No domain membership, no NAC agent — so posture/compliance checks have nothing to talk to and will fail closed.
On an 802.1X-enforced port the appliance therefore falls through to whatever the NAC does with an unknown device: typically MAC Authentication Bypass (MAB) into a restricted VLAN, or an outright deny.
The fix: MAB allowlist + authorized VLAN + posture exemption
- Collect the appliance MAC address. Get it from the hypervisor/cloud console, the VM's NIC settings, or your DHCP server's lease table for the segment. (Note that on Hyper-V deployments MAC-address spoofing is enabled on the appliance NIC for L2 work, so allowlist the MAC the switch actually learns, not just the one shown in the VM settings.)
- Create a MAB allowlist entry for that MAC in your NAC (an endpoint identity group / static host list / registered-device list).
- Authorize it to a VLAN with outbound internet — the segment must be able to reach connect.remotetesting.secureworks.com:443 outbound (and from there to the in-scope targets per your engagement).
- Exempt it from posture / compliance — no agent, no AV, no domain check. Treat it like a managed appliance, not a user endpoint.
MAB is MAC-based — protect the allowlist entry
MAB authorizes by MAC address, which is spoofable. Scope the authorization tightly (the specific port/segment for the engagement) and remove the allowlist entry when the engagement ends.
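The following helper ties the steps above together: it finds the MAC the switch actually learned for the appliance (reconciling a DHCP lease table against a switch MAC table, so the Hyper-V caveat is covered), reports which VLAN the device landed in, builds a port-scoped, posture-exempt allowlist record with an engagement end date, and flags records that are due for removal. This is an added example, not code from this documentation or from any NAC vendor; the lease lines (dnsmasq format), the `show mac address-table` output (Cisco IOS format), the hostname `rta-appliance`, and the VLAN ids 999 (quarantine) and 20 (authorized) are all constructed assumptions for the sample.

```python
"""Reconcile a NAC MAB allowlist entry for a headless appliance (added example)."""
import re
from datetime import date

# Assumed VLAN ids for this sample; substitute your own.
QUARANTINE_VLAN = 999   # guest/quarantine VLAN unknown devices fall into
AUTHORIZED_VLAN = 20    # VLAN with outbound internet for the appliance


def normalize_mac(raw: str) -> str:
    """Normalise any common MAC spelling (aa:bb:.., AA-BB-.., aabb.ccdd.eeff) to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample: dnsmasq dhcp.leases (expiry, MAC, IP, hostname, client-id).
DHCP_LEASES = """\
1735689600 00:15:5d:01:02:03 10.50.99.17 rta-appliance 01:00:15:5d:01:02:03
1735689600 3c:52:82:aa:bb:cc 10.50.20.44 LAPTOP-J7 01:3c:52:82:aa:bb:cc
"""

# Constructed sample: Cisco IOS "show mac address-table" output.
SWITCH_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 999    0015.5d01.0203    DYNAMIC     Gi1/0/7
  20    3c52.82aa.bbcc    DYNAMIC     Gi1/0/12
"""


def parse_dhcp_leases(text: str) -> dict:
    """dnsmasq lease lines -> {hostname: normalised mac}."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            leases[parts[3]] = normalize_mac(parts[1])
    return leases


def parse_switch_mac_table(text: str) -> dict:
    """Cisco-style MAC table rows -> {normalised mac: (vlan, port)}; header lines are skipped."""
    row = re.compile(
        r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)\s*$"
    )
    table = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            table[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return table


def locate_appliance(hostname: str, leases_text: str, mac_table_text: str) -> dict:
    """Return the MAC the switch learned for the appliance, its port, and whether it is quarantined."""
    mac = parse_dhcp_leases(leases_text)[hostname]
    table = parse_switch_mac_table(mac_table_text)
    if mac not in table:
        raise LookupError(f"{mac} not in switch MAC table; check that the lease is current")
    vlan, port = table[mac]
    return {"mac": mac, "vlan": vlan, "port": port, "quarantined": vlan == QUARANTINE_VLAN}


def build_allowlist_entry(location: dict, engagement_end: str) -> dict:
    """MAB allowlist record: MAC pinned to one port, authorized VLAN, posture exempt, dated."""
    return {
        "mac": location["mac"],
        "port": location["port"],             # scope tightly: the engagement port only
        "authorized_vlan": AUTHORIZED_VLAN,
        "posture_exempt": True,               # no agent, AV or domain check on the appliance
        "engagement_end": date.fromisoformat(engagement_end),
    }


def expired_entries(entries: list, today: str) -> list:
    """Entries whose engagement has ended and which should now be removed from the NAC."""
    cutoff = date.fromisoformat(today)
    return [e for e in entries if e["engagement_end"] < cutoff]


if __name__ == "__main__":
    loc = locate_appliance("rta-appliance", DHCP_LEASES, SWITCH_MAC_TABLE)
    entry = build_allowlist_entry(loc, "2025-02-28")
    print("appliance:", loc)
    print("allowlist entry:", entry)
    print("due for removal on 2025-03-01:", expired_entries([entry], "2025-03-01"))
```

Run it as-is to see the sample appliance reported in the quarantine VLAN on Gi1/0/7; in practice you would paste your own lease and MAC-table output into the two constants and feed the resulting record into the NAC's endpoint group or static host list.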
Vendor guides
- Cisco ISE — endpoint identity group + MAB authorization policy + posture bypass.
- Aruba ClearPass — MAC Authentication service + static host list + enforcement profile.
Other NAC platforms (FortiNAC, Forescout, etc.)
The pattern is identical everywhere: allowlist the MAC (MAB), drop it in a VLAN with egress, skip posture. Map those three steps onto your product. Ask your Sophos engagement lead if you need help with a platform not listed here.