Network Access Control Service
Designed for Your Cloud

Enforce network access control (NAC) for trusted identities with SecureW2's agentless 802.1X platform.
Leverage policies from Okta, Entra ID, Jamf, CrowdStrike, and more to ensure only trusted, compliant users/devices access the network.

What Real Customers Have to Say About SecureW2

At SecureW2, we have a laser focus on making products and services that customers love. But don’t take our word for it, check out what some of our customers are saying:

Best Support & Implementation Experience In my Career

5-Star Support Experience - Thorough assistance for planning, testing and implementation - Fantastic functionality - Thorough Integration Support

Josh H., Computer Software

Like a great Offensive Lineman

The implementation was seamless and easy. It worked immediately, and the individuals working with us were able to tell us exactly what to do.

Reagan H., Financial Services

SecureW2 Makes Wi-Fi Authentication Easy

With SecureW2, we are finally able to stop using user names and passwords for Wi-Fi authentication and strictly use machine-based certificates. This has alleviated several pain points with our users.

Verified User in Primary/Secondary Education

Quick, painless deployment with little to no maintenance

Very little time was spent configuring the product. SecureW2 was able to help walk my team through all necessary configurations to create our PKI environment and automate certificate deployment. Since then everything has simply just worked and is integrated perfectly with our device lifecycle.

Verified User in Information Technology and Services

Easy to integrate, simple to deploy, securing a large global network.

The White Glove Service made it easy to implement and connect to our services. The team has been very knowledgeable, and implementation into the network was very simple.

Jason B., Information Technology and Services

Network Access Control FAQs

How Does a PKI and RADIUS Enable Network Access Control?

Network access control (NAC) combines software, rules, and policies to help establish access control in a restricted environment. NAC solutions can be achieved using various technologies. Some use agents that always stay active on devices, while others leverage infrastructure outside the device. SecureW2’s network security solution leverages RADIUS and PKI technology to control access and authorization of your network without requiring an agent to stay persistently active on the device. Our PKI integrates with your identity and device management infrastructure so you can be confident that only trusted users and devices are issued certificates. Since certificates can be configured to be non-exportable from the device (unlike passwords), you have high assurance of the users/devices behind every network connection. But you need a server to validate all those certificates, and our Cloud RADIUS server was designed from the ground up for certificate-based authentication. It leverages powerful identity integrations to see and apply the latest policies in your identity infrastructure to determine in real time which devices or authorized users should be allowed in the network and how much access they should be granted.

What Network Access Control Policies Can Be Configured in SecureW2?

With the Network Access Controls options in our management portal, you can configure role-based, policy-based, and attribute-based access policies. Role-based access control (RBAC) assigns users permissions based on the organization's designated roles. Policy-based access control sets policies to manage user access to data and systems. Attribute-based access control applies access policies based on very granular attributes for precise decision-making, like name, email address, geographical location, or environmental attributes. SecureW2 was designed to ingest any attribute, role, or group from your identity or device management systems. This provides a foundational platform to enable highly automated network access control. The most common policies configured in SecureW2 are for VLAN segmentation. Cloud RADIUS makes run-time policy decisions based on the attributes you configure in your certificates or the lookup during authentication to segregate authorized users into separate VLANs.

How Does a Public Key Infrastructure (PKI) Enable More Robust Network Security Policies?

At a high level, you can identify with 100% accuracy the users/devices allowed on your network, enabling world-class segmentation. A Public Key Infrastructure (PKI) allows your organization to implement the security of digital certificates. Certificate templates contain in-depth context that can be used to create policies, including factors such as:
  • User Attributes
  • User Groups
  • Device Serial Number
  • User Email
  • Operating System
  • Whether the device is managed or unmanaged
  • Issuing Certificate Authority
  • Model Number
  • MAC Address
  • Certificate Validity
Administrators can easily create policies around specific user groups, such as segmenting different departments into their own VLANs. You can also create policies that put particular types of devices into their own networks, such as preventing BYODs/unmanaged devices from accessing a given network. Our unique managed PKI integrates seamlessly with your existing infrastructure to leverage the most up-to-date information. We have advanced integrations with MDMs like Intune and Jamf that allow us to automatically revoke certificates when users are moved into particular smart or static groups. This ensures that only the most current access policies are consistently applied.

Why Should I Consider Transitioning Away from Password-Based Network Authentication?

Password-based authentication leaves your network resources vulnerable to security risks like Man-in-the-Middle (MITM) and phishing attacks. Aside from direct attacks by hackers, your end-users may mismanage their passwords. Users often forget, reuse, and even share passwords with friends, family, and colleagues. Passwords also offer zero assurance around device trust, which is now a NIST requirement for any organization doing research or working with federal entities. There’s also the end-user experience to consider. Managing a plethora of ideally unique and complex passwords can be frustrating. By using a passwordless form of authentication, such as digital certificates, your users no longer have to deal with the annoyance of creating new passwords or being disconnected from resources when their passwords expire. Transitioning to passwordless network authentication secures your network through phishing-resistant digital certificates. You can set specific policies to take complete control of your network.

How Do Your PKI and RADIUS Integrate with Our Infrastructure?

SecureW2’s PKI and RADIUS can integrate with your infrastructure in various ways. First, our PKI can leverage information from your Identity Provider or device management platform at the time of certificate enrollment, encoding those attributes in certificate templates. With Intune and Jamf, our PKI uses enhanced integrations, allowing for automatic certificate revocation. Cloud RADIUS integrates with all major cloud Identity Providers, but has enhanced integration with Azure AD (Entra ID), Google, Okta, and OneLogin. At the time of authentication, Cloud RADIUS can verify a user’s status in any of the aforementioned IdPs in real time. If you haven’t had time to revoke a certificate, Cloud RADIUS’s Identity Lookup feature will deny network access if the user has been deactivated in your identity platform.

Can I Use the Security Policies from My Cloud Identity Provider on Your Platform?

Yes, SecureW2 was designed with this specifically in mind. Security policies determine who gets access to what on an organizational network. As an existing organization, you may have set security policies on your infrastructure that can be used on SecureW2’s platform. SecureW2’s Dynamic Policy Engine integrates with existing IdPs like Google, Okta, and Azure, which helps admins implement policy decisions during authentication. Our Cloud RADIUS allows you to enforce policies with user/device lookup in real time against IdPs to ensure secure and efficient access management.

Can I Leverage My Security Policies from my MDM with Your Platform?

You can seamlessly transfer security policies from your MDM to SecureW2’s Managed PKI. Our Managed PKI lets you transfer security policies from major MDMs like Jamf, Intune, and Mosyle, to name a few. Integrating with SecureW2’s Managed Gateway API lets you use SCEP, JSON, and ACME to provide digital certificates to Windows, macOS, iOS, and Google Chromebooks. You can now set policies and send configuration profiles to your managed devices for auto-enrollment and 802.1X authentication for effective policy enforcement. With SecureW2, you can enable zero-touch issuance, renewal, and revocation of certificates. Our PKI employs advanced integrations with Intune and Jamf in particular. If you use Intune or Jamf, we can check specific groups in them every several minutes, automatically revoking certificates from devices in those groups.

Does Your Platform Offer Network Access Control Solutions for IoT Devices that Can’t Support Certificate-Based Authentication?

Cloud RADIUS supports MAC Authentication to provide network access control for devices that do not support 802.1X authentication, like printers and IoT devices. SecureW2’s Cloud RADIUS supports MAB and MAC address filtering. It segments your devices with a dynamic access list and VLAN assignments, so your less secure IoT devices are properly segmented from trusted, managed devices. You can easily upload .csv files, including all your devices, segment them into groups, and dynamically segment them into different VLANs.

How Can We Allow Guest Network Access without Compromising Network Security?

Cloud RADIUS offers an easy-to-use Web Authentication captive portal as one option. It works by presenting a captive portal when users join the network. After their credentials are validated, they are authorized to access the network. The MAC Address is saved for subsequent authentications and for admins to understand and track the users and devices using the network.

JoinNow NetAuth is another product by SecureW2 that allows secure guest network access without compromising network security. Your guests can access your network through self-registration or sponsored access. JoinNow NetAuth also allows you to automate access policies where you can determine the level of access that can be provided to a guest on your network. Your guests can access an encrypted network when it is combined with SecureW2's JoinNow MultiOS.

What's the Difference Between Network Admission Control and Network Access Control?

Network Admission Control or Network Access Control prevents access to a network unless specific conditions and policies are met. When a corporate network is configured for NAC solutions, users and devices must authenticate before accessing corporate networks and applications. NAC is enforced through various devices and solutions, like switches, routers, VPNs, and credential-based access. Network Admission Control denies access to unauthorized or non-compliant devices and quarantines them, thus securing network endpoints from unauthorized access and security threats while enhancing network security.