Security Operations · SY0-701 · Task 4.5

Network access control (NAC) — SY0-701

Understand Network Access Control (NAC) for CompTIA Security+ SY0-701: what it is, how it works, and the exam traps around credentials vs. device health checks.

WHAT IT IS

Network access control (NAC) is "a feature provided by some firewalls that allows access based on a user's credentials and the results of health checks performed on the telework client device." (NIST SP 800-41 Rev. 1)

In plain terms: NAC is a mechanism that evaluates both who is connecting (identity) and what is connecting (device state) before granting a network access request. Access control itself is "the process of granting or denying specific requests for obtaining and using information and related information processing services." (NIST SP 800-53 Rev. 5)


Mental model

Think of NAC as a two-key lock on the network door. One key is your credential — an object that "authoritatively binds an identity ... to at least one authenticator that is possessed and controlled by a subscriber" (NIST SP 800-63-4). The other key is the health check result from the device itself. Both keys must turn before the door opens. Neither alone is sufficient.


When to use it

NAC appears in scenarios where the security concern is not just who is asking for access, but whether the asking device meets policy. The table below shows where NAC sits relative to adjacent controls:

| Control | Primary question answered | Acts on |
| --- | --- | --- |
| NAC | Is this device healthy AND is this user credentialed? | Endpoint + identity together |
| Firewall rule | Does this traffic match a permitted flow? | Packets / ports / protocols |
| Web filtering | Is this destination URL/category permitted? | Outbound web requests |
| DNS filtering | Does this domain resolve to a permitted address? | DNS query responses |

Use NAC when the policy goal is to prevent non-compliant endpoints — devices that fail health checks — from reaching the network at all, before any traffic-level decision is made.


COMMON MISCONCEPTION

The exam exploits the tendency to treat NAC as purely an authentication mechanism. Authentication is "verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources" (FIPS 200). NAC does perform that credential check — but the NIST definition explicitly adds a second gate: health checks on the client device. Candidates who define NAC as only credential-checking miss the device-state half of the mechanism and will mis-identify scenarios where the device's compliance posture is the deciding factor.

A second misconception is conflating NAC with a firewall. A firewall "controls the flow of network traffic between networks or hosts that employ differing security postures" (NIST SP 800-41 Rev. 1) — it acts on traffic flows. NAC acts upstream of traffic flow, at the moment of network admission, using device health results to decide whether a device is admitted at all.


How it shows up on the exam

The cognitive target is analysis: given a scenario, identify which control addresses both identity and device compliance simultaneously.

Signal phrases to watch for in questions:

  • "only allow devices that meet patch level / antivirus requirements" — points toward NAC's health-check gate
  • "telework client" or "remote device" — the NIST definition specifically grounds NAC in the telework context
  • "credentials alone are not sufficient" — signals that device state must also be evaluated, which is NAC's distinguishing function

Candidates often confuse NAC with pure authentication solutions (which verify identity but do not assess device health) or with firewall rules (which filter traffic but do not perform credential or health-check evaluation at admission). When a question combines both identity verification and endpoint compliance as requirements for network entry, that combination is the signature of NAC.


How it works (admission sequence)

Both gates — credential verification and device health check — must pass for network admission. Failure at either gate denies access.
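The two-gate admission decision, written out as an added example (not code from the page or from any NAC product). The policy thresholds, the posture fields and the sample devices are constructed assumptions; the point is that a valid credential with a non-compliant device, and a compliant device with a failed credential, are both denied, and that every unmet requirement is recorded so the denial can be logged and investigated.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy thresholds (constructed for this example, not from any real NAC product).
MIN_PATCH_LEVEL = 202406        # YYYYMM of the oldest acceptable patch baseline
MAX_SIGNATURE_AGE_DAYS = 7      # antivirus signatures older than this are stale

@dataclass
class PostureReport:
    """Health-check results reported by the client agent (constructed fields)."""
    patch_level: int            # YYYYMM of the last applied patch baseline
    av_running: bool
    av_signature_date: date
    disk_encrypted: bool
@dataclass
class AdmissionDecision:
    admitted: bool
    reasons: list[str] = field(default_factory=list)   # empty when admitted

def check_credential(credential_valid: bool) -> list[str]:
    """Gate 1 (identity): the authenticator was verified or it was not."""
    return [] if credential_valid else ["credential: authentication failed"]

def check_health(report: PostureReport, today: date) -> list[str]:
    """Gate 2 (device state): report every unmet requirement, not just the first."""
    failures = []
    if report.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"health: patch level {report.patch_level} below {MIN_PATCH_LEVEL}")
    if not report.av_running:
        failures.append("health: antivirus not running")
    elif today - report.av_signature_date > timedelta(days=MAX_SIGNATURE_AGE_DAYS):
        failures.append("health: antivirus signatures stale")
    if not report.disk_encrypted:
        failures.append("health: disk not encrypted")
    return failures

def decide_admission(credential_valid: bool, report: PostureReport, today: date) -> AdmissionDecision:
    """Both gates must pass. Failures from both are collected so the denial log is complete."""
    reasons = check_credential(credential_valid) + check_health(report, today)
    return AdmissionDecision(admitted=not reasons, reasons=reasons)
# Constructed sample inputs: a compliant laptop and one that missed patches and AV updates.
TODAY = date(2024, 9, 1)
HEALTHY = PostureReport(patch_level=202408, av_running=True, av_signature_date=date(2024, 8, 30), disk_encrypted=True)
STALE = PostureReport(patch_level=202401, av_running=True, av_signature_date=date(2024, 7, 1), disk_encrypted=True)

if __name__ == "__main__":
    print(decide_admission(True, HEALTHY, TODAY))   # admitted
    print(decide_admission(True, STALE, TODAY))     # denied: valid credential, non-compliant device
    print(decide_admission(False, HEALTHY, TODAY))  # denied: compliant device, failed credential
```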


Related concepts

  • Firewall rules — traffic-level control that acts after network admission; NAC and firewall rules are complementary, not interchangeable
  • Web filtering — controls outbound web destinations; operates on permitted traffic, not on admission decisions
  • DNS filtering — controls domain resolution; operates on DNS queries, not on endpoint health or identity

Sources

Every claim on this page traces to the public exam blueprint and the official documentation cited inline (NIST SP 800-41 Rev. 1, NIST SP 800-53 Rev. 5, NIST SP 800-63-4, FIPS 200).
