Gartner Market Guide For NAC


3/10/22, 7:01 PM Gartner Reprint

Licensed for Distribution

Market Guide for Network Access Control


Published 2 June 2021 - ID G00728625 - 28 min read

By John Watts, Lawrence Orans, and 1 more

NAC vendors are expanding their offerings to serve adjacent markets, but most customers rely
on them to increase the visibility of, and control over, user devices on local networks. Security
and risk management leaders must focus on implementing NAC basics, rather than adjacent
functionality.

Overview
Key Findings
■ Most organizations interested in network access control (NAC) are looking to secure users’ and
devices’ access to their network, driven primarily by audit findings or zero trust networking
strategies such as those for comprehensive device visibility and LAN device authentication.

■ NAC is a mature technology, with both commercial and open-source solutions on the market that
provide feature sets to satisfy most organizational needs.

■ NAC vendors differentiate themselves by extending their solutions into adjacent markets, such as
those for asset discovery and management, Internet of Things (IoT) security, ZTNA and enabling
campus network endpoint segmentation.

■ The smaller NAC vendors tend to have a regional presence, focus on midsize and small
organizations, or primarily serve certain sectors, such as education and hospitality.

Recommendations
Security and risk management leaders responsible for network and endpoint security should:

■ Implement NAC products that integrate with the existing network infrastructure, so that the
combined solution is simple to operate, supports automated security responses and lowers the
overall operating overhead of the NAC product.

■ Focus primary evaluation criteria for NAC solutions on vendors’ abilities to meet their
organization’s goals, such as for discovery and device visibility, preconnect or postconnect
authentication, and ease of use, rather than on detailed technical comparisons of solutions.

https://www.gartner.com/doc/reprints?id=1-2934QFQ4&ct=220210&st=sb 1/18

■ Plan a multiphase implementation effort requiring commitment from multiple teams including
executives and networking, endpoint, service desk and security staff — even for organizations that
are only moderately complex.

Market Definition
This document was revised on 2 November 2021. The document you are viewing is the corrected
version. For more information, see the Corrections page on gartner.com.

Commercial NAC providers fall into two categories: pure-play NAC vendors and network
infrastructure vendors.

Pure-play NAC vendors have dedicated solutions that support heterogeneous networking devices.
They provide both open-source products (with paid-for support) and commercial products. Due to
their focus on multivendor support and integration, pure-play NAC solutions integrate with a wide
range of security products, such as firewalls and endpoint protection platforms (EPPs).

Network infrastructure vendors typically use a Remote Authentication Dial-In User Service (RADIUS)-
based method to control devices’ access to a network, combining identity-based user access control
(authentication) with Media Access Control (MAC) authentication for devices that cannot run a
supplicant. IEEE 802.1X is the preferred method of implementation.

Market Description
NAC enables organizations to implement policies and control access to corporate infrastructure by
user devices and cyber-physical devices such as IoT and operational technology (OT) devices.
Policies may be based on authentication, endpoint configuration (posture) or users’ role/identity.
NAC can also implement postconnect policies based on integration with other security products.

A NAC architecture includes the capability to visualize devices connected to the network with passive
or active scanning techniques. It also enforces device and user authentication using enforcement
nodes, such as wireless access points and switches, or out-of-band authentication methods. Once
authenticated, NAC products authorize access and assign users and devices to network segments or
quarantine devices based on their security posture. They can authenticate both corporate-owned and
“bring your own device” (BYOD) devices and assign them to the correct network, either corporate or
guest-internet-access-only networks (see Figure 1).

Figure 1: NAC High-Level Architecture


Organizations looking to evaluate NAC’s technical merits should divide their technical assessments
into six key areas, which are covered in depth in Toolkit: Sample RFP for Network Access Control:

■ Policy server capabilities

■ Visibility and reporting depth and breadth

■ Device security posture check granularity and integration with existing tools

■ Guest management and identity verification

■ Integration with other solutions to orchestrate security responses

■ Total cost of ownership (TCO)

Market Direction

The NAC market continues to provide visibility into, and access control for, organizations’ on-
premises IT infrastructure. However, cyber-physical system (CPS) security needs for IoT and OT
devices continue to drive organizations in sectors such as manufacturing, critical infrastructure and
healthcare to consider CPS-centric security technologies to augment NAC. In addition, organizations
are finding that adjacent technologies such as ZTNA products can enhance their remote and on-
premises security capabilities and augment or even replace NAC products for some narrow use
cases.

Alternatives to NAC Providers


NAC uniquely satisfies multiple security use cases for user and device security on corporate
networks. However, depending on an organization’s need, a combination of different solutions
(highlighted below) in adjacent markets might provide the same features and benefits as those of
NAC providers. It is important for security and risk management leaders to understand the goal of
their NAC implementation in order to determine whether a NAC provider is required or existing
solutions satisfy their requirements.

Zero Trust Network Access (ZTNA)


ZTNA continues to encroach on traditional NAC use cases. As organizations look to
consolidate a secure access service edge (SASE) framework, ZTNA vendors are expanding to control
remote and local campus user-to-application segmentation controls (see 2021 Strategic Roadmap
for SASE Convergence). However, most ZTNA vendors do not handle asset discovery, headless
device access or on-premises guest device wireless access security. Increasingly, NAC vendors are
offering ZTNA products, which may be integrated or completely independent. For more details and a
list of vendors, see Market Guide for Zero Trust Network Access.

Operational Technology Security


Many CPS security vendors exist, and they often focus on a specific industry. They do not fulfill all the
common use cases for NAC, such as corporate and guest laptop access control, and, therefore, may
offer only partial solutions. More often, their solutions are integrated with a NAC solution or existing
network infrastructure to improve device visibility and control where an agent cannot be deployed.
For more details, see Emerging Technology Analysis: Cyber-Physical Systems Security Is an
Opportunity for Security Product Leaders. For a list of IoT- and OT-specific security vendors, see
Market Guide for Operational Technology Security.

Unified Endpoint Management (UEM)


UEM vendors can often provide per-app VPN connections, as well as endpoint security posture
checks. Many of these vendors can control both remote access and local access to applications, as
long as the applications are published, managed and accessed exclusively through their solution.
The most common scenario is for NAC vendors to integrate with UEM vendors for a simple check for
enrollment and compliance, before allowing access to the network. In 2020, UEM vendor Ivanti
acquired NAC capabilities from Pulse Secure. For more details on UEM vendors, see Magic Quadrant
for Unified Endpoint Management.

Market Analysis
Gartner estimates that the NAC market’s revenue in 2020 came to $803 million, up 1.6% from 2019.
This reflects a mature market that is growing slowly, relative to other security markets (see Market
Share: Enterprise Network Equipment by Market Segment, Worldwide, 4Q20 and 2020). The
estimated CAGR for the NAC market for the period 2020 through 2025 is 5.1% (see Forecast:
Enterprise Network Equipment by Market Segment, Worldwide, 2019-2025, 1Q21 Update).

The past few years have brought few new entrants to this market and some consolidation through
acquisitions. In addition to Ivanti’s acquisition of Pulse Secure in 2020, Akamai acquired Inverse in
2021.

Organizations implement NAC solutions to:

■ Pursue a preconnect or postconnect authentication approach. The preconnect authentication
approach can be thought of as a “guilty until proven innocent” model (“default deny”), whereas
postconnect authentication can be considered an “innocent until proven guilty” model (“default
allow”).

■ Gain visibility into on-premises infrastructure-connected devices with the goal of implementing
access policies. These devices include commonly used ones like workstations, laptops, printers, IP
phones, IP cameras and access points, and IoT devices such as OT, medical and building automation
devices. Often, this motivation is driven by audit findings or an overall security strategy requiring
authentication of all devices on a network.

■ Improve management of corporate network access for different types of users, such as
employees, contractors, consultants and guests, using either corporate-owned or user-provided
endpoints.

■ Analyze compliance with a minimum security posture at an endpoint and provide a quarantine
network for devices not in compliance. They may, for example, want to verify that an endpoint has
an EPP installed, and that most critical security patches are installed. As long as those conditions
are not met, the endpoint is allowed access only to a quarantine virtual LAN (VLAN).

■ Enable interoperability with other security solutions. This can be achieved in two ways:
customization through open APIs or the use of built-in integration. NAC solutions increasingly
feature anomaly detection capability to detect infected endpoints and MAC spoofing attempts on
a network. However, integration with other security tools creates a better overall security context
for an organization, which can be used to respond automatically to infected endpoints by
quarantining them and thus preventing the spread of malware.
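The preconnect/postconnect, visibility and posture/quarantine points above describe what a NAC policy server decides on every connection. The Python below is an added illustration of that decision, not Gartner’s text or any vendor’s code: the switch or access point (the NAS) sends a RADIUS Access-Request, the policy server takes the IEEE 802.1X path when an EAP identity is present and the MAC authentication bypass (MAB) path otherwise, checks the minimum posture described in the text, and answers with the RFC 3580 tunnel attributes that place the port in a corporate, IoT, guest or quarantine VLAN. The identity store, MAB allow-list, posture facts and VLAN numbers are constructed for the example.

```python
"""Minimal NAC policy-server decision logic (illustrative example, not a vendor's code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RADIUS tunnel attributes used for dynamic VLAN assignment (RFC 2868, RFC 3580).
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type: VLAN
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type: IEEE-802

# Constructed VLAN plan for this example.
VLAN_CORPORATE, VLAN_IOT, VLAN_GUEST, VLAN_QUARANTINE = 100, 200, 300, 999

# Constructed identity store (802.1X users -> role) and MAB allow-list (MAC -> role).
USERS: Dict[str, str] = {"alice": "employee", "bob": "contractor"}
KNOWN_MACS: Dict[str, str] = {"00:11:22:33:44:55": "printer", "aa:bb:cc:dd:ee:01": "ip-camera"}


@dataclass
class AccessRequest:
    """The parts of a RADIUS Access-Request the policy needs."""
    calling_station_id: str                      # endpoint MAC as reported by the NAS
    eap_identity: Optional[str] = None           # set for 802.1X, None for MAB
    posture: Dict[str, object] = field(default_factory=dict)  # agent/UEM-reported facts


@dataclass
class Decision:
    code: str                                    # "Access-Accept" or "Access-Reject"
    attributes: Dict[str, object] = field(default_factory=dict)
    reason: str = ""


def vlan_attributes(vlan_id: int) -> Dict[str, object]:
    """Reply attributes that make an 802.1X/MAB-capable switch put the port in vlan_id."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": str(vlan_id)}


def posture_ok(posture: Dict[str, object]) -> Tuple[bool, str]:
    """Minimum posture from the text: an EPP is running and critical patches are applied."""
    if not posture.get("epp_running"):
        return False, "no endpoint protection agent"
    if int(posture.get("missing_critical_patches", 0)) > 0:
        return False, "missing critical patches"
    return True, "compliant"


def decide(req: AccessRequest, preconnect: bool = True) -> Decision:
    """Policy decision for one Access-Request.

    preconnect=True is the default-deny model: an unknown device is rejected.
    preconnect=False is the default-allow model: it is admitted to the guest
    VLAN and dealt with after connection.
    """
    if req.eap_identity is not None:
        # 802.1X path; the EAP method is assumed to have verified the credential already.
        role = USERS.get(req.eap_identity)
        if role is None:
            return Decision("Access-Reject", reason="unknown 802.1X identity")
        ok, why = posture_ok(req.posture)
        if not ok:
            # Accept, but only into the remediation VLAN.
            return Decision("Access-Accept", vlan_attributes(VLAN_QUARANTINE), why)
        return Decision("Access-Accept", vlan_attributes(VLAN_CORPORATE), f"{role}: {why}")

    # MAB path: no supplicant, the NAS presents the MAC as the identity.
    role = KNOWN_MACS.get(req.calling_station_id.lower())
    if role is not None:
        return Decision("Access-Accept", vlan_attributes(VLAN_IOT), f"MAB: {role}")
    if preconnect:
        return Decision("Access-Reject", reason="unknown MAC (default deny)")
    return Decision("Access-Accept", vlan_attributes(VLAN_GUEST), "unknown MAC (default allow)")


if __name__ == "__main__":
    for r in (AccessRequest("00:11:22:33:44:55"),
              AccessRequest("de:ad:be:ef:00:01"),
              AccessRequest("de:ad:be:ef:00:02", "alice", {"epp_running": False})):
        d = decide(r)
        print(r.calling_station_id, d.code, d.attributes.get("Tunnel-Private-Group-ID"), d.reason)
```

The practitioner’s caveat is the MAB path: the Calling-Station-Id is whatever the endpoint puts in its source MAC, so a MAB-admitted device has proved nothing. That is why MAB-admitted devices belong in a restricted VLAN and why the anomaly detection and MAC spoofing checks mentioned above matter: profiling should confirm that the device on the port still behaves like the device the allow-list entry was created for.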

NAC deployments remain primarily on-premises undertakings that require hardware or virtual
appliances, but increasingly vendors are extending their management capabilities to the cloud or
providing cloud-based RADIUS services. These offerings provide a way to consolidate management
of distributed NAC implementations through the cloud, rather than over private networks. Some
solutions integrate with additional products or provide brokers that can be deployed to help bridge
on-premises networks and cloud management functions.

Figure 2 shows NAC’s base-level features, optional integrations and emerging use cases.

Figure 2: NAC Features

Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

Market Introduction
The vendors in this Market Guide offer at least the capabilities listed in the Market Definition section
(see Table 1).

Table 1: Representative Vendors in Network Access Control

Vendor                               Product, Service or Solution Name
Akamai (Inverse)                     PacketFence
Auconet                              Auconet Business Infrastructure Control Solution (BICS)
Cisco                                Cisco Identity Services Engine (ISE)
CommScope                            Cloudpath Enrollment System
Extreme Networks                     ExtremeControl; ExtremeCloud A3
Forescout                            Forescout Platform
Fortinet                             FortiNAC
Genians                              Genian NAC
Hewlett Packard Enterprise (Aruba)   Aruba ClearPass
InfoExpress                          Easy NAC; CGX
macmon secure                        macmon NAC
Netshield                            Netshield
Open Cloud Factory                   OpenNAC Enterprise
OPSWAT (Impulse)                     MetaAccess NAC
Portnox                              Portnox CLEAR; Portnox CORE
Pulse Secure (acquired by Ivanti)    Pulse Policy Secure (PPS)

Source: Gartner (June 2021)

Vendor Profiles
Akamai (Inverse)
Akamai acquired Inverse, a privately held company based in Montreal, Quebec, Canada, in February
2021. Inverse manages the PacketFence NAC solution, which is completely free and open-source.
PacketFence is a RADIUS-based solution, and Inverse delivers consulting services and product
support for the software.

PacketFence includes a captive portal for registration and remediation. It uses in-house-developed
Fingerbank technology to leverage profiling capability. The Fingerbank solution is a set of device
fingerprints that identifies endpoints connected to network infrastructure. Inverse provides advanced
auditing capabilities to PacketFence and a cloud version of PacketFence for MSSPs. Updates in
PacketFence over the past year have included improved multitenancy support for MSSPs and
improved Layer 3 replication over high-latency WAN connections, enabling PacketFence to secure
even larger widely distributed networks. Other updates have included roles inheritance with dynamic
access control lists, performance and ease-of-use updates in the administrative GUI, and a live log
viewer that enables real-time display and filtering of PacketFence logs directly in a web browser.
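Fingerbank-style profiling matches a device’s DHCP behaviour against a database of known fingerprints. The Python below is an added illustration of that technique and is not PacketFence or Fingerbank code: it parses the DHCP option field, builds the option 55 (parameter request list) fingerprint, looks it up, and flags a device whose fingerprint contradicts what the MAC’s OUI says it should be, which is the simplest form of the MAC spoofing detection mentioned in the Market Analysis section. The fingerprint database, OUI table and packets are constructed for the example, not taken from any real database.

```python
"""DHCP-fingerprint device profiling with an OUI consistency check (added example)."""
from typing import Dict, Optional

# Constructed fingerprint database: option-55 list (wire order) -> device family.
FINGERPRINTS: Dict[str, str] = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows workstation",
    "1,121,3,6,15,119,252": "Apple macOS/iOS",
    "1,3,6,12,15,28,42": "Network printer",
    "1,3,6,15,28,51,58,59": "Embedded/IoT",
}
# Constructed OUI table: first three octets -> family the manufacturer normally ships.
OUI: Dict[str, str] = {
    "00:11:22": "Network printer",
    "aa:bb:cc": "Embedded/IoT",
}


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option field that follows the DHCP magic cookie.

    Option 0 is a one-byte pad and option 255 ends the list (RFC 2132); a
    repeated option code is concatenated (RFC 3396). Truncated input is an error
    rather than a silently shorter fingerprint.
    """
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def fingerprint(options: Dict[int, bytes]) -> Optional[str]:
    """Canonical fingerprint: the option-55 codes joined by commas, in wire order."""
    prl = options.get(55)
    if not prl:
        return None
    return ",".join(str(b) for b in prl)


def profile(mac: str, dhcp_options: bytes) -> dict:
    """Profile one DHCP message and report whether it contradicts the MAC's OUI."""
    opts = parse_dhcp_options(dhcp_options)
    fp = fingerprint(opts)
    family = FINGERPRINTS.get(fp, "Unknown") if fp else "Unknown"
    expected = OUI.get(mac.lower()[:8])
    hostname = opts.get(12, b"").decode("ascii", "replace") or None
    # A printer OUI that suddenly asks for the Windows option set is the classic
    # sign of a cloned MAC on a MAB-admitted port.
    spoof_suspect = expected is not None and family != "Unknown" and family != expected
    return {"mac": mac, "fingerprint": fp, "family": family, "hostname": hostname,
            "oui_family": expected, "spoof_suspect": spoof_suspect}


def build_options(msg_type: int, prl: bytes, hostname: bytes = b"") -> bytes:
    """Build a DHCP option field; used here only to construct sample packets."""
    opts = bytes([53, 1, msg_type]) + b"\x00" + bytes([55, len(prl)]) + prl  # 53 type, pad, 55 PRL
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname                        # 12 host name
    return opts + b"\xff"                                                    # 255 end


PRINTER_PRL = bytes([1, 3, 6, 12, 15, 28, 42])
WINDOWS_PRL = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])

if __name__ == "__main__":
    print(profile("00:11:22:aa:bb:cc", build_options(1, PRINTER_PRL, b"prn-3f")))
    print(profile("00:11:22:aa:bb:cc", build_options(3, WINDOWS_PRL, b"DESKTOP-X1")))
```

DHCP fingerprints are evidence, not proof: a determined attacker can clone the parameter request list as easily as the MAC, so a mismatch should raise an alert and a post-connect policy change rather than being the only control. Real databases also fold in option 60 (vendor class), the DHCPv6 equivalents and other protocols, which the text’s vendors describe as combining many profiling methods.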

Auconet
Auconet is a privately held company with headquarters in Germany and sales and consulting teams
in Western Europe, Eastern Europe and North America. It has been delivering NAC solutions since
2005. It has integrated NAC security and network troubleshooting capabilities into one solution for
operations and security use cases for heterogeneous networks. Auconet works directly with global
enterprises and with managed security service providers (MSSPs) that offer large-scale, multitenant,
managed NAC services.

The Auconet Business Infrastructure Control Solution (BICS) is deployed most commonly as an
agentless solution, using Layer 2 MAC-based authentication alongside its RADIUS-based policy
server, which supports the native 802.1X supplicants embedded in most OSs. Auconet also offers an
optional permanent agent for Windows, UNIX/Linux and macOS. BICS is available as a hardware
appliance, a virtual appliance and SaaS. Endpoint visibility can also be enhanced through integration
with Wi-Fi vendors. In the past year, Auconet BICS has increased its scalability to secure up to
1 million endpoints per appliance. It has also improved its integration with BICS Asset Management
(providing detailed visibility for IT and OT infrastructure), and its integration with third-party systems
to provide detailed endpoint, asset and life cycle information.

Cisco
Cisco’s Identity Services Engine (ISE) is based on the IEEE 802.1X standard. Cisco supports multiple
authentication methods, such as software agents (supplicants), web authentication, VPN, passive
identity, SAML single sign-on and preshared keys (PSKs). ISE is available in hardware appliances, as
a virtual server and as a public cloud IaaS instance (Amazon Web Services [AWS]). ISE is one of the
most popular NAC solutions. Through its pxGrid framework, Cisco integrates with its own security
products and with third-party solutions. pxGrid enables ISE to share alerts and contextual information
between other security products to increase visibility and enable informed policy decisions. Cisco
packages its NAC agent (supplicant) with its AnyConnect endpoint bundle.

Cisco ISE can function as a stand-alone NAC solution or as part of a software-defined access (SDA)
solution through its integration with the Cisco DNA Center for automated and unified policy
enforcement (SDA is a software-defined network solution designed for campus networks). In the
past year, Cisco has introduced AI Endpoint Analytics — an AI-enhanced endpoint enumeration,
classification and inventory solution. AI Endpoint Analytics requires the DNA Center and ISE and is
positioned as a value-added feature of SDA. Cisco has also improved some usability features by
introducing guided workflows for advanced tasks, thus easing the administration of some ISE
configurations. Finally, Cisco has increased API support and usability in ISE version 3.0 and
introduced the capability to deploy agentless NAC via endpoint profiling.

CommScope
In 2017, ARRIS acquired Ruckus Wireless; and, in 2019, CommScope acquired ARRIS. CommScope
offers the Cloudpath Enrollment System, which provides NAC functionality for guests, BYOD users,
and IT-owned and IT-managed devices. The Cloudpath Enrollment System supports a variety of
network authentication protocols, including IEEE 802.1X for both wired and wireless networks. It also
uses dynamic preshared keys, a CommScope-patented technology that provides enhanced security
features and a better user experience than conventional PSKs.

Cloudpath Enrollment System is available as a virtual machine for on-site deployment or as SaaS.
The service works well for existing Ruckus Wireless customers and for customers with standards-
based networking equipment from other vendors. The Cloudpath Enrollment System has proved
popular with midsize and large businesses, and in verticals such as education. A recently added
tenant-onboarding portal is targeted at the multidwelling unit (MDU) sector.

Extreme Networks
Extreme Networks is based in San Jose, California, U.S. In addition to ExtremeControl (NAC), it offers
other security products (such as Extreme AirDefense from the Zebra Technologies acquisition,
ExtremeGuest for guest wireless security and analytics, and Extreme Defender for IoT, which secures
IoT devices when they connect to the network). Extreme Networks acquired Aerohive Networks in
August 2019 and now offers a cloud-managed NAC (ExtremeCloud A3) in addition to its on-premises
product (ExtremeControl). Extreme Networks targets its NAC solutions at its installed base of
customers, although the solutions can also support non-Extreme Networks environments.

Extreme Networks’ NAC offerings are AAA- and RADIUS-based solutions that are available via
multiple delivery models. Extreme Networks’ tight integration of its NAC solution with its unified
wired/wireless product family enables granular policy enforcement. Policies may permit, deny, apply
quality of service (QoS), rate limit and implement other controls to traffic, based on user identity,
time, location, end system and user group. In addition, Extreme Networks offers virtual machine (VM)
management by applying policy on a virtual switch (vSwitch) and physical switches to manage VM
access through VMware and OpenStack integration. In 2020 and 2021, Extreme Networks added
several enhancements to its NAC solutions. For the on-premises ExtremeControl product, it added a
REST API for Guest and IoT Manager. It also introduced a new test tool to test end-system
connectivity (to simplify troubleshooting). For ExtremeCloud A3, it added network anomaly detection
based on device fingerprinting. It also added Windows Management Instrumentation (WMI)
integration and the ability to test WMI scans.

Forescout
Forescout is a privately held company based in San Jose, California, U.S. The company sells its
Forescout Platform (formerly known as CounterACT) for device visibility and control use cases. It is
one of the most popular NAC solutions. The Forescout Platform consists of multiple products:
eyeSight, eyeSegment, eyeControl, eyeExtend and eyeInspect (formerly SilentDefense). Forescout’s
platform can be deployed on hardware, virtual appliances and public clouds (AWS and Microsoft
Azure) in midsize and large deployments.

Although Forescout offers optional agents and IEEE 802.1X support, its agentless and non-802.1X
approach provides granular device visibility, security posture assessment and endpoint enumeration
for Windows, macOS, Linux, IoT and OT devices across heterogeneous networks. Forescout has
integrated eyeSegment and eyeInspect to provide a solution for endpoint enumeration and
segmentation within OT and hybrid IT/OT environments. With the release of version 8.2, Forescout
has overhauled its UI with enhanced security alerting and device inventory views. Forescout provides
a series of eyeExtend modules and crowdsourced Connect apps that share contextual information
and automate workflows with third-party products. Via these modules, eyeControl can be configured
to automatically enforce policy (for example, by removing an endpoint from a network) in response to
alerts from advanced threat detection (ATD), vulnerability assessment, endpoint detection and
response, security information and event management (SIEM), and other IT and security products.
Forescout continues to partner with companies such as Medigate, ServiceNow and Arista Networks
for specialized IoT and OT use cases.

Fortinet
FortiNAC is Fortinet’s NAC product and part of the Fortinet Zero Trust Access suite of products. It
fully integrates with Fortinet’s Security Fabric. FortiNAC can be deployed as a hardware appliance, a
virtual appliance, or in a public cloud. FortiNAC’s API support has enabled it to partner with many
other third-party solution providers to share contextual information and configure network devices.
FortiNAC supports the IEEE 802.1X standard, although it is not reliant on it for discovery or
enforcement. FortiNAC can operate in an agentless mode. FortiNAC can discover endpoints via
inputs from RADIUS, command line interface (CLI), Simple Network Management Protocol (SNMP),
syslog, mobile device management (MDM), Dynamic Host Configuration Protocol (DHCP) and
Lightweight Directory Access Protocol (LDAP) sources. FortiNAC supports up to 20 endpoint
profiling methods and compound profiling rules, which increases the efficacy of endpoint detection
in the absence of an agent. FortiNAC also supports anomaly detection and automated response.
FortiNAC supports profiling capabilities with secure Windows Management Instrumentation (WMI),
secure Windows Remote Management (WinRM), Microsoft Intune, Google Workspace, and passive
traffic scanning leveraging FortiGate Next-generation Firewalls (NGFWs) as traffic sensors.

In its most recent release (version 9.1), Fortinet completed a complete GUI rewrite to make FortiNAC
look and feel like a native component of FortiOS. FortiNAC’s captive portal for guest access was
recently updated and now supports social media account logins for authentication. FortiNAC was
also recently enhanced with greater integration with FortiEDR as part of Fortinet’s push for full
product integration across its portfolio via the Fortinet Security Fabric.

Genians
Genians, which was founded in 2005, has its headquarters in South Korea and a global business
office in San Jose, California, U.S. Genians’ flagship solution, Genian NAC, is a sensor-based NAC
offering that can host its management/policy component in the cloud or on-premises. Genian NAC
stands out for its device detection capabilities through its Device Platform Intelligence (DPI) feature,
which provides visibility by adding business context information (such as a device’s end of life
[EOL]/end of support [EOS] status, manufacturer or vendor viability). Genian NAC monitors the life
cycle of all IP-enabled devices based on Layer 2/Layer 3 protocols and other sources of information
to enrich the device profile. The profile database is passed to a DPI cloud for validation, which
shares new profiles with other Genians customers.

Genian NAC achieves access control using Address Resolution Protocol (ARP) enforcement, TCP
reset by switched port analyzer (SPAN) port, RADIUS/DHCP server and agents. Genian NAC also
integrates with several IT security and business solutions for unified policy enforcement. In 2020 and
2021, Genians made multiple improvements to its NAC product. For example, it added the Genians
ZT-NAC Network Traffic Analysis feature. It collects IP flow data from a customer’s network
infrastructure, which provides visibility into traffic patterns, applications and destinations. Also, the
company added the Genians Endpoint Detection and Response feature. Using agent plug-ins,
information is collected from endpoints and sent to the policy server, where it is used for threat
detection. Policy enforcement is achieved via the mechanisms noted above.

Hewlett Packard Enterprise (Aruba)


Hewlett Packard Enterprise (HPE) offers the Aruba ClearPass suite of network access solutions,
including Aruba ClearPass Device Insight and Aruba ClearPass Policy Manager. ClearPass Device
Insight provides enhanced visibility based on AI-powered capabilities in order to perform automatic
classification of unknown devices based on deep packet inspection (DPI)-based discovery and
profiling of devices. Aruba ClearPass Policy Manager offers enforcement and role-based access
control through both RADIUS and non-RADIUS options for user, server and OT/IoT devices, as well as
Terminal Access Controller Access-Control System Plus (TACACS+) for device management
authentication. Deployment options include hardware and virtual appliances, with virtual appliance
support for public cloud IaaS.

The latest version of ClearPass (6.8) adds enhanced endpoint posture analysis, which enables a fully
agentless NAC solution. Aruba ClearPass has also improved the integration between ClearPass
Device Insight and Aruba ClearPass Policy Manager for a more seamless user experience. ClearPass
also supports over 150 third-party products via the Aruba 360 Secure Fabric. In April 2021, Aruba
ClearPass was integrated with the Aruba EdgeConnect SD-WAN edge platform, acquired with Silver
Peak. This extends dynamic segmentation capabilities and embedded enforcement via integration
with the Aruba Policy Enforcement Firewall across wired, wireless LAN and SD-WAN connections
using the same roles and policies.

InfoExpress
InfoExpress is a privately held company, based in Santa Clara, California, U.S., focused on providing
two NAC solutions. The Easy NAC solution uses appliances and inexpensive extenders to quarantine
devices for highly distributed organizations without agents or network changes using ARP
enforcement. The CGX solution offers multiple enforcement options for more complex networks,
including RADIUS for 802.1X, in-line (typically used for VPN implementations) and agent-based
Dynamic NAC (DNAC).
Both solutions include hardware or a virtual appliance option, and support Windows, macOS and
Linux agents. The NAC solutions correlate data from multiple sources, such as Microsoft Active
Directory, enterprise servers, syslog, Nmap, MDM and agents to support NAC policies. In addition,
Easy NAC can integrate with leading endpoint protection platforms and patch management solutions
to provide agentless compliance checks, as well as quarantine devices based on simple email alerts
or syslog from third-party vendors like SIEM or advanced persistent threat (APT) solution providers.
Updates in the past year have included zero-day behavioral detection and remediation by monitoring
unusual ARP behaviors, in-line enforcement with Easy NAC, high-availability configurations, and
improved integration with EPP and patch management solutions for agentless compliance checks.
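Several vendors in this guide (InfoExpress, Genians, Netshield) enforce without agents or switch changes by answering ARP: the enforcer tells a quarantined host that the default gateway lives at the enforcer’s own MAC, so the host’s off-segment traffic lands at the enforcer instead of the router. The same frame, seen from any host that is not the enforcer, is the “unusual ARP behaviour” a NAC sensor should flag. The Python below is an added illustration of both sides and is not InfoExpress, Genians or Netshield code; all MAC and IP addresses are constructed, and the frames are only built and parsed in memory, never sent.

```python
"""ARP-based quarantine enforcement and gateway-impersonation detection (added example)."""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame (dst, src, type) carrying an ARP packet per RFC 826, without FCS."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)        # sender hardware/protocol address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)        # target hardware/protocol address
    return eth + arp


def quarantine_reply(enforcer_mac: str, gateway_ip: str, victim_mac: str, victim_ip: str) -> bytes:
    """Enforcement: a unicast reply telling the quarantined host the gateway IP is at the enforcer."""
    return build_arp(ARP_REPLY, enforcer_mac, gateway_ip, victim_mac, victim_ip)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Sensor side: alert when an IP already bound to one MAC is claimed by another.

    Pinned entries (e.g. the gateway) are seeded from configuration so the very
    first impersonation is caught rather than learned as truth.
    """

    def __init__(self, pinned: Dict[str, str]):
        self.table: Dict[str, str] = {ip: mac.lower() for ip, mac in pinned.items()}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting: learn it
            return None
        if known != mac:
            alert = f"{ip} claimed by {mac}, previously {known} (op={pkt['op']})"
            self.alerts.append(alert)
            return alert
        return None


if __name__ == "__main__":
    watch = ArpWatch({"10.0.0.1": "02:00:00:00:00:01"})
    frame = quarantine_reply("02:00:00:00:00:ee", "10.0.0.1", "02:00:00:00:00:42", "10.0.0.42")
    print(len(frame), "bytes:", parse_arp(frame))
    print("alert:", watch.observe(frame))
```

Two practitioner caveats follow from the code. ARP enforcement only works on a host that honours unsolicited ARP replies; a static ARP entry for the gateway, or a host on the far side of a router, defeats it, which is why the vendors above pair it with switch-port shutdown or quarantine VLANs where the network allows. And the detection side cuts both ways: a sensor that cannot distinguish the legitimate enforcer from an attacker will alert on its own NAC, so the enforcer’s MAC must be whitelisted in the sensor, and a gateway MAC change that is not the enforcer is the event that warrants a response.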

macmon secure
Macmon secure was founded in 2003 in Berlin, Germany with a focus on NAC in the European
market. Macmon provides a management appliance that can be hosted on-premises or in a public
cloud and has a Common Criteria (EAL2+) certification. The offering is based on SNMP and 802.1X
and includes support for guest management and BYOD. Macmon offers topology mapping, endpoint
device security, integrated RADIUS, VLAN management and guest services as part of the macmon
Network Bundle. The macmon Premium Bundle includes compliance reporting and management.
Add-on modules include Past Viewer to enable forensic analysis of endpoint authentication and
access events, Switch Viewer to assess switch health across a network, and scalability modules.

Macmon focuses its NAC on simplicity and ease of use, particularly for small and midsize
businesses (SMBs) and large European organizations with heterogeneous environments. Macmon
supports integrations with technology partners such as Barracuda, Check Point Software
Technologies, FireEye, F-Secure, Greenbone Networks and Sophos. Recently, macmon released
enhanced secure authentication to identify endpoints based on cryptographic methods, the ability to
integrate with cloud-based switch management solutions via API, and a new service delivery
platform with an identity and access management offering to secure remote access.

Netshield
Netshield offers a small-business-focused solution with monthly subscription and management
options optimized for MSSPs. Targeting networks up to 4,000 assets, Netshield’s solution can be
deployed virtually or via a hardware appliance. It is a non-in-line solution featuring agentless endpoint
discovery to ensure instant identification of all network devices, including IoT and BYOD devices.

Beyond asset detection, devices that are not trusted, or those that attempt to contact known
malware or phishing sites, are blocked using an ARP poison methodology. Additionally, switch ports
can be shut off and devices moved to a quarantine VLAN via SmartSwitch integration. Netshield also
has an onboard auditing engine to identify common vulnerabilities and exposures. Upon successful
deployment and auditing, Netshield offers the first cyberinsurance of its kind to U.S. customers, with
coverage up to $250,000 at no extra cost to the customer.


Open Cloud Factory


Based in Spain, Open Cloud Factory focuses on both IT and OT environments. It targets midsize
businesses, mostly in Europe and Latin America. Its OpenNAC Enterprise solution is offered as a
virtual appliance hosted on-premises, in the public cloud or as a hybrid cloud. The solution has the
flexibility to mix and match active and passive discovery and profile mechanisms. The core policy
engine is primarily based on 802.1X, although sensors can be implemented to provide passive asset
discovery. OpenNAC Enterprise is certified by the Spanish National Cryptology Centre (CCN). The
solution integrates with third-party security offerings, such as SIEM, network firewall and MDM
solutions, through RESTful APIs.

The modular design of OpenNAC Enterprise gives organizations the flexibility to pay only for the
functionality they require. The solution includes seven modules: Visibility, Secure BYOD Adoption,
Compliance (endpoint and Layer 2 to 4 device configuration compliance), Network Segmentation,
Universal Network Access Control, S2SRA Secure Remote Access and Guest Access Control. For the
authentication process, it can integrate with multiple LDAPs and directories, and it may also include a
second factor authentication. In 2020, Open Cloud Factory integrated with Fortinet and several other
SD-WANs, so that OpenNAC Enterprise can share asset information (real-time, centralized
configuration management database [CMDB]/inventory) to automate routing and filtering rules. The
company also introduced a secure remote access module (2SRA) that gives visibility into traffic
flowing to and from a network over VPN connections (it can complement existing VPN deployments,
in addition to offering an alternative).

OPSWAT (Impulse)
OPSWAT is based in Tampa, Florida, U.S. It was founded in 2002 with a focus on protecting critical
infrastructure. OPSWAT MetaAccess NAC (formerly SafeConnect, an offering acquired in 2019 with
Impulse) is offered as a virtual instance, either on-premises or in the cloud, with remote managed
services. The services include system monitoring, problem determination and resolution, daily
updates to device type, antivirus and OS profiling recognition, and remote backup of policy
configuration data.

MetaAccess NAC offers 802.1X and non-802.1X RADIUS-based policy enforcement options at Layer
2 or Layer 3. This solution can be agentless, enabling visibility, assignment and blocking of
unauthorized devices. Optionally, it can include a lightweight agent to provide real-time posture
assessment of a device. Recent updates include integration with MetaAccess Advanced Endpoint
Protection, to provide deeper compliance checks, vulnerability and patch management, and
multiscanning technology. A new focus has been to support OT environments with Precision Time
Protocol (PTP) switch integration, a common requirement in critical infrastructure industries.

Portnox
Portnox is a pure-play NAC vendor that operates mainly in the Americas and EMEA. It typically
targets midsize and larger enterprises. The company offers two NAC solutions: Portnox CORE and
Portnox CLEAR.

Portnox CORE is an on-premises solution implemented via software or virtual appliances as an
agentless solution based on endpoint discovery. When Portnox CORE detects that a device has
connected to a network, it checks the device’s risk posture and applies the appropriate policy to the
network access point (for example, a LAN switch or wireless access point). Portnox CORE can also
extend access control capabilities to IoT devices.

Portnox CLEAR is a cloud-delivered NAC-as-a-service offering with foundational technology based on
802.1X and a RADIUS server hosted in the cloud. Portnox CLEAR offers integrations with cloud
authentication directories such as Microsoft Azure, Google Workspace and Okta. It also includes a
self-enrollment onboarding portal (agentless) or a dedicated agent supporting iOS, Android,
Windows, Linux and macOS devices. Using dynamic policies, Portnox CLEAR enables organizations
to profile and authenticate connected inventory and its owners (managed devices, IoT devices or
BYOD devices) and to authorize access to networks or subset VLANs. In 2020 and 2021, Portnox
enhanced its CLEAR service by adding certificate life cycle management and TACACS+ services. To
strengthen CLEAR’s appeal to managed service providers (MSPs), Portnox upgraded its multitenant
management functionality.

Pulse Secure (acquired by Ivanti)
Pulse Secure (acquired by Ivanti) was created in 2014 when private equity firm Siris Capital acquired
the Junos Pulse product line from Juniper. In December 2020, Ivanti announced that it had acquired
Pulse Secure and MobileIron to enhance its endpoint management and zero trust portfolio. In
addition to its NAC solution, Pulse Policy Secure, the company offers its Pulse Access Suite of
integrated Connect Secure (VPN), Pulse Zero Trust Access (PZTA), Virtual Application Delivery
Controller (vADC) and a mobile security solution. The Pulse Policy Secure NAC solution is RADIUS-
based, inclusive of 802.1X, MAC authentication, TNC, SNMP, TACACS+ and other standards. It is
available as a family of hardware and virtual appliances. Pulse Policy Secure supports integrated
NAC, zero trust access and VPN access in a heterogeneous network infrastructure.

Pulse Secure (acquired by Ivanti) works with a broad range of security and network products. It offers
a central management console, including one agent for its portfolio (VPN, zero trust access, NAC and
mobile management) and enhancement in the profiling feature. Pulse Secure’s NAC product includes
user and entity behavior analytics (UEBA) anomaly detection, alert-based integration with Nozomi
Networks for OT threat detection and response, agentless profiling, and support for hosting Pulse
Policy Secure in Azure and AWS. As part of Ivanti, the product will continue to gain capabilities by
integrating with Ivanti Neurons for Discovery to strengthen its support for IT and OT convergence use
cases.

Market Recommendations
Organizations should focus on integration with existing infrastructure, total implementation cost,
alignment with organization type (size and industry) and vendors to distinguish between solutions.
Most organizations only need to implement a single NAC solution and therefore should seek to
consolidate if multiple NAC solutions exist within their environment. Multiple NAC solutions generally
occur as a result of mergers and acquisitions or complex organizations making independent buying
decisions.

Given the range of solutions available, we recommend that you:

■ Focus on vendors that target organizations of your size and complexity and, in some instances,
industry or region. Because NAC is a mature market, many vendors are clearly aligned with SMB
and large-enterprise opportunities or specialize in certain industries and regions such as Europe
and Southeast Asia.

■ Align NAC projects with any zero trust security architecture initiative, as NAC can be a primary
means of achieving device visibility and a default-deny approach for devices connected to internal
networks.

■ Undertake an initial network inventory before selecting a NAC vendor. This will influence your
decision, based on the capabilities of your network switches and routers. It will also help with
budgeting, as many NAC vendors license on the basis of the number of IP addresses protected.

■ Determine which UEM solutions are already installed on the network in order to identify providers
that have direct integration with existing UEM solutions.

■ Implement NAC to deliver visibility (for example, into which devices are connected to your
network) and control (allow or deny access) over your corporate network. Integrate with existing
asset management solutions bidirectionally to help maintain an accurate list of devices connected
to your organization.

■ Use the postconnect functionality of your NAC solution. Most NAC products integrate with
multiple security products. Configure NAC to automatically enforce policy when your threat
detection solution (for example, a network sandbox) alerts that an endpoint has been
compromised. NAC can automatically remove an endpoint from the network, or it can enforce
another policy that limits an endpoint’s ability to communicate externally.
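The postconnect bullet above describes two distinct responses (remove the endpoint from the network, or leave it connected but limit its external communication), and several vendor sections earlier in this guide mention the underlying mechanism: 802.1X/RADIUS sessions that can be moved to another VLAN. The following is an added example, not code from Gartner or from any vendor in this guide, of the decision logic a NAC would apply when a threat-detection product raises an alert. It assumes the NAC can push a new authorization to the access switch or wireless AP with a RADIUS Change-of-Authorization request (RFC 5176) carrying either the dynamic VLAN attributes from RFC 3580 or a named ACL in Filter-Id (RFC 2865); the inventory, the alert lines, the quarantine VLAN id and the ACL name are constructed sample values.

```python
"""Postconnect NAC enforcement driven by threat-detection alerts.

Added example, not code from Gartner or any vendor in this guide. It assumes the
NAC can push a new authorization to the access switch or AP with a RADIUS
Change-of-Authorization (CoA, RFC 5176) request that carries either the dynamic
VLAN attributes from RFC 3580 (quarantine) or a named ACL in Filter-Id
(RFC 2865) that limits the endpoint's external communication (restrict).
The inventory and alerts below are constructed sample data.
"""
from dataclasses import dataclass, field
import json

# Attribute values from RFC 2868 / RFC 3580 used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type = IEEE 802

QUARANTINE_VLAN = 999          # assumed remediation VLAN id
RESTRICT_ACL = "no-internet"   # assumed ACL name provisioned on the switches

# Constructed inventory built by the NAC's discovery: MAC -> attachment point.
INVENTORY = {
    "00:11:22:33:44:55": {"host": "lab-pc-01", "nas_ip": "10.0.0.2", "port": "Gi1/0/7"},
    "66:77:88:99:aa:bb": {"host": "hvac-ctrl-3", "nas_ip": "10.0.0.3", "port": "Gi1/0/12"},
}

# Constructed alerts, one JSON object per line, as a sandbox or NDR might emit.
SAMPLE_ALERTS = """\
{"mac": "00:11:22:33:44:55", "severity": "high", "verdict": "malware"}
{"mac": "66:77:88:99:AA:BB", "severity": "medium", "verdict": "suspicious-egress"}
{"mac": "de:ad:be:ef:00:00", "severity": "high", "verdict": "malware"}
"""


@dataclass
class Action:
    action: str                      # "quarantine", "restrict" or "none"
    mac: str
    nas_ip: str                      # switch or AP that holds the session
    port: str
    attributes: dict = field(default_factory=dict)


def vlan_attributes(vlan_id):
    """RADIUS attributes that move an 802.1X/MAB session to another VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def decide(alert, inventory):
    """Map one alert to an enforcement action; None when the MAC is not in inventory."""
    mac = alert["mac"].lower()
    ep = inventory.get(mac)
    if ep is None:
        return None
    if alert["severity"] == "high":
        # Remove the endpoint from the production network.
        return Action("quarantine", mac, ep["nas_ip"], ep["port"], vlan_attributes(QUARANTINE_VLAN))
    if alert["severity"] == "medium":
        # Keep it on its VLAN but stop it talking externally.
        return Action("restrict", mac, ep["nas_ip"], ep["port"], {"Filter-Id": RESTRICT_ACL})
    return Action("none", mac, ep["nas_ip"], ep["port"])


def coa_request(action):
    """Attributes of the CoA-Request the NAC would send to action.nas_ip (RFC 5176)."""
    req = {"Calling-Station-Id": action.mac, "NAS-IP-Address": action.nas_ip}
    req.update(action.attributes)
    return req


def process_alerts(raw, inventory):
    """Return (actions to enforce, MACs that were unknown to the inventory)."""
    actions, unknown = [], []
    for line in raw.strip().splitlines():
        alert = json.loads(line)
        act = decide(alert, inventory)
        if act is None:
            unknown.append(alert["mac"].lower())   # feed back into discovery
        elif act.action != "none":
            actions.append(act)
    return actions, unknown


if __name__ == "__main__":
    acts, unk = process_alerts(SAMPLE_ALERTS, INVENTORY)
    for a in acts:
        print(a.action, a.mac, "->", coa_request(a))
    print("unknown endpoints:", unk)
```

The unknown-MAC path is the one to watch: an alert for a device the NAC has never seen is a visibility gap, not just a missed enforcement, which is why the bullet on bidirectional asset-management integration and this one belong together.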

Clients should evaluate which security solutions their organization is using to see if they exist in the
list of built-in integrations available from the NAC vendor. This simplifies integration, as it saves
having to build your own integrations using the available APIs. In addition, future security roadmaps may
dictate deployment of adjacent features, such as SASE frameworks including ZTNA features. ZTNA
addresses some narrow NAC use cases for user-to-application segmentation and may influence the
overall scope of a NAC implementation when considering both remote and on-premises security
authentication and authorization policies for devices and users.

Acronym Key and Glossary Terms

Cyber-physical systems (CPSs): Engineered systems that orchestrate sensing, computation, control,
networking and analytics to interact with the physical world (including humans) and enable safe,
real-time, secure, reliable, resilient and adaptable performance.

Unified endpoint management (UEM): A set of offerings that comprise mobile device management
(MDM), modern management of traditional endpoints (PCs and Mac) and integration with client
management tools (CMTs) and processes.

Zero trust network access (ZTNA): Products that create an identity- and context-based, logical access
boundary around an application or set of applications. The applications are hidden from discovery,
and access is restricted via a trust broker to a set of named entities. The broker verifies the identity,
context and policy adherence of the specified participants before allowing access.

Note 1
Representative Vendor Selection
The vendors listed in this Market Guide are representative of the network access control market. We
did not include vendors where the NAC solution is sold as a feature of other products.

Note 2
Gartner’s Initial Market Coverage
This Market Guide provides Gartner’s initial coverage of the market and focuses on the market
definition, rationale for the market and market dynamics.

© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written
permission. It consists of the opinions of Gartner's research organization, which should not be construed as
statements of fact. While the information contained in this publication has been obtained from sources believed to
be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment
advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any third party. For
further information, see "Guiding Principles on Independence and Objectivity."
