Examples of usage

Figure to illustrate the functionality of the PNAC-solution: Internal employees / devices:

Often there are troubles if an employee has to temporarily change his working place within the company, for example from the office area to the secure production department. With hs2n PNAC and its dynamic VLAN-matching this is easy to manage.

The MAC address of the connected device is send to a switch which forwards the address to a RADIUS server. The mapping of the VLANs for this MAC-address is verified by the configuration management database (CMDB) which is synchronized with the high-available radius-database. The concerning VLANs are sent back to the switch and are assigned to the newly connected hardware.

The access control is independent of place, switch and port. Therefore an employee has the same access rights no matter where he/she is connected. This is a high advantage for example during meetings and presentations.

Furthermore a check of installed updates, patches and virus patterns will be done on the connected device. If this check is negative the hardware will be moved into a quarantine-VLAN. A client agent will recognize this, force, if permitted, an update function and inform the administrator. As soon as the network device is up to date again, it will be automatically moved into the regular network.

External persons / devices

Because of security reasons external people often have no access to the internal company network, but they might need data out of it.

hs2n PNAC simplifies the management of external devices. If a person (customer, guest, sales representative, etc.) doesn’t need internal access, the device will not be registered. So after connecting the device to the network, it won’t be recognized as privileged and it will be automatically moved into a guest VLAN, which only provides internet access.

If the person needs access to the internal network, permissions have to be set once. But these permissions are isolated and minimized so that no damage will be caused (for example because of viruses).

Because of the hardware identification (e.g. via MAC address) these permissions can be defined by assigning different VLANs (Virtual Local Area Network). If the hardware is connected to a network (LAN or WLAN), it will be identified, checked and automatically assigned to a VLAN, without bothering the administrator.