Guest Networking & Role Based Access Control


Guest Networking Made Easy

ForeScout CounterACT can automatically provide network access for guests and contractors, without compromising your internal network security. Automation relieves your IT staff from administrative burden.

Challenges of Guest Networking

When guests or contractors come to work at your location, they bring their own computers. To remain productive, they need to access the Internet. The contractors you hire may need more than Internet access, they may need access to certain resources on your network. For example, auditors need access to the financial records and accounting systems.

If you leave network ports in conference rooms and work cubes in the “open” state, guests may access your network by simply plugging into the wall. However, this is dangerous because the guest’s device might have malware on it, and the guest may try to access sensitive data on your network.
IT risk management is about minimizing the probability of data loss through security breaches. One way to solve the security problem is to keep your network ports closed by default. But this places a large burden on your IT staff who will need to manually open the ports and create temporary accounts for each guest.

Another solution is to purchase a dedicated external Internet connections for use by guests. But this solution is expensive and inflexible.

ForeScout CounterACT solves these problems.


  • Guest registration. ForeScout CounterACT includes a built-in automated process which allows guests to register for access to your network without compromising your internal network security. CounterACT includes several guest registration options allowing you tailor the guest admission process to your organization’s needs.
  • Automated guest detection. ForeScout CounterACT has several built-in mechanisms which allow it to distinguish guests (or unknown devices) from corporate (or known) devices.  These mechanisms include:
    • Did the device successfully authenticate with your directory (802.1X, LDAP, RADIUS, Active Directory, Oracle or Sun)?
    • Does the device match a known whitelist?
    • Is the device connecting from a known MAC and IP pair?
    • Is there a “watermark” on the device?
    • Is the device running a specific process?
    • Is there a specific registry key?
  • Registration approval. ForeScout CounterACT can automatically approve guest registration requests, or the request can be routed to one or more individuals in your organization for approval.
  • Guest verification. Once a guest’s registration has been approved, ForeScout CounterACT can verify the identity of the guest by sending a one-time verification code to their email address or to the mobile phone number they entered in their registration form. The user is requested to enter the code before attempting to login.
  • Role-based access. After admitting a guest device onto the network, CounterACT will limit network access as defined within the CounterACT policy engine. The level of access may be:
    • Internet-only
    • Full network access
    • Limited network access based on who the guest is (e.g. a particular contractor)
  • Pre-admission inspection. ForeScout CounterACT can optionally inspect each guest user’s device to ensure that it is compliant with your security policies prior to allowing it onto your network.
  • Continuous monitoring. Once CounterACT admits an endpoint onto your network, CounterACT continuously monitors the endpoint to ensure that it remains compliant with your security policies and uninfected.
  • Built-in reports. See who has been on your network, which days, and where they were.
  • ControlFabric Integration. The information generated by ForeScout CounterACT can be exported to your existing GRC or reporting systems. Integrations are available for most leading SIEM systems, and end-users can build custom integrations with the Open Integration Module.


  • Improved productivity: ForeScout CounterACT allows guests and contractors to work efficiently while they are on your premises. CounterACT granst the right level of network access to each person and device, without intrusive intervention or software installation.
  • Improved visibility: ForeScout CounterACT lets you see who has been on your network, which days, and where they were connecting.
  • Better security: ForeScout CounterACT has three mechanisms to ensure that guests do not threaten the security of your network:
    1. CounterACT limits guest access, preventing them from accessing sensitive resources
    2. CounterACT can ensure that guest devices meet your security policies while they are connected to your network
    3. CounterACT can continuously monitor guest systems to ensure that they do not attack your network.
  • Cost savings: ForeScout CounterACT lets you eliminate manual labor associated with opening or closing network ports for guest access. If you have been dedicating separate Internet connections for use by guests, you can decommission these lines and save money.

Product Tours

Product Demonstrations

Guest Network Management

Watch how ForeScout CounterACT lets IT managers control who can access a network, and limit network access for security purposes.

Product Screenshots

Click image to enlarge.

Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Compliance Corporate Host

ForeScout CounterACT gives you real-time visibility to who is on your network, including the location and security posture of guest computers.