Network Access Control & NAC Solutions


The Problem

Today’s enterprise networks contain a vast and increasing range of devices—traditional computers, mobile devices, industrial controls, virtualized servers, and cloud-based applications, among other things. This diversity will only accelerate as hybrid IT environments and the “Internet of Things” become the norm. Outdated network access control policies, such as “block everything that is not owned by the organization,” stifle business productivity by increasing help-desk call volumes and creating more business disruption. To roll out an efficient and effective network access control system, IT security managers need the following:

  • Network device visibility and information. This must include device type, user identity and role, device location, and the device's level of compliance with organizational security policies.
  • A flexible and granular policy engine combined with a range of control options. This includes the ability to configure the NAC product to provide the right action for each situation automatically, without the need for human involvement.

The ForeScout Solution

ForeScout CounterACT™ gives real-time visibility to users, devices, operating systems and applications that are connected to the network. CounterACT incorporates a comprehensive, high-performance host interrogation engine and provides an abundance of information about what is on that network.

Unlike legacy NAC products, which use heavy-handed controls that disrupt users without ensuring response, ForeScout CounterACT provides an extensive range of automated controls that preserve the user experience and keep businesses running to the maximum extent possible. These automated controls include:



User Enforcement and Education
  • Open trouble ticket
  • Send email to user or administrator
  • Create traps
  • Syslog
  • Personalized web message (network use policy, self remediation, etc.)
  • Auditable end-user acknowledgement
  • Force authentication/password change
  • Log-off user, disable user AD account
Application Control and Remediation
  • Application start or stop
  • Peer-to-peer/IM start or stop
  • Apply updates and patches
Network Access Control
  • Port disable (802.1X, SNMP)
  • VLAN control
  • VPN disconnect
  • ACL block at the switch, firewalls and routers
  • Wireless allow/deny
  • Quarantine until the device is remediated
Traffic Control
  • Virtual firewall
  • Update network ACL (switch, router, firewall)
Operating System Control & Remediation
  • Patch/hotfix update
  • Registry configuration
  • Process start/stop
Device Control
  • Disable NIC
  • Shutdown PC
  • Disable use of peripheral device


ForeScout CounterACT for Network Access Control automatically enforces whatever network access policies you desire for your organization. For a list of product features, see our product page. At a high level, these are the important features that you should look for in a NAC product:

  • Easy to deploy. Look for a product that:
    • Works with your existing network infrastructure (your switches), without requiring them to support 802.1X
    • Is agentless. Products that require you to deploy agents to desktops are not only difficult to deploy, but they are inherently unable to deal in a sophisticated way with unmanaged devices such as personal laptops, smartphones, network equipment such as printers, diagnostic equipment, etc.
    • Has few moving parts. The fewer appliances, servers, and software that you need to install and configure the better.
  • Wide range of enforcement actions. Look for a product that includes these characteristics:
    • Monitor mode, which lets you detect (and report on) policy violations without taking action.
    • Notifications, which let you send emails or HTTP hijacks to end users who violate policies.
    • Auto-remediation, which lets you automatically fix security problems such as operating system vulnerabilities, broken security agents, etc.
    • Disable actions for items such as unauthorized USB memory sticks and unauthorized applications.
    • Restrict traffic to certain portions of the network.
    • Block network access using a wide range of technologies such as 802.1X, SNMP, ACL management, and TCP reset.
  • Automated guest registration. Look for a product that identifies guests trying to access your network and gives them an opportunity to automatically request and receive permission to use your network, similar to the system used in hotel lobbies.
  • Automatic detection of printers. Look for a product that can automatically detect network devices such as printers, VoIP phones, switches, and other equipment. The NAC product should not require you to manually update a list of such devices.
  • Post-connect monitoring. Look for a product that will monitor a device after it has been admitted to the network, checking to ensure that it does not begin to behave in a threatening manner.


ForeScout CounterACT’s automated security control system helps organizations improve security while saving money.

Improve security
CounterACT ensures that:
  • Unauthorized users and devices are not on your network.
  • Unsanctioned applications are not on your network.
  • Authorized endpoints are properly configured; host-based security applications, such as anti-virus, are installed, running and updated; vulnerabilities are patched; and the latest versions of software are installed. This reduces the risk of infection.
  • Encryption and DLP agents are running properly, reducing the risk of network data loss.
  • Users are not able to run unauthorized applications or peripheral devices (e.g., USB memory sticks) on the network.
Save time and money
CounterACT allows you to:
  • Eliminate manual labor associated with locating systems, opening or closing network ports, and managing guest access.
  • Gain dynamic asset intelligence to streamline inventory management.
  • Automatically detect and categorize network devices such as printers, and automatically grant network access according to policy.
  • Decommission separate Internet connections that are designated for guest usage.
Avoid disruption
Unlike simplistic NAC products that disrupt users with heavy-handed security controls, CounterACT offers:
  • A full spectrum of enforcement and remediation actions ranging from gentle (notifications) to assertive (update software or kill processes).
  • Full-range and fine granularity of policy-based actions that help IT be more successful by working with users, not against them.
Improve productivity
CounterACT allows guests and contractors to:
  • Work efficiently while on premises, on-demand, by policy and through guest sponsorship. CounterACT grants the right level of network access to each person and device, without intrusive intervention or software installation.

Product Tours


Product Demonstrations

Tactical Map

ForeScout CounterACT includes a geographical map that allows you to easily manage the security of a large, global enterprise.

802.1X Management

ForeScout CounterACT includes tools to help IT security managers deploy and manage 802.1X.

Port Security

ForeScout CounterACT provides port-based network access control, with or without 802.1X.

Product Screenshots


Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Compliance Corporate Host

ForeScout CounterACT gives you real-time visibility to who is on your network, including the location and security posture of guest computers.


