Network access control (NAC) vs ZTNA: which approach for 2026

NAC controls network admission. ZTNA controls application access. Learn how the two compare, where both fall short on agentless devices, and what fills the gap.

Network access control decides who gets on your network. Zero Trust Network Access decides who gets to your applications. Most mid-market IT teams need both, plus a third layer for the devices that support neither. This guide breaks down how NAC and ZTNA work, where they overlap, and how to close the gap that both leave open.

What is network access control?

Network access control is a Layer 2/3 technology that gates physical and wireless network access based on device identity, user credentials and endpoint health. It uses the 802.1X standard with a RADIUS server to authenticate devices at the switch port before they receive an IP address. Devices that fail posture checks land in a quarantine VLAN. NAC answers one question: should this device be allowed onto the network at all?

The process involves three components. The supplicant is software on the endpoint that presents credentials. The authenticator is the switch or wireless access point that blocks traffic until authentication succeeds. The authentication server, typically RADIUS, checks credentials against policy and returns a permit or deny decision. Once authenticated, the switch can assign a VLAN or apply an access control list to restrict what the device can reach.

EAP-TLS with digital certificates remains the strongest 802.1X method. It removes the password-theft risk that plagues simpler EAP variants. For organisations that already run a certificate authority, this is the path worth taking.

NAC also performs device profiling. It inspects DHCP fingerprints, SNMP data and traffic patterns to identify what type of device has connected. This matters most for endpoints that cannot run a supplicant, which we will return to shortly.

How ZTNA works differently

ZTNA operates at Layer 7. Instead of granting a device a spot on the network, it creates an encrypted, per-application tunnel between the user and a specific resource. The rest of the network stays invisible.

The model works through a broker architecture. A lightweight connector inside the data centre or cloud establishes an outbound connection to a trust broker. Users authenticate against the broker, which verifies identity, checks device posture and evaluates context (location, time, risk score) before stitching the connection to the target application. No inbound ports need to be open. No network segment is exposed.

Where NAC authenticates once at connection time, ZTNA platforms like Jimber verify continuously. If a device’s posture degrades mid-session, or if behavioural anomalies appear, access can be revoked in real time. This is a fundamental shift from the “authenticate once, trust forever” model that NAC and VPNs share.

For remote and hybrid workers, ZTNA removes the VPN bottleneck entirely. Users connect to applications directly, whether they sit in the office, at home or on a client site. The experience is faster, the attack surface smaller, and the compliance evidence cleaner. Our Zero Trust architecture guide covers the broader framework in detail.

NAC vs ZTNA compared

The two technologies solve different problems at different layers. Understanding where each excels prevents wasted investment.

| Criterion | NAC | ZTNA |
|---|---|---|
| OSI layer | Layer 2/3 (port and network) | Layer 7 (application) |
| Primary scope | Campus network admission | Application access everywhere |
| Authentication model | Point-in-time at connection | Continuous per session |
| Remote user support | Limited (campus-focused) | Native (location-independent) |
| Visibility | Network segment level | Per-application, per-user |
| Agentless device handling | MAC Authentication Bypass | Requires agent (gap) |
| Lateral movement prevention | VLAN-based (coarse) | Application isolation (granular) |
| Compliance evidence | Port-level logs | Identity + posture + app-level audit trail |
| Typical deployment time | 6-12 months (enterprise NAC) | Weeks to months |
| Cost model | CapEx hardware + perpetual licences | Per-user subscription |

NAC controls whether a device may sit on the network. ZTNA controls whether a user may reach a specific application. Neither alone covers the full picture. And both share a blind spot that deserves its own section.

The agentless device problem both approaches share

Roughly 21 billion IoT devices are connected worldwide, and the number keeps climbing. In manufacturing environments, a single facility can have hundreds of PLCs, HMIs, sensors and cameras on the network. Healthcare facilities run MRI scanners, infusion pumps and patient monitors. These devices share one characteristic: they cannot run a ZTNA agent or an 802.1X supplicant.

NAC handles them through MAC Authentication Bypass (MAB). The switch identifies the device by its MAC address and assigns it to a designated VLAN. The problem is obvious. MAC addresses can be spoofed in seconds. An attacker who clones the MAC of an authorised printer gains whatever network access that printer had. MAB also tends to grant broader access than necessary because maintaining per-device ACLs at the switch level is operationally painful.
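Because MAB trusts the MAC address alone, the profiling data the NAC already gathers (DHCP fingerprint, switch port) is the only way to notice that a cloned MAC is in use. The following detection logic is an added example, not part of the original article or any vendor product; the authorisation table, port names and DHCP option 55 lists are constructed sample data.

```python
"""Flag MAB-authorised MACs whose observed behaviour contradicts their profile.

Three checks, each a sign of a cloned MAC: DHCP fingerprint differs from the
profiled one, the MAC appears on a port other than the one it was authorised
on, or the same MAC is active on several ports. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class MabDevice:
    mac: str
    label: str
    port: str              # switch port the device was authorised on
    dhcp_fingerprint: str  # DHCP option 55 parameter-request list as profiled

# Constructed MAB authorisation table: what the NAC profiled at onboarding.
MAB_TABLE = {
    "00:11:22:33:44:55": MabDevice("00:11:22:33:44:55", "printer-floor2", "Gi1/0/12", "1,3,6,15,44,46,47"),
    "aa:bb:cc:dd:ee:01": MabDevice("aa:bb:cc:dd:ee:01", "ip-camera-lobby", "Gi1/0/20", "1,3,6,12,15,28,42"),
}

# Constructed observations: (mac, switch port, DHCP option 55 list seen in a request).
OBSERVED = [
    ("00:11:22:33:44:55", "Gi1/0/12", "1,3,6,15,44,46,47"),  # printer as profiled
    ("aa:bb:cc:dd:ee:01", "Gi1/0/20", "1,3,6,12,15,28,42"),  # camera as profiled
    # Same camera MAC on another port, requesting options a workstation asks for.
    ("aa:bb:cc:dd:ee:01", "Gi1/0/33", "1,3,6,15,31,33,43,44,46,47,119,121"),
]

def detect_mab_anomalies(table, observed):
    """Return a list of (mac, reason) alerts for MAB devices that drift from profile."""
    alerts = []
    ports_seen = defaultdict(set)
    for mac, port, fingerprint in observed:
        dev = table.get(mac)
        if dev is None:
            continue  # not MAB-authorised; 802.1X decides for this MAC
        ports_seen[mac].add(port)
        if fingerprint != dev.dhcp_fingerprint:
            alerts.append((mac, f"{dev.label}: DHCP fingerprint changed on {port}"))
        if port != dev.port:
            alerts.append((mac, f"{dev.label}: seen on {port}, authorised on {dev.port}"))
    for mac, ports in ports_seen.items():
        if len(ports) > 1:
            alerts.append((mac, f"{table[mac].label}: active on {len(ports)} ports in window"))
    return alerts
```

Feed the function the MAB table exported from your RADIUS server and the DHCP/port observations from the switches; every alert is a device whose MAB grant should be reviewed or revoked.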

ZTNA simply cannot reach these devices. No agent means no identity verification, no posture check, no per-application tunnel. Most ZTNA vendors quietly ignore this gap or suggest “network segmentation” as if that solves it.

Inline isolation offers a third path. Jimber’s Network Isolation Access Controller (NIAC) sits physically between the agentless device and the network. It enforces per-device communication rules at the hardware level. A camera can talk to its recording server. A PLC can reach its SCADA controller. Everything else is blocked by default. No MAC trust, no broad VLAN access, no agent required.

For manufacturing environments where downtime is measured in millions per hour, NIAC provides isolation without touching the device’s firmware or disrupting production. The device does not know it is being controlled. It simply works, within tightly defined boundaries.
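The per-device allow-list with default deny described above can be modelled in a few lines. The code below is an added illustration of that idea, not Jimber’s NIAC implementation or API; the device names, addresses, ports and flows are constructed sample values.

```python
"""Per-device default-deny flow rules, modelling the inline-isolation idea.

Each agentless device gets an explicit allow-list of (peer network, protocol,
port); any flow not covered, and any device without a policy, is denied.
All addresses, device names and flows are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    peer: str   # CIDR the device may reach
    proto: str  # "tcp" or "udp"
    port: int   # destination port on the peer

@dataclass(frozen=True)
class DevicePolicy:
    name: str
    rules: tuple  # of Rule; an empty tuple means the device may talk to nothing

# Constructed policies keyed by the agentless device's own IP address.
POLICIES = {
    "10.20.0.15": DevicePolicy("lobby-camera", (Rule("10.20.5.10/32", "tcp", 554),)),  # RTSP to recorder
    "10.30.0.7": DevicePolicy("line3-plc", (Rule("10.30.9.2/32", "tcp", 502),)),        # Modbus to SCADA
}

# Constructed flows: (src, dst, proto, dst_port) as an inline enforcement point sees them.
FLOWS = [
    ("10.20.0.15", "10.20.5.10", "tcp", 554),  # camera -> its recording server
    ("10.20.0.15", "10.30.9.2", "tcp", 502),   # camera -> SCADA: not its business
    ("10.30.0.7", "10.30.9.2", "tcp", 502),    # PLC -> its SCADA controller
    ("10.30.0.7", "8.8.8.8", "udp", 53),       # PLC -> public DNS: no reason to
    ("10.99.0.1", "10.30.9.2", "tcp", 502),    # unknown device with no policy at all
]

def permitted(policy, dst_ip, proto, port):
    """True only if some rule explicitly covers this peer, protocol and port."""
    return any(r.proto == proto and r.port == port and ip_address(dst_ip) in ip_network(r.peer)
               for r in policy.rules)

def evaluate(policies, flows):
    """Return (verdict, device_label, flow) per flow; default verdict is deny."""
    verdicts = []
    for src, dst, proto, port in flows:
        pol = policies.get(src)
        ok = pol is not None and permitted(pol, dst, proto, port)
        verdicts.append(("allow" if ok else "deny", pol.name if pol else "unknown", (src, dst, proto, port)))
    return verdicts
```

Running `evaluate(POLICIES, FLOWS)` shows the two legitimate flows allowed and the other three denied, including the device that has no policy; the denied list is exactly what Phase 3 of the migration would review when identifying over-permissive segments.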

Why the answer is “both, plus inline isolation”

The honest answer to “NAC or ZTNA?” is neither alone. A layered model works best.

ZTNA for all user-to-application access. Whether the user is on campus or remote, every application connection should go through identity verification, device posture checks and per-app tunnelling. This is where Jimber’s ZTNA provides the foundation. It replaces VPN, enforces least privilege, and generates the audit trail that NIS2 and CyFun auditors expect. Read our overview of the five Zero Trust principles that drive this model.

NAC for campus admission control. If your office runs managed switches with 802.1X, keep that layer active. It prevents unknown devices from getting a network address in the first place. For organisations moving toward a “cafe-style” campus where the office network provides only internet access and all application traffic flows through ZTNA, campus NAC becomes less critical for laptops but remains valuable for network hygiene.

NIAC for agentless devices. Every printer, IP camera, industrial controller and IoT sensor that cannot run an agent needs inline isolation. Jimber’s NIAC hardware brings these devices under Zero Trust controls without the common ZTNA mistakes that occur when teams try to force-fit agent-based models onto agentless environments.

The operational advantage of running ZTNA and NIAC from the same platform is significant. Jimber manages both from a single cloud console with unified policy, logging and reporting. For IT teams that already juggle too many tools, this removes a silo. For MSPs managing dozens of customer environments, it means one multi-tenant platform instead of separate NAC and ZTNA stacks per customer.

This layered approach also simplifies NIS2 compliance. The CyberFundamentals framework requires access control, network segmentation, device management and continuous monitoring. ZTNA delivers access control and audit trails. NIAC delivers segmentation for agentless devices. A single console delivers the reporting. One platform, three controls covered.

How to migrate from legacy NAC to a layered model

You do not need to rip out your existing NAC overnight. A phased approach keeps risk low and demonstrates value at each step.

Phase 1: Replace VPN with ZTNA. Start with remote access. VPN concentrators are the number one target for ransomware groups, and replacing them with ZTNA cuts the attack surface immediately while improving user experience. Pick two or three high-usage, low-risk applications for the pilot.

Phase 2: Extend ZTNA to campus users. Once remote access is running, roll ZTNA out to on-campus users for application access. Your existing NAC continues to handle network admission. The two coexist without conflict because they operate at different layers.

Phase 3: Isolate agentless devices. Identify the devices on your network that rely on MAB or sit on flat segments with overly permissive rules. Deploy NIAC hardware for the highest-risk devices first: industrial controllers, medical equipment, building management systems. Work outward from there.

Phase 4: Evaluate campus NAC’s future role. As more application access moves through ZTNA, your campus NAC’s scope narrows. Some organisations will maintain it for basic admission control. Others, particularly those adopting BYOD without complexity, will simplify to open network access with all security enforced at the application layer through ZTNA. Either approach is valid. The point is that you now have a choice.

Frequently asked questions

Can ZTNA fully replace NAC?

For user-to-application access, yes. ZTNA makes network-level admission irrelevant for managed endpoints because the network itself grants no application rights. But for campus network hygiene and as a first gate against rogue devices, NAC retains value. The real question is whether your organisation benefits enough from campus NAC to justify its operational cost, or whether ZTNA plus NIAC covers your actual risk surface.

What is MAC authentication bypass and why is it risky?

MAB is the fallback mechanism NAC uses for devices that cannot run an 802.1X supplicant. The switch authenticates the device using only its MAC address. Because MAC addresses are easily cloned, MAB provides no real identity assurance. An attacker with physical access to a network port can impersonate any MAB-authorised device and inherit its network permissions.

How do you secure devices that cannot run agents?

Inline isolation hardware like Jimber’s NIAC places a physical enforcement point between the device and the network. The NIAC allows only explicitly permitted traffic flows for each device. It does not require any software on the endpoint, does not modify the device’s configuration, and encrypts data in transit even if the device itself has no encryption capability.

Is NAC still relevant in a Zero Trust model?

NAC addresses a layer that ZTNA does not: physical network admission. In a strict Zero Trust model where applications are only reachable through ZTNA, the network itself carries less trust. NAC can still prevent rogue devices from consuming bandwidth, launching local attacks or serving as pivot points. Whether that justifies the cost depends on your environment. Organisations with large campus networks and many physical ports will see more value than those with primarily remote workforces.

Does Jimber include NAC in its SASE platform?

Jimber’s platform focuses on ZTNA, Secure Web Gateway, Firewall-as-a-Service and SD-WAN, managed from a single console. For agentless devices, NIAC hardware provides inline isolation that addresses the gap where both NAC and ZTNA fall short. If you run existing NAC infrastructure, Jimber’s ZTNA and NIAC layer on top of it without conflict.

What does this mean for NIS2 compliance?

NIS2 and the Belgian CyberFundamentals framework require access control, network segmentation and continuous monitoring. ZTNA provides identity-based access with full audit trails. NIAC provides segmentation for devices outside ZTNA’s reach. Together they cover the technical controls auditors check, with evidence generated automatically from a single platform.

Ready to see how ZTNA and NIAC work together for your environment? Book a demo with Jimber and get a practical assessment of your network access architecture. No complex projects, no hidden costs, just a clear path from legacy access control to Zero Trust.
