Network Access Control (NAC) Guide

Network Access Control (NAC) is a security tool that controls how computers connect to a network. SF State protects wired network ports in public areas with NAC.

If you have other NAC related questions, please submit a service request.

The URL for “Request NAC Services” is:

What is NAC?

Network Access Control, commonly referred to by the acronym NAC, is a security tool that controls how computers connect to a network. SF State uses NAC to authenticate all devices that connect to the campus wired network in public spaces. Please see the list of affected ports (PDF) for the full scope. To view PDF files, please download Adobe Reader.

SF State uses a product called ClearPass OnGuard (with a secureW2 installer) to implement NAC. The SecureW2 installer auto-configures your computer's network settings and OnGuard provides the interface for logging on to the network. When connecting to the campus wired network in a public area, users need to agree to abide by the CSU's Responsible Use Policy and provide active SF State credentials (e.g., SF State ID and password).

Why has SF State Implemented NAC?

During the 2015-16 campus information security audit, the unauthenticated use of the wired campus network was determined to be non-compliant with existing CSU policy. To be compliant, the campus was required to secure access to the wired network. The August 31, 2016 NAC implementation required devices connecting to the wired network in a public area to authenticate.


Who does NAC affect?

NAC affects only computers in public spaces. Computers that are plugged into a network jack in a public space requires the user to authenticate.

The implementation of NAC on the wired network does not affect wireless users (who already use NAC), users who connect from off campus, or devices without a logon interface (e.g., printers, laboratory sensors, etc.).

Visitors without SF State credentials can connect to the SFStateGuest wireless network.

How do I prepare for NAC?

To ensure that you will be able to successfully connect to the campus wired network from all locations, you need to install the ClearPass OnGuard agent on your computer. The SecureW2 installer automatically installs ClearPass OnGuard and applies the settings that allow for authentication.

A SecureW2 Installer for Linux is available. However, SF State can only provide limited Linux support.

Note for IT Staff: All devices with static IP addresses should have a registered DNS entry prior to NAC implementation. Unregistered addresses are likely to be re-assigned.



What are the NAC exceptions?

Uniprint release stations, laboratories, kiosks and physically secured locations are not included.

How does NAC affect laboratories and public computing spaces?

Labs will be excluded from NAC.

How often will I need to authenticate?

ClearPass OnGuard creates a session that will last for 12 hours. Re-authentication should happen automatically if the credentials used remain valid.

When should I install ClearPass OnGuard?

The installer is currently available for download and install.

How do I know if my static IP has a registered DNS entry?

Please review the list of registered DNS entries (PDF). For addresses that are not listed, please use nslookup to verify. If you have further questions, please email

What areas are affected by NAC?

Please review the list of affected ports (PDF) - updated 6.29.16. To view PDF files, please download Adobe Reader.

Are the ports in non-public areas affected by NAC?

At this time, the implementation of NAC is in public areas only.