.. _check-nac-enforcement:

How to Check When Blockage by NAC is Suspected
====================================

This guide explains how to check if network communication failure on an endpoint in a NAC-operated environment is related to NAC.

Genian NAC primarily controls endpoints in two ways:

- Control via Network Sensor
- Control via Agent

Methods for checking each control type are provided.

**1. Control via Host Sensor**


  - How to check when an endpoint is controlled via Network Sensor
  
  1) Open the endpoint's terminal window and perform a PING check to the Gateway IP.
  2) If the PING to the Gateway IP is successful, it is not a situation where the Network Sensor is controlling.
  3) Additionally, open the endpoint's terminal window and check the ARP cache table.
  4) Repeatedly confirm if the MAC address matched with the Gateway IP has changed to the Network Sensor's MAC address.
  5) If IPs unrelated to the Network Sensor in the ARP cache table have not changed to the Network Sensor's MAC, then the situation is unrelated to NAC.

**2. Control via Mirror Sensor**

  - When controlling via a Mirror Sensor, ICMP communication with the gateway is performed normally. Therefore, do not judge using the control method for a Host Sensor.

  1) Open the endpoint's web browser and attempt web access. (Web pages other than Google, Naver are recommended.)
  2) Confirm whether the CWP page URL and screen are displayed on the browser.
  3) Please check when ICMP communication is normal in most sections, but WEB communication is abnormal.

**3. Control via Agent**

  - There are various ways to control an endpoint via the Agent, but in this situation, we only check for network communication issues.

  1) Go to Start button > Settings > Network & Internet > Change adapter options > Check if the primary network adapter is grayed out (disabled).
  2) If it is not in a disabled state, then Agent interface control has not been performed.