Network Access Control (NAC) Logs

network, Authentication & Access, SIEM / Log Aggregator

Location

NAC platform logs (Cisco ISE, Forescout, Aruba ClearPass, PacketFence)

Description

Network Access Control platform logs recording endpoint posture assessments, 802.1X authentication results, VLAN assignments, device profiling classifications, guest access grants, and quarantine actions for non-compliant devices.

Forensic Value

NAC logs provide device-level network admission decisions that prove whether a specific endpoint was authorized to access the network and what level of access it received. Posture assessment failures indicate endpoints that were missing patches or antivirus and may have been exploitation targets. VLAN assignment logs map which network segment a device was placed into. Device profiling classifications identify the device types connecting to the network. Quarantine events show when compromised or non-compliant devices were isolated.

Tools Required

NAC Admin Console; SIEM (Splunk, Elastic); Cisco ISE; grep