Network Access Control (NAC) Logs

Network, Authentication & Access, SIEM / Log Aggregator

Location

NAC platform logs (Cisco ISE, Forescout, Aruba ClearPass, PacketFence)

Description

Network Access Control platform logs recording endpoint posture assessments, 802.1X authentication results, VLAN assignments, device profiling classifications, guest access grants, and quarantine actions for non-compliant devices.

Forensic Value

NAC logs provide device-level network admission decisions that prove whether a specific endpoint was authorized to access the network and what level of access it received. Posture assessment failures indicate endpoints missing patches or antivirus that may have been exploitation targets. VLAN assignment logs map which network segment a device was placed into. Device profiling classifications identify device types connecting to the network. Quarantine events show when compromised or non-compliant devices were isolated.

Tools Required

NAC Admin Console, SIEM (Splunk, Elastic), Cisco ISE, grep

Collection Commands

Cisco ISE

curl -k -X GET "https://<ise-host>/admin/API/mnt/Session/ActiveList" -H "Accept: application/xml" -u "<ise-admin-user>" > ise_active_sessions.xml

Giving -u only the user name makes curl prompt for the password, so the credential does not land in shell history or process listings; replace -k with --cacert <ise-ca-chain.pem> once the ISE certificate chain is available, so the export is not collected over an unverified TLS connection.

Splunk

index=nac earliest=-30d posture_status=non_compliant | stats count by endpoint_mac, endpoint_ip, posture_status, vlan | sort -count | head 50

PacketFence

pfcmd node view all | grep -E "status|mac|ip|category" > packetfence_nodes.txt
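The Splunk search above answers one question (which endpoints kept failing posture) against live data. When the NAC export has to be analysed offline, the same aggregation and the per-endpoint admission timeline described under Forensic Value can be reconstructed from the raw events. The following is an added example, not code from the original page or from any NAC vendor: it parses a constructed key=value event format (an assumption, not the native layout of ISE, ClearPass, Forescout or PacketFence), counts non-compliant posture results per endpoint the way the Splunk stats does, lists quarantined endpoints, and rebuilds the ordered admission decisions for one MAC address.

```python
import re
from collections import Counter

# Constructed sample NAC events in a key=value style. Illustrative only; real
# NAC platforms use their own field names and layouts.
SAMPLE_NAC_LOG = """\
2024-05-01T08:00:12Z nac event=auth_result endpoint_mac=00:11:22:33:44:55 endpoint_ip=10.10.5.23 user=alice result=success vlan=100 profile=Windows-Workstation
2024-05-01T08:00:15Z nac event=posture endpoint_mac=00:11:22:33:44:55 endpoint_ip=10.10.5.23 posture_status=compliant vlan=100
2024-05-01T08:02:40Z nac event=auth_result endpoint_mac=aa:bb:cc:dd:ee:01 endpoint_ip=10.10.5.77 user=bob result=success vlan=100 profile=Windows-Workstation
2024-05-01T08:02:44Z nac event=posture endpoint_mac=aa:bb:cc:dd:ee:01 endpoint_ip=10.10.5.77 posture_status=non_compliant vlan=999 reason=av_signatures_outdated
2024-05-01T08:02:45Z nac event=quarantine endpoint_mac=aa:bb:cc:dd:ee:01 endpoint_ip=10.10.5.77 vlan=999 reason=posture_failed
2024-05-01T09:15:02Z nac event=auth_result endpoint_mac=de:ad:be:ef:00:01 endpoint_ip=10.10.5.90 user=- result=failure vlan=- profile=Unknown
2024-05-01T09:15:30Z nac event=auth_result endpoint_mac=de:ad:be:ef:00:01 endpoint_ip=10.10.5.90 user=- result=success vlan=50 profile=Printer
2024-05-02T10:00:00Z nac event=posture endpoint_mac=aa:bb:cc:dd:ee:01 endpoint_ip=10.10.5.77 posture_status=non_compliant vlan=999 reason=missing_patch
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_nac_log(text):
    """Turn each line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))  # tokens without '=' (the "nac" tag) are ignored
        fields["ts"] = ts
        events.append(fields)
    return events


def non_compliant_summary(events):
    """Offline equivalent of: posture_status=non_compliant | stats count by mac, ip, vlan | sort -count."""
    counter = Counter(
        (e["endpoint_mac"], e["endpoint_ip"], e.get("vlan", "-"))
        for e in events
        if e.get("event") == "posture" and e.get("posture_status") == "non_compliant"
    )
    return counter.most_common()


def quarantined_endpoints(events):
    """MAC addresses that were moved into a quarantine segment at least once."""
    return sorted({e["endpoint_mac"] for e in events if e.get("event") == "quarantine"})


def admission_timeline(events, mac):
    """Ordered admission decisions for one endpoint: authentication outcome, VLAN, posture, quarantine."""
    timeline = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC strings sort chronologically
        if e.get("endpoint_mac") != mac:
            continue
        kind = e.get("event")
        if kind == "auth_result":
            timeline.append((e["ts"], f"802.1X {e['result']} -> VLAN {e['vlan']} ({e['profile']})"))
        elif kind == "posture":
            timeline.append((e["ts"], f"posture {e['posture_status']} -> VLAN {e['vlan']}"))
        elif kind == "quarantine":
            timeline.append((e["ts"], f"quarantined -> VLAN {e['vlan']} ({e.get('reason', '')})"))
    return timeline


if __name__ == "__main__":
    evs = parse_nac_log(SAMPLE_NAC_LOG)
    for (mac, ip, vlan), n in non_compliant_summary(evs):
        print(f"{n:3d} non-compliant  {mac}  {ip}  vlan={vlan}")
    print("quarantined:", ", ".join(quarantined_endpoints(evs)))
    for ts, what in admission_timeline(evs, "aa:bb:cc:dd:ee:01"):
        print(ts, what)
```

The timeline is the part that matters in an incident: it shows the endpoint authenticating successfully into the production VLAN before the posture check moved it to the quarantine VLAN, which is the window during which the device had normal network reach. Point parse_nac_log at the real export once the field names are mapped to the platform in use.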

MITRE ATT&CK Techniques

T1078, T1200, T1557, T1562.001, T1016