More and more IoT terminals are deployed in the enterprise Intranet, bringing tremendous pressure to network security management. Accurate identification and effective network access control of IoT terminals are the premises to ensure the security of IoT. Based on analyzing the advantages and disadvantages of the existing schemes, this paper proposes a network access control scheme based on active scanning for the IoT terminals which access the network via Ethernet or WIFI. Firstly, the scheme identifies illegal terminals by periodically sending probe messages to the IoT devices and comparing the information extracted from the returned data packets with the existing terminal baseline information in the system. Secondly, the scheme blocks illegal terminals by SNMP protocol. Through our scheme, the network access control and continuous compliance monitoring of the IoT terminals can be realized without any plug-in or program installed. What's more, our scheme can effectively prevent IP/MAC spoofing attacks. We deploy and validate the scheme in a real campus network.