The pros and cons of NAC

Bottom Line, by Joel Snyder, Network World, 06/12/2006

Network access control is a simple idea: Authenticate every user connecting to the network, then enforce an access-control policy based on who they are and other information, such as endpoint security checks and wired vs. wireless access method.

After writing an architectural overview of NAC for Network World and testing NAC products at Interop last month, I’ve been exposed to the good and bad parts of NAC.

I'm enthusiastic about NAC, but I'd like to devote some time to the devil's advocate view of the technology. Specifically, NAC has five major failings:

Endpoint security checks work only when you need them least. When you need them most, they leave you high and dry. A NAC strategy based on checking endpoint security works great for managed laptops and desktops, but (according to our testing) not so well for people coming into the organization - the folks you have the greatest security concerns about. If you're doing NAC to check that strangers have virus scanners loaded, you're doing it for the wrong reason.

Generals are always preparing to fight the last war, not the next one, and NAC is the same way. A lot of the NAC rhetoric is reactionary - worrying about last week's threats. That's useful, but in reality we haven't had a huge, networkwide virus meltdown in a couple of years. That's because we're getting better at preventing these kinds of things. Sure, it will happen again, but the frequency and severity are dropping. Which brings us to . . .

The ROI on NAC is a big unknown. NAC is a lot of work. Even if your network infrastructure is ready for NAC, getting it into place will not be cheap or easy. Is it worth it? You should probably calculate that before going down this path. There are lots of other ways to spend your security dollars. Maybe some will have a better ROI. Or maybe not.

Too much information is sometimes just too much. One of NAC's benefits is that it gives you the opportunity to set a policy for every user. The problem is that organizations that are paralyzed by the concept of policy definition, or that don't know what is going on with their networks, will not suddenly be able to come up with per-user or per-group NAC rules. You can use NAC in its most primitive, "on if you authenticate, off if you don't" mode, but if that's all you want, save yourself a lot of bother and try a simpler solution.

Comments (1)

RE: The pros and cons of NAC
By priya on February 18, 2008, 4:55 am

I don't get a clear idea about the loopholes of NAC. Can you please explain it in detail?
