NAC is often touted as a good tool for dealing with the security of laptops brought into organizations by guests and contractors, but it has its shortcomings.

A device managed by another business that comes into a corporate network is often unlikely to accept a NAC software agent from the corporate NAC server. In such cases, the NAC server can try to download a dissolvable agent or do a scan with no agent.

If no agent is used, the scan may not be considered thorough enough to warrant granting extensive network access. In such cases, the host network may decide the best policy is to grant very limited access, such as Internet access from a restricted virtual LAN.

That would not do for consultants who need access to critical network assets in order to do their work. In such cases the IT security staff from the host company and the consultant company will likely have to get together to hammer out a compromise.

For instance, from the consultant point of view, what kind of NAC agent is acceptable? From the host network point of view, what standards will the consultant be held to? If the corporate standard is to have an updated McAfee antivirus client and the consultant firm uses Symantec, how will that be resolved?

The visiting company has other legitimate concerns. It is likely to want guarantees that any NAC software - dissolvable or not - be guaranteed not to damage its machines. Frozen laptops could cripple consultants, and they are likely to want payback if theirs seize up because of an unanticipated problem with NAC software.

None of these problems is insurmountable, but plan to negotiate with partners that need extensive network access and to develop legal agreements about their network use.

Tim Greene is senior editor at Network World.