Ideally, NAC addresses machines connecting to networks via wired, wireless and remote access connections, but not all users need all three areas addressed.

One user says he implemented NAC specifically to address remote users coming in over the corporate VPN. “We had no device that could check the status of devices that were plugged into the network,” he says.

The main concern was that the remote devices in particular, which in many cases were not managed by the company, would introduce malware into the network. The business is relying more and more on employees that work from home and contractors hired for projects.

The company chose a product that gave it both pre-admission NAC endpoint checking as well as post-admission behavior monitoring. The behavior monitoring also came with the ability to enforce behavior that violates policies. While the endpoint checking alone doesn’t guarantee a machine is uninfected, it does reduce the chances that it is.

A side benefit of the NAC capabilities was that the business now gets a better view of traffic on the network - who is accessing what resources and tying that to time and method of connection.

One attractive feature of the gear he chose was that it didn’t require carving up the network into virtual LANs for every policy group. The NAC device itself enforces the policies.

The user notes he found more than one vendor that met his NAC specifications, and he chose the one that was least expensive - something that no doubt won praise from the bean counters.

Tim Greene is senior editor at Network World.