When it's OK to use NAC endpoint checking sporadically
Benefits and caveats to sporadic NAC endpoint checking
A recurring theme among NAC customers is that they use NAC endpoint checking sporadically. When a computer has been scanned and
found compliant once, it is designated good to connect to the network for an extended period of time - a month is the timeframe
that keeps coming up.
The reason customers give is preserving a speedy login for end users. Waiting to be scanned and waiting even longer to remediate
problems found is too high a price to pay. The cost-benefit of time and complaints vs. the incremental security the endpoint
check gives to the organization seems to favor keeping the scans to a minimum.
These customers aren’t cavalier. They aren’t abdicating their responsibilities to keep their networks safe; they’re just facing
the business reality that end user frustration can be counterproductive, both in IT costs and in user distraction from achieving
business goals.
If the NAC endpoint checks are minimal, customers must use other means to protect their networks, either using post-admission
NAC resources or other tools such as intrusion-prevention systems and strict asset-management enforcement.
This reduced frequency for endpoint scanning seems to work for students at universities and for wired desktops at corporations,
according to NAC implementers. In practice, both these populations prove stable enough that they don’t cause problems severe
enough to call for more stringent scrutiny.
But the relaxed posture is not extended to guests, contractors and vendors, who are a less known quantity and whose patience
is required as a cost of doing business.
Tim Greene is senior editor at Network World.
Comments (2)
Creating A False Sense of Security
By Dana Hendrickson on November 27, 2007, 3:56 pm
Tim, the extreme general position you are advocating - to heavily favor user productivity over network security in setting an organization's security policies for...
compromise for poor design
By Alan Shimel on November 27, 2007, 5:52 pm
Dana - I have to wholeheartedly agree with you. I think this is just marketing spin by companies that do not have purpose built NAC health or posture checking and...