The Interop Labs test of NAC interoperability showed little participation by vendors that support checking endpoints running Linux and Mac OS X.
This is a continuing problem for businesses that want to deploy NAC but have users whose machines run these operating systems. They can make accommodations to whitelist these machines, but that pretty much defeats the purpose of NAC, which is to assure that endpoints first pass health checks and only then gain network access.
Whitelisting them gets them on the network, but abandons the goal of having all network devices in the proper security state, the idea being that if they are compliant with the health policy, they are less likely to bring malware onto the network.
If businesses can’t find a suitable vendor that supports inspection of Mac OS X and Linux machines, they should look to alternatives that monitor the behavior of all devices and toss those that violate behavior policies into quarantine. The example used at Interop Labs is Great Bay Software’s Beacon Profiler, which can determine whether a Mac OS X device, a Linux device or even an IP phone behaves the way such devices ought to behave.
Of course it’s better to have the NAC system perform the endpoint check in the first place rather than trusting that post-connect monitoring can trigger a timely shutdown of badly behaving machines.
Support of all operating systems used on network endpoints is a feature that potential NAC customers should look for.
Tim Greene is senior editor at Network World.
Comments (3)
"I always find responses like" by Anonymous on May 2, 2008, 7:15 pm: I always find responses like Todd's bizarre. Do you guys only sell to the US or something?
"And Linux too" by Michael Fine on May 1, 2008, 10:14 pm: Yes, Linux is supported too. Avenda Systems has a Linux NAP agent that checks numerous "health attributes" on Linux systems including firewall status and anti-virus...
"Macintosh yes, Linux maybe not" by toddhooper on May 1, 2008, 5:26 pm: Tim, interesting point re Mac and Linux deployments. We looked hard at this and talked to customers. Yes, there are a lot of Macs out there, so we developed a...