Symantec is coming out with a new on-demand NAC client to go with its NAC appliance that brings features of the client more in line with the company's permanent NAC client. (Compare NAC products)

Like the full-time agent, the new on-demand agent supports 802.1x authentication, enabling out-of-band enforcement of NAC policies.

The new agent allows guests to do Web login where their machines are diverted to a guest virtual LAN (VLAN) when they attach to the network, and then see a Web portal page where they can be asked to log in.

A agent is pushed to the guest machine as an Active X, Java or Mozilla plug in. The agent can also be sent to the machine as a .exe file. Once authenticated, the machine is assigned to the appropriate VLAN as determined by an on-board policy store in the Symantec appliance or by an LDAP directory.

The on-demand agent supports scans for antivirus software (Compare antivirus products) being turned on, registry checks and the like. The new agent is available for both Windows and McIntosh machines, but the Windows version has the ability to scan endpoints for more posture checks than the McIntosh version.

The agent can trigger automatic remediation of machines that flunk NAC scans, but that is an unlikely scenario, Symantec says. Guest machines managed by another firm would likely be unavailable for another company to tinker with.

When users log off, the agents dissolve from the host machine.

New software for Symantec’s NAC appliance supports VLAN trunking, so if, for example, one of the boxes is fed by a VPN concentrator that is passing through traffic for more than one VLAN, a single Symantec appliance can handle it. Before, each VLAN would require its own appliance.

Tim Greene is senior editor at Network World.