The answer to this question really depends upon how one interprets what NAC's ultimate billing is, and from whose perspective one is assessing its value.
If one's expectation of the current generation of NAC products is to "detect and possibly prevent inadvertent pollution of network resources by authorized users using managed endpoints," then I would say NAC is close to meeting those goals, and in some cases doing a very good job.
If, however, one wants NAC to secure networks from authorized but inadvertent polluters, and also to detect and prevent hostile unauthorized entities from gaining access to network resources across the enterprise, then NAC is not there yet, and perhaps never will be -- at least in its current form.
The reality is that we've seen NAC become the evolutionary road marker for many companies that were looking for new problems to solve with existing products such as intrusion prevention systems (IPS). Add vulnerability scanning, a quarantine function and some pre- or post-authentication configuration validation mechanism to an IPS and poof! ... instant NAC. Not quite.
We have seen some very robust solutions come to market with the singular goal of displacing access switches by providing "secure" network access where endpoints connect to the network. The problem is that in many cases displacing existing switching infrastructure isn't in the cards, and the ubiquity of access mechanisms, platforms and distributed resources makes this a very difficult proposition.
Further, competing "standards" put out by some leaders in the network and operating system arenas have often delayed customers, or outright confused them, and kept them from even pursuing NAC as a viable option.
That said, there are also some excellent solutions from vendors that are very clear about what their NAC products deliver, and in many cases have delighted customers by fulfilling these expectations. Some of these companies have gone so far as to leverage their solutions by partnering and/or OEMing their technology with network infrastructure routing and switching products to ensure compatibility and integration.
The truth is that what NAC delivers today and what IT managers hope it will ultimately evolve to become are often not aligned. Many, including myself, envisage that much of the functionality present in NAC offerings today will become features embedded in the network routing and switching infrastructure over the next few years.
If your client has a need today that a NAC product can cost-effectively solve and that is not otherwise addressed by other offerings, and you can deploy it in a manner that does not require a major rearchitecture of the network, operational procedures or users' behaviors, and that integrates seamlessly with their infrastructure, NAC may be a solution to investigate.
However, set expectations accordingly and ensure that the results customers desire are within the scope of what the product can deliver and was designed to deliver.
This was first published in March 2008