Network World

Using NAC to backstop and supplement other apps

NAC customers are using NAC equipment to backstop and supplement other management and security applications
Security: Network Access Control Alert. By Tim Greene, Network World, 10/07/2008
Senior Editor Tim Greene clarifies issues surrounding the evolving NAC security architecture.

Recently a user of ForeScout NAC gear said he's had the equipment in place for more than a year and doesn't have it enforcing NAC policies yet, but still finds the device worthwhile.

He uses its IDS capabilities extensively and its network discovery support to find out what devices are on the network and what switch port they are plugged into. And he uses the NAC endpoint checking to make sure software is updated.

Other products perform some of the same functions, and he uses some of them, says Chad Clement, the network security manager for Haworth. The company uses Altiris client management, Shavlik NetChk configuration checking software, Qualys vulnerability management and BMC Remedy service management. But they supplement and integrate with the NAC gear to act as backup to each other.

The long-term plan is to have the NAC gear enforce policies and direct users to remediation of the shortcomings that a NAC assessment finds. But he says he was being sensitive to the end-user experience. Being diverted to a portal where you are instructed to update can be aggravating to end users. So can blocking large numbers of machines all at once.

He has decided to take a slower approach, having the NAC gear send him notifications that he passes along to desktop help staff to have the devices upgraded into compliance. It’s a longer process but it causes less disruption. When NAC policy enforcement is turned on, there will be fewer non-compliant machines, so the pushback from users will be less, he says.

Other NAC customers say similar things about using the equipment to backstop and supplement other management and security applications, and not just those using ForeScout gear. It’s not what you’d buy NAC for primarily but it’s an added benefit. (Compare NAC products)

Tim Greene is senior editor at Network World.

Comments (1)
Aha! Now I see said the blind man
By alan shimel on October 7, 2008, 9:42 am

Tim - you hit the nail on the head! This is exactly what we have been preaching for 2 years. We actually have a great white paper on this called "a phased approach...
