Network World
The tricky part of NAC deployment

Creating sets of NAC policies that meet most actual use cases
Security: Network Access Control Alert, by Tim Greene, Network World, 10/14/2008

Senior Editor Tim Greene clarifies issues surrounding the evolving NAC security architecture.

NAC keeps machines that don't meet security policies off networks, but what those policies ought to be can be one of the trickiest parts in a NAC deployment.

Most end-user policies will make sure operating systems are patched, antivirus software is updated and firewalls are turned on. Some groups may need certain applications banned. Some groups (executives) may need the kid-glove treatment. They don't want NAC to inconvenience them and they have the clout to demand it.

Enforcement options include logging violations, warning users they need updates, alerting network security staff, demanding remediation and blocking access.

The number of things that can be checked and the actions that can be taken in response make for a large matrix, which bodes well for creating sets of NAC policies that meet most actual use cases. Toss in policies triggered by the access method being used (managed machine, unmanaged machine, access via VPN, access via wireless network) and the options grow even greater.
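The matrix described above can be written down and evaluated before any product is chosen. The following is an added example, not part of the original article: the group names, the sample policy values and the override precedence (group, then access method, then the group and access method pair) are assumptions made for illustration.

```python
from enum import IntEnum

class Action(IntEnum):
    """Enforcement options named in the article, ordered least to most disruptive."""
    LOG = 1
    WARN = 2
    ALERT = 3
    REMEDIATE = 4
    BLOCK = 5

CHECKS = ("os_patched", "av_updated", "firewall_on", "no_banned_apps")
ACCESS = ("managed", "unmanaged", "vpn", "wireless")
GROUPS = ("staff", "executives")  # assumed group names

# Constructed sample policy (assumption, to be agreed with business units).
DEFAULT = {check: Action.REMEDIATE for check in CHECKS}
OVERRIDES = {
    ("executives", None): {check: Action.WARN for check in CHECKS},
    (None, "unmanaged"): {"av_updated": Action.BLOCK, "firewall_on": Action.BLOCK},
    ("executives", "unmanaged"): {"av_updated": Action.ALERT},
}

def resolve(group, access):
    """Return check -> Action for one matrix cell; later (more specific) keys win."""
    policy = dict(DEFAULT)
    for key in ((group, None), (None, access), (group, access)):
        policy.update(OVERRIDES.get(key, {}))
    return policy

def evaluate(group, access, posture):
    """Return (strongest action or None, failed checks) for a reported posture.
    A check missing from the posture report counts as failed (fail closed)."""
    policy = resolve(group, access)
    failed = [c for c in CHECKS if not posture.get(c, False)]
    return max((policy[c] for c in failed), default=None), failed

def full_matrix():
    """Expand every group x access-method cell for review before product selection."""
    return {(g, a): resolve(g, a) for g in GROUPS for a in ACCESS}

if __name__ == "__main__":
    for (group, access), policy in full_matrix().items():
        print(f"{group:<11}{access:<10}", ", ".join(f"{c}={p.name}" for c, p in policy.items()))
    healthy = dict.fromkeys(CHECKS, True)
    print(evaluate("executives", "unmanaged", {**healthy, "firewall_on": False}))
```

In this sample policy an executive on an unmanaged machine with the firewall off is still blocked, because the access-method rule is applied after the group rule; that ordering is exactly the kind of decision the business units need to sign off on.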

Which policies should be applied to which employees needs to be carefully considered. These are business goals and cannot be determined by the IT side of the house alone, so the policies must be created in concert with business units.

And that should be done before deciding what NAC products are appropriate so customers can be sure the product chosen will deliver all the policy options called for. If the policies call for autoremediation, the gear needs to support autoremediation.

Business-unit consultation should be carefully planned. IT leaders should educate the business members of the team by presenting a comprehensive description of what NAC can do. Once they understand the possibilities, then they can formulate policies.

Only then is it time to go shopping, armed with a list of policies that must be enforced, so the gear purchased winds up being a good fit. (Compare NAC products)

Tim Greene is senior editor at Network World.
