Senior Editor Tim Greene clarifies issues surrounding the evolving NAC security architecture.
McAfee is adding hardware enforcement to its NAC offerings by adding NAC software to its IPS appliance.
The company says the addition will give customers a way to enforce policies on unmanaged devices on networks, such as guest and contractor laptops that don’t carry the McAfee NAC agent software.
As these devices are detected by agents deployed around the network, NAC policies can be applied to them by the IPS. Before this, McAfee software could check endpoints for compliance with policies pushed down to them from a central server. Enforcement took place on the endpoint. If the endpoint came up short, the McAfee NAC agent itself would restrict network access of that machine.
With hardware enforcement, the IPS can become the enforcer, blocking a device's access to all but designated network resources.
McAfee says that early next year, it will ship a NAC-only appliance that enforces the policies but does not perform IPS functions.
There is already quite a range of hybrid hardware/software enforced NAC available, so McAfee isn’t breaking new ground functionally. It does, though, offer common management of all its security policies via its ePolicy Orchestrator platform.
That is a difference that should not be ignored, especially by businesses that are already McAfee shops. Adding NAC software to a McAfee IPS that is already in a business network may be an inexpensive way to add control over unmanaged machines that doesn’t require a big learning curve for administrators who will have to manage the capability.
Customers shopping around for a new endpoint-security vendor or IPS vendor may also find this new capability attractive. Even if it isn’t part of an initial purchase, it leaves an option open for adopting NAC without a huge additional investment.
Tim Greene is senior editor at Network World.
Comments (2)
Recycled Lockdown product
By toddhooper on October 22, 2008, 7:48 pm
Actually this looks like McAfee just recycled the Lockdown IP they bought recently. I blogged on it at http://www.napera.com/blog/?p=111
NAC so primitive even a caveman can do it!
By alan shimel on October 21, 2008, 10:24 am
Tim- this smells a lot like Juniper UAC 1.0. It doesn't scale, especially at the cost of Intrushield boxes. I have written more at my site here