Alan DeKok <aland@deployingradius.com>:
NAC is largely dead. If the end system is up to date, then it's as secure as we can make it. If the system isn't up to date, then it should be brought up to date.
...which is why the only thing we are really expecting NAC to do is: ensure the system auto-update feature is on, ensure AV is installed and up to date, and ensure the local firewall is on. Given that, we are still using in-house scripts, because unless the NAC agent is ready to roll when the next OSX or Windows release rolls out and unless that NAC agent also helps us install VPN and WiFi profiles, it is more trouble than it is worth. (Well, unless you ask the guy who has to update the in-house scripts, but his perspective is a bit biased :-) That said, not all OS vendors are completely on top of every zero day, so if you have information they have not reacted to yet and can demand a tweak on the client machines to temporarily work around it through the agent, that's a worthwhile capability to aspire to.