A lot of NAC solutions include optional enforcement. Even if you start out with an evaluate-only type of NAC deployment, you probably eventually want to enforce NAC policies in the network.
Look at the NAC solutions that you are evaluating to determine what methods of enforcement are included and how they fit with your organization's short and long-term goals for NAC. Several options for enforcement allow greater flexibility and more capabilities from NAC. These options include
Switch-based enforcement
Inline devices or appliances
Endpoint or client-based enforcement
|
The closer to the endpoint you position enforcement, the more control you have over what the device can see. In a perfect world, you'd enforce policies everywhere possible:
The endpoint itself
The access layer switch
An inline device in front of your protected resources