This is just a continuation of our bad luck, or my bad choices, of NAC vendors. We started by installing StillSecure's SafeAccess three years ago. It mostly worked, but we weren't entirely happy. It used DHCP as the steering method, which didn't thrill me, but we had a mixture of Foundry and Cabletron switches in the field and that was all we could do.
Mac support, on the other hand, was a bigger problem given that we're an arts school and they couldn't test, or consistently identify, Macintoshes. As a result, we had to manually enter the MAC address of each Mac to give it a free pass. Luckily, we weren't hit with a massive Mac virus (No, Mac FanBoy, they're not immune, just ignored). A bigger problem was that it didn't have an agent for Vista. When we started the summer building season, it was telling us Vista support wouldn't be ready by September when the hordes of new freshman with infected machines come to campus.
So we talked to Bradford and Lockdown. Lockdown would give us a big enough discount we didn't have to put it out to bid (State Agency, after all) and Bradford didn't. Since putting it out to bid would make us miss having something in place for the beginning of classes, we went with Lockdown.
Everything worked like a champ when I had 10 PCs and 3 switches, but when I expanded to 500 ports the SNMP traffic was too much for the Lockdown box and the switch. Changing to port RADIUS was better, as was the enforcer with a Core 2 Duo, rather than original Celeron processor, but about 5% of our production users were getting left in limbo as the box couldn't see their port flap to test them -- etc., etc., etc.