The policy server checks for the presence of DNAC software and runs compliance checks. Non-compliant machines can then be quarantined and/or sent to remediation sites. If the end point doesn't have the DNAC client software, the enterprise has a variety of policy options: download a full agent, use an on-demand Web-based agent, or restrict the end point's network access.
DNAC's clearest benefit is that it doesn't require 802.1x, an upgrade to your switching infrastructure, or the purchase of NAC switches or NAC appliances, all of which can be expensive and complicated. It also helps address the problem of guest workers and contractors outside your administrative domain.
On the downside, Enforcers may be overwhelmed if they have to deal with a large number of non-compliant end points. Enforcers themselves may fall out of compliance and lose Enforcer status, which may result in an unmonitored subnet. InfoExpress says administrators can create persistent Enforcers to continue monitoring even if their own compliance status changes.
SSL VPNs on the Inside
The second idea is to invert an SSL VPN and run it inside the LAN. Vendors such as Aventail, Array Networks and Caymas Systems are playing up the similarities between SSL VPNs and NAC. That's because SSL VPNs already perform NAC-like functions for remote users: assess the health of the end point and enable policy-based access to applications.