When I tell vendors how I might go about bypassing their security features, I invariably hear statements like "we are not trying to solve that problem," or "we are trying to solve 90% of the access control problem," or "there are no 100% secure systems, you have to use layers." I have rejected those arguments for two reasons. First, solving the easy problems isn't hard and doesn't necessarily improve your security position. Internal users trying to bypass IT systems does not mean they are malicious -- it may mean your IT systems don't match business needs. Second, well-meaning insiders aren't really the threat to worry about. The threat to worry about is the malicious attacker who is already inside your building and attempting to attach to your network directly. Assume the attacker is savvy and you can see that you have a whole different problem on your hands.
Using NAC As A Training Tool
This is the heart of Boyce's article. When was the last time you even read your employee handbook or any user policies you were supposed to read? Have you read it recently? Heard it discussed around the water cooler? Probably not. IT and HR can publish codes of conduct, hold training classes, and put up posters, but employees will often not pay attention. They're too busy doing their jobs.
While talking with an administrator at a large university about NAC and what they were looking for, they wanted a few things. First, they wanted something they could automate so as not to add workload to their help desk. That was critical. They wanted a soft-touch approach where students (this was a student-oriented NAC project) would be given varying levels of warning and options before being cut off for infractions. And they wanted to send a clear message to a largely nontechnical audience about unacceptable behavior and conditions. In other words, they wanted to train the student body about network usage without holding training classes or making students read long documents.
NAC can be a perfect tool in this situation. By using orientation classes where network usage is discussed, along with NAC that assesses host conditions and offers solutions, the school's IT department is able to soft-touch students from an unacceptable state to an acceptable one in stages without burdening the help desk. They expect to solve 95% of problems with students' computers via NAC, leaving the remaining 5% to be handled through other means.
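The staged, automated enforcement the administrator described (warn, then restrict to self-service remediation, then cut off and hand over to the help desk) written out as a small policy engine. This is an added example, not code from the original article or from any NAC product; the posture-check names, the three-step ladder, the remediation messages and the simulated hosts are all assumptions constructed for illustration.

```python
"""Staged NAC enforcement: warn, restrict with self-remediation, then block.

Added example (not from the original article): a minimal policy engine that
turns host posture-check results into escalating enforcement actions, so that
most infractions are fixed by the user before the help desk is involved.
Check names, ladder length and messages are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"          # posture clean: full network access
    WARN = "warn"            # full access, but the user is told what to fix
    RESTRICT = "restrict"    # remediation VLAN with self-service fixes only
    BLOCK = "block"          # cut off; help desk ticket required to return


# Hypothetical remediation hints keyed by posture-check name.
REMEDIATION = {
    "av_signatures_stale": "Update antivirus signatures from the remediation portal.",
    "os_patches_missing": "Run the OS updater; reconnect when it finishes.",
    "p2p_client_running": "Close the file-sharing client (see acceptable-use policy).",
}

# Escalation ladder: consecutive failed assessments -> action (assumed 3 steps).
LADDER = [Action.WARN, Action.RESTRICT, Action.BLOCK]


@dataclass
class Decision:
    host_id: str
    action: Action
    strikes: int
    message: str


@dataclass
class PolicyEngine:
    strikes: dict = field(default_factory=dict)   # host_id -> consecutive failures
    escalated: set = field(default_factory=set)   # hosts that reached BLOCK

    def evaluate(self, host_id: str, failed_checks: list) -> Decision:
        """Apply one posture assessment and return the enforcement action."""
        if not failed_checks:
            # A clean assessment resets the ladder: the user fixed it themselves.
            self.strikes.pop(host_id, None)
            return Decision(host_id, Action.ALLOW, 0, "Posture OK; full access.")
        count = self.strikes.get(host_id, 0) + 1
        self.strikes[host_id] = count
        action = LADDER[min(count, len(LADDER)) - 1]
        hints = "; ".join(REMEDIATION.get(c, f"Fix '{c}'.") for c in failed_checks)
        if action is Action.BLOCK:
            self.escalated.add(host_id)
            msg = f"Access blocked after {count} failed checks. Contact the help desk. {hints}"
        else:
            remaining = len(LADDER) - count
            msg = f"{hints} ({remaining} more failed check(s) before network block.)"
        return Decision(host_id, action, count, msg)

    def helpdesk_ratio(self, hosts_seen: int) -> float:
        """Fraction of hosts that needed a help desk ticket, i.e. the residual
        the university in the article expected to be around 5%."""
        return len(self.escalated) / hosts_seen if hosts_seen else 0.0


def simulate() -> dict:
    """Constructed assessment sequences for three hosts (not real data)."""
    engine = PolicyEngine()
    runs = {
        "dorm-101": [["av_signatures_stale"], []],                         # fixed after warning
        "dorm-102": [["os_patches_missing"], ["os_patches_missing"], []],  # fixed while restricted
        "dorm-103": [["p2p_client_running"]] * 3,                          # never fixed -> blocked
    }
    last = {}
    for host, sequence in runs.items():
        for failed in sequence:
            last[host] = engine.evaluate(host, failed)
    return {"decisions": last, "helpdesk_ratio": engine.helpdesk_ratio(len(runs))}


if __name__ == "__main__":
    result = simulate()
    for host, d in result["decisions"].items():
        print(f"{host}: {d.action.value} (strike {d.strikes}) -> {d.message}")
    print(f"help desk ratio: {result['helpdesk_ratio']:.0%}")
```

The design choice worth noting is that a clean assessment resets a host's position on the ladder: the point of the staged approach is to let students fix their own machines, so a host that remediates is treated the same as one that was never flagged, and only hosts that ignore every stage become help desk work.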