By: shanna November 7, 2007 7:06 am
Location: Sunnyvale, CA


Assessment is a key part of any NAC system: gathering data about the endpoint and the user before an access control decision is made. There are many different ways to do assessment, so let’s take a look at them.

  • Agent - Placing permanent software (an “agent”) on the endpoint allows security checks to remain in force even when the endpoint is not connected to the network. However, many companies and most guests are reluctant to install a permanent agent.
  • Web-based - A lightweight solution for guests and others is to download a bit of software (ActiveX or Java) through the user’s web browser and do a quick scan of the system. However, there are many limits to what this scan can check.
  • None - How can you assess an endpoint without any software on it? There are several options. You can probe it from the network (port scan or RPC) or monitor its communications (passive assessment). For some devices, like printers, this is the only option. The assurance it provides is weaker than what the other methods can obtain, because nothing on the endpoint itself is verified. Still, probing and monitoring are valuable techniques that should not be underestimated.

As you can see, each of these options has its pros and cons. Many NAC systems these days offer all three choices, allowing administrators to use different client software for different users and devices.
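To make the trade-off concrete, here is a small policy engine (an added example, not code from the original post or any NAC product) that picks one of the three assessment methods for each endpoint and turns the result into an access decision. The check names, the coverage each method is assumed to have, and the endpoint records are all constructed for illustration.

```python
"""Added example: choose a NAC assessment method per endpoint and decide access.
Check names, per-method coverage and sample endpoints are constructed."""
from dataclasses import dataclass, field

# Checks the policy requires before granting full access (constructed).
REQUIRED_CHECKS = {"av_running", "patches_current", "firewall_on"}

# Assumed coverage: what each assessment method can actually verify.
# An agent sees everything; a browser-based scan sees less; probing and
# passive monitoring verify nothing on the endpoint itself.
COVERAGE = {
    "agent": REQUIRED_CHECKS,
    "web": {"av_running", "patches_current"},
    "none": set(),
}

@dataclass
class Endpoint:
    name: str
    kind: str                    # "managed", "guest" or "headless" (printer etc.)
    agent_installed: bool = False
    browser_capable: bool = True
    results: dict = field(default_factory=dict)   # check name -> passed?

def choose_method(ep: Endpoint) -> str:
    """Prefer the agent, fall back to a browser scan, else probe/monitor only."""
    if ep.agent_installed:
        return "agent"
    if ep.kind != "headless" and ep.browser_capable:
        return "web"
    return "none"

def decide(ep: Endpoint):
    """Return (method, decision, checks_not_satisfied) for one endpoint."""
    method = choose_method(ep)
    verifiable = COVERAGE[method]
    failed = {c for c in verifiable if not ep.results.get(c, False)}
    unverified = REQUIRED_CHECKS - verifiable
    if failed:                       # a verified check failed: isolate and remediate
        return method, "quarantine", failed
    if method == "none":             # nothing verified: limited, monitored access
        return method, "restricted", unverified
    if unverified:                   # partial coverage: grant less than full access
        return method, "limited", unverified
    return method, "full", set()

if __name__ == "__main__":
    for ep in (Endpoint("laptop-01", "managed", agent_installed=True,
                        results={c: True for c in REQUIRED_CHECKS}),
               Endpoint("guest-7", "guest", results={"av_running": False}),
               Endpoint("printer-3", "headless", browser_capable=False)):
        print(ep.name, *decide(ep))
```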

