By: shanna November 13, 2007 5:16 pm
Location: Sunnyvale, CA


One good way to classify Network Access Control (NAC) products is to ask the question "Where is the evaluation step done?" This simple question divides NAC systems into three groups:

  • In-Band - Most NAC appliances do evaluation and enforcement in one box. Nice and simple! The downsides are cost and scalability. If you want to do enforcement at the edge of your network (which is better from a security standpoint), you must buy a lot of NAC appliances (often one to replace each edge switch). Still, in-band NAC is popular with customers who have a small network or only need NAC in one part of their network.
  • Out-Of-Band - Larger NAC vendors often use an out-of-band NAC architecture. Evaluation is done by central NAC servers and enforcement is done by separate network devices, such as switches or firewalls. If your existing network equipment can be used for enforcement, this approach can be much more economical than an in-band approach. Another advantage of out-of-band NAC is that one central NAC server can integrate with multiple enforcement points and other security devices for greater security and efficiency: evaluate once, enforce many times. As for concerns with out-of-band NAC, the NAC server must be rock solid and scalable. Otherwise, network access will grind to a halt.
  • Endpoint-based - Doing evaluation on the endpoint is attractive because it’s so cheap. No network equipment needs to be changed. Unfortunately, it’s not very secure. Really, it’s just an honor system. You must trust the endpoint to evaluate its own identity and health and decide what level of access it should get. This doesn’t pass the sniff test.
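
To make the "where is evaluation done" distinction concrete, here is an added Python sketch (it is not from this post or any NAC vendor): one central evaluator turns an endpoint's identity and posture into a single decision, two separate enforcement points (a switch and a firewall) render that same decision, and the endpoint-based variant shows what crosses the trust boundary when the endpoint evaluates itself. The posture fields, thresholds and VLAN numbers are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed posture report; field names and thresholds are assumptions for this example.
@dataclass(frozen=True)
class Posture:
    identity: str               # authenticated user/device name
    av_signature_age_days: int  # how stale the anti-virus signatures are
    patches_current: bool       # whether the OS patch level meets policy

@dataclass(frozen=True)
class Decision:
    vlan: int            # 100 = production VLAN, 999 = remediation VLAN (assumed numbering)
    allow_internet: bool

MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold

def evaluate(p: Posture) -> Decision:
    """Evaluation step: done once, centrally, in both in-band and out-of-band NAC."""
    healthy = p.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS and p.patches_current
    return Decision(vlan=100 if healthy else 999, allow_internet=healthy)

# Enforcement points: in out-of-band NAC these are existing switches and firewalls that
# receive the central decision rather than re-evaluating the endpoint themselves.
def switch_port_config(d: Decision) -> str:
    return f"switchport access vlan {d.vlan}"

def firewall_rule(d: Decision, endpoint_ip: str) -> str:
    action = "permit" if d.allow_internet else "deny"
    return f"{action} ip host {endpoint_ip} any"

def enforce_everywhere(p: Posture, endpoint_ip: str) -> dict:
    """Evaluate once, enforce many times: one decision fans out to every enforcement point."""
    d = evaluate(p)
    return {"switch": switch_port_config(d), "firewall": firewall_rule(d, endpoint_ip)}

def endpoint_based_enforce(self_reported: Decision, endpoint_ip: str) -> dict:
    """Endpoint-based NAC: the agent on the endpoint runs evaluate() itself and only its
    verdict crosses the network. The enforcement points never see a Posture, so there is
    nothing to verify and a tampered agent's 'healthy' verdict is applied like an honest one."""
    return {"switch": switch_port_config(self_reported),
            "firewall": firewall_rule(self_reported, endpoint_ip)}

if __name__ == "__main__":
    print(enforce_everywhere(Posture("laptop-2", 30, True), "10.0.0.5"))
    print(endpoint_based_enforce(Decision(vlan=100, allow_internet=True), "10.0.0.5"))
```

The second call is the "honor system" case: the stale endpoint lands in production simply because it said so.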

I hope this simple analysis provides some insight into the pros and cons of different approaches. Which approach looks like it will work best for you? Write me a comment and let me know.

