This has taken me a bit of time. I tried to put aside all of the hype and advertising running about in my head and come up with a good reason for NAC.
And without all the hype and such it wasn't easy. A short time back I asked a bunch of CISSPs "Are Firewalls Really Necessary?" and I see a similar question has popped up about anti-virus. I think it's good to go back and question the holy assumptions made in the past, and those holy grails of the future. I got some interesting answers to my question, and the antivirus debate is heating up nicely.
When I am in doubt I turn to my collection of wisdom, quotes I have collected over the years made by guys a lot more interesting than I and a lot more wise. I hope. One of these sages is Kevin Kelly. My university lecturer was a fan of KK and we actually had to learn his rules of god for our exams. Anyhow, Kevin Kelly said "More is more than more, it's different".
What does he mean by this? How does this relate to NAC?
Take a PC and put someone in charge of it. No problem. Add another PC. No problem. At some stage the guy will have too much work, so add another guy. No problem. Add a few more PCs and a few more guys. At some stage you are no longer dealing with a few guys and some PCs. You are dealing with a Corporate Network and an IT Department.
It is at this stage that the whole takes on a life of its own. Now, Kevin Kelly encourages you to embrace this sort of chaos because something amazing may come out of it. Look at Wikipedia. No one planned that something so huge and amazing would happen; likewise the Internet. Maybe I am talking about Web 1.0 and Web 2.0, and when Web 3.0 happens it will come out of the chaos that is the Internet and totally take center stage.
If you are trying to innovate, by all means embrace the chaos. But if you are in charge of a computer network, the chaos could produce a new way of working that boosts your company to be a leader in its field. More likely, though, it will boost your customer list over to your competitors, or innovate your last 5 years of financial documents into meaningless junk.
NAC is about control. Hence the name, I guess. And really, it's not a product, it's a mindset. If you like, you can limit connections by MAC address on switches - you always have been able to. You could have a big guy that walks around unplugging PCs that have no business being on your network.
Without even going into the whole "is the antivirus up-to-date, is the box patched" functionality I think it is important for a security officer to be able to say "All users on the network are authenticated."
Then he could go on to say "All the PCs on the network are up-to-date with the controls I need them to have to make sure they behave themselves".
There will be issues in doing this, and I don't see the point in security through obscurity, which is what DHCP-based NAC seems to be. There needs to be a chokepoint, and it needs to be the switch, which is the closest trusted piece of equipment to the user. Their PC is closer, but it is not trusted.
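To make the two statements above concrete ("all users on the network are authenticated" and "all PCs are up-to-date with the controls I need"), here is an added example, not code from the original post, of the decision logic an enforcement point behind a switch port would apply. It models a per-port admission decision: an unauthenticated port is denied outright, an authenticated PC whose antivirus signatures are stale or which is missing patches is quarantined into a remediation VLAN, and only a PC that passes both checks gets the corporate VLAN. The endpoint records, the VLAN numbers, the signature-age threshold and the `evaluate`/`port_actions` function names are all constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"            # full corporate access
    QUARANTINE = "quarantine"  # authenticated, but posture failed: remediation only
    DENY = "deny"              # no authenticated user on the port


@dataclass
class Endpoint:
    """What the switch / posture agent reports for one access port (constructed)."""
    port: str
    mac: str
    user: Optional[str]                # None means nobody authenticated on this port
    av_signature_date: Optional[date]  # None means the AV agent is not reporting
    missing_patches: int               # count of required patches not installed


@dataclass
class Policy:
    """Thresholds the security officer chooses (assumed values)."""
    max_signature_age_days: int = 3
    max_missing_patches: int = 0


# Constructed mapping from decision to the action applied at the switch port.
PORT_ACTION = {
    Decision.ALLOW: "vlan 10 (corporate)",
    Decision.QUARANTINE: "vlan 99 (remediation)",
    Decision.DENY: "shutdown",
}


def evaluate(ep: Endpoint, policy: Policy, today: date) -> Tuple[Decision, List[str]]:
    """Return the admission decision for one endpoint plus the reasons for it.

    Authentication is checked first: posture is meaningless for an unknown user,
    so an unauthenticated port never reaches the posture checks.
    """
    if ep.user is None:
        return Decision.DENY, ["no authenticated user on port"]

    reasons: List[str] = []
    if ep.av_signature_date is None:
        reasons.append("antivirus agent not reporting")
    else:
        age = (today - ep.av_signature_date).days
        if age > policy.max_signature_age_days:
            reasons.append(f"antivirus signatures {age} days old")
    if ep.missing_patches > policy.max_missing_patches:
        reasons.append(f"{ep.missing_patches} required patch(es) missing")

    if reasons:
        return Decision.QUARANTINE, reasons
    return Decision.ALLOW, []


def port_actions(endpoints: List[Endpoint], policy: Policy, today: date) -> Dict[str, str]:
    """Map every access port to the action the switch should apply to it."""
    return {ep.port: PORT_ACTION[evaluate(ep, policy, today)[0]] for ep in endpoints}


# Constructed sample: three ports as a posture system might see them one morning.
TODAY = date(2007, 6, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("Gi0/1", "00:11:22:33:44:01", "alice", date(2007, 5, 31), 0),   # healthy
    Endpoint("Gi0/2", "00:11:22:33:44:02", "bob", date(2007, 5, 20), 2),     # stale AV, unpatched
    Endpoint("Gi0/3", "00:11:22:33:44:03", None, date(2007, 5, 31), 0),      # nobody logged in
]

if __name__ == "__main__":
    policy = Policy()
    for ep in SAMPLE_ENDPOINTS:
        decision, reasons = evaluate(ep, policy, TODAY)
        print(f"{ep.port} {ep.user or '<unauthenticated>'}: {decision.value} {reasons}")
    print(port_actions(SAMPLE_ENDPOINTS, policy, TODAY))
```

The important design point, matching the post's argument, is where this runs: the inputs come from the PC, but the decision and the resulting port action are taken by the switch-side enforcement point, so a PC that lies about its posture or simply ignores a DHCP offer still cannot talk past its own port.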