Most NAC solutions on the market today are not especially complex in their goals or implementation, but many are also relatively simplistic in their enforcement capabilities. In our experience, NAC deployments also run into trouble when they start from a small set of requirements and stay focused on those alone, without considering the longer-term place of the deployment in a true security architecture, such as a layered model like HP's Adaptive Networking Architecture.
Additionally, some of the largest challenges facing NAC today are:
- Legacy or limited endpoint capabilities: While endpoints such as PCs and servers can run agents or respond to remote queries that determine their health, devices such as networked printers, phones, PDAs, game consoles, cameras and so forth usually cannot respond to standard or even alternative NAC challenges such as web redirection to a captive portal or 802.1X-based authentication. Organizations implementing NAC therefore end up using exceptions such as MAC or IP address authentication, or placing such devices in a guest VLAN. Because a MAC or IP address is easy to spoof (a printer's MAC address is often printed on its label and is visible to anyone on the same segment), an exception based on it only identifies a device, it does not authenticate it. Consider the security implications of each exception carefully, bind exceptions to the port or location where the device is expected, and put exception devices in a separate, restricted VLAN that carries only the access they need rather than the corporate VLAN whenever possible.
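The fallback described above can be expressed as a small policy evaluator. The following is an added example, not code from the original post or from any HP product: 802.1X-authenticated endpoints land on the corporate VLAN, devices admitted by MAC exception are confined to a restricted device VLAN and are only accepted on the port the exception was recorded for, unknown devices go to the guest VLAN, and any MAC address that appears on more than one port at the same time is treated as a likely spoof and quarantined. The VLAN numbers, port names, MAC addresses and events are all constructed for illustration.

```python
"""Added example: minimal NAC port-policy evaluation with MAC-exception handling.

Everything below (VLAN numbers, exception list, port names, sample events)
is constructed for illustration and is not taken from any real deployment.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed VLAN numbering for this example.
CORP_VLAN = 10        # full access: 802.1X-authenticated endpoints only
DEVICE_VLAN = 20      # restricted: printers/phones admitted by MAC exception
GUEST_VLAN = 30       # internet-only: unknown or failed endpoints
QUARANTINE_VLAN = 99  # no access: suspected spoofing

# Constructed exception list. Each MAC is bound to the one port the device
# is expected on; a known MAC showing up elsewhere is suspicious.
MAC_EXCEPTIONS = {
    "00:1b:78:aa:bb:cc": "sw1/Gi1/0/7",   # floor printer
    "00:04:f2:11:22:33": "sw1/Gi1/0/12",  # IP phone
}


@dataclass(frozen=True)
class AuthEvent:
    mac: str
    port: str
    method: str     # "dot1x" or "mab" (MAC authentication bypass)
    success: bool   # 802.1X credential result; ignored for "mab"


def assign_vlan(event: AuthEvent) -> int:
    """Per-session decision before any cross-session checks."""
    mac = event.mac.lower()
    if event.method == "dot1x":
        return CORP_VLAN if event.success else GUEST_VLAN
    if event.method == "mab":
        expected_port = MAC_EXCEPTIONS.get(mac)
        if expected_port is None:
            return GUEST_VLAN                # unknown device: guest only
        if expected_port != event.port:
            return QUARANTINE_VLAN           # known MAC on an unexpected port
        return DEVICE_VLAN                   # identified, not authenticated
    return GUEST_VLAN                        # any other method: treat as unknown


def evaluate(events) -> dict:
    """Return {(mac, port): vlan} for all sessions.

    After per-session decisions, every session whose MAC is active on more
    than one port at once is moved to QUARANTINE_VLAN, including the session
    on the legitimate port, since we cannot tell which one is the clone.
    """
    decisions = {}
    ports_by_mac = defaultdict(set)
    for e in events:
        mac = e.mac.lower()
        ports_by_mac[mac].add(e.port)
        decisions[(mac, e.port)] = assign_vlan(e)
    for (mac, port) in list(decisions):
        if len(ports_by_mac[mac]) > 1:
            decisions[(mac, port)] = QUARANTINE_VLAN
    return decisions


# Constructed sample: printer on its port, the phone's MAC cloned onto a
# second switch, one 802.1X laptop and one unknown MAB device.
SAMPLE_EVENTS = [
    AuthEvent("00:1b:78:aa:bb:cc", "sw1/Gi1/0/7", "mab", False),
    AuthEvent("00:04:f2:11:22:33", "sw1/Gi1/0/12", "mab", False),
    AuthEvent("00:04:F2:11:22:33", "sw2/Gi1/0/3", "mab", False),
    AuthEvent("aa:bb:cc:dd:ee:01", "sw1/Gi1/0/20", "dot1x", True),
    AuthEvent("aa:bb:cc:dd:ee:02", "sw1/Gi1/0/21", "mab", False),
]

if __name__ == "__main__":
    for (mac, port), vlan in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{mac} on {port}: VLAN {vlan}")
```

The duplicate-MAC rule is deliberately blunt: it quarantines the real phone along with the clone, which is the "dead end" for a legitimate user that the Politics item below warns about, so in practice pair it with an alert to the help desk rather than silent enforcement.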
- Politics: Like many projects, NAC has the potential to significantly change the way people work when using networked resources. Initial implementations can fail if they create remediation processes that are too complex, or worse, force a user into a dead end where they cannot work at all. The commonplace example is a critical deal lost because someone could not get on the network to obtain or submit time-sensitive information. Make that person an executive and the example often becomes more serious.
Another political issue is bringing together the desktop management, network management, help desk and security teams to work alongside the business, so that their policies do not conflict.
- Complex integrations: To deliver NAC successfully, all of the products and parties involved must work well together. Today many vendors run their own partner integration programs to address this.
- Proprietary solutions: Today most vendors offer their own agent technology. The initial lack of common baseline functionality and standards forced vendors to implement or OEM client agents that cannot work with other solutions. A disconnect between standards and proprietary solutions also remains at the network level, which limits innovation across the NAC management space, in particular standard integrations with tools such as SIM/SEM, change management, network management and similar systems.
- Security vs. Policy: Introducing NAC agents into your environment can be a costly and complex exercise, because it adds yet another agent to the endpoint software stack. Many NAC solutions offer dissolvable agents to mitigate this, but as your enforcement policies become more complex, the limitations of one-time pre-admission checks compared with continuous post-admission checks (e.g. behavioral checks) will begin to force the need for a permanent agent.
HP is working on all these areas through a combination of standards activities, partner integrations and advanced service delivery capabilities. In addition, HP ProCurve's unique identity and immunity solutions already provide advanced NAC capabilities across the network to the port and endpoints that are part of the evolving NAC environment.