I would challenge the "AD is NAC in and of itself" statement also :-) AD is system access control, not network."

[PM] Technically you are correct, but I think you have to step back to the purpose of NAC, then look at how AD can serve the purpose.
This of course makes the assumption that the AD machines are locked down, and in that case I think it is better than NAC. In my mind NAC is used for: 1) Network Access Control 2) IP to user tracking 3) Posture checking of the endpoint to either ensure that it is secure.

While AD isn't technically network access control, you still can't get on the network until you log into AD, and is there anyone that you would want on AD that you wouldn't want to also provide access to your network? If you can lock down an AD machine with the correct security posture, and prevent people from installing potentially harmful apps, aren't you doing pretty much everything most NAC systems can do and in some cases more?

Pete Morrissey

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
