NAC involves verifying the integrity of a system before granting it access to a network. This might involve checking that anti-malware is up-to-date, the OS is patched and that group policies have been applied. The aim of this is to stop attacks on new systems as they join a network and to protect a network from compromised systems.
NAC is generally enforced by client software, which is now included in XP and Vista (but called Network Access Protection), with the latest round of service packs. Security vendors such as Symantec, McAfee and Sophos have also have packages released to market.
This approach to network security seems much more comprehensive and seamless than using combinations of software, group policy, scripting and user priviledge control, but increased security always comes at a price.
One of the greatest difficulties with implementing NAC is the challenge of authenticating and monitoring non-PC devices such as VoIP phones, network printers and IP security cameras. While exceptions could be made based on IP or MAC address for such devices, if a rogue system spoofs these addresses, NAC could be bypassed. Developing secure ways to authenticate and verify the integrity of such devices will not be a trivial task.
Challenges aside, this is a promising technology for enhancing the security of any network.
Read more about NAC here.