>One of our goals is to have a very dynamic edge so that places where we might have printers or computer labs on static ports with port security can become NAC controlled and make migrating labs and overall device deployment that much easier.

The MAC address/IP address filter feature DOES NOT WORK. It can filter ONLY by MAC address, and then you pretty much only get one choice of where those items go. The product does work pretty well for wireless stuff.

The scan requires that you PURCHASE a Nessus feed at $2400 per box per year from Tenable if you want anything beyond the checks at logon provided by Cisco. If you use roaming profiles under Windows, login is a hassle and you have to expose profile storage to the unsecure network.

Support from TAC is as good as it can be given the nature of the product and the state of development. Others may feel differently, but after 5 years of experience with this product, and heroic efforts by my rep to get me help, it is my impression that Clean Access (NAC) development is where they send developers as punishment or something and it is a graveyard for product management people.

Insist on a test deployment before purchase. Really. It may suit you perfectly, but you really need to implement the features you want. Many do not work the way you think they do and there is some real quirkiness to this thing. We have kind of made it work here, but it wasn't easy and it does cause some issues from time to time that leave you shaking your head.

Having said all that, many other NAC products from other vendors are worse. There are some lurkers on the list who have found alternatives they like better; hopefully they will speak up so you can compare.

Dan Sichel
Ponderosa Telephone
