Network access control (NAC)

If you have a Windows desktop or laptop and you go away on holiday for 2-3 weeks, your device may need multiple updates when you come back. After a remote client has authenticated, NAC then checks that the device being used is fully patched. See Figure 18:

Figure 18: NAC

When the user is authenticated, the health authority (HAuth) checks against the registry of the client device to ensure that it is fully patched. A fully patched machine is deemed compliant and allowed access to the LAN. In the preceding diagram, Laptop 2 is compliant. If the device is not fully patched, it is deemed noncompliant and is redirected to a boundary network, which could also be known as a quarantine network. The components of NAC are:

  • Host health checks: The HAuth checks the health of the incoming device to ensure that it is fully patched.
  • Compliant/noncompliant device: A device that is fully patched is a compliant device, but a device that has missing patches is deemed noncompliant.
  • Agents: Each device has an agent installed so that the HAuth can carry out health checks. The two types of agents are:
    • Permanent: The agent is installed on the host.
    • Dissolvable: Also known as temporary or agentless, a dissolvable agent is installed for a single use.
  • Remediation server: Sits on the boundary or quarantine network. When the noncompliant machine is connected to the boundary network, it can obtain the missing updates from the remediation server. Once the device is fully patched, it is then allowed to access the LAN.
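
The admission flow described above, as an added Python sketch that is not from the book. The patch IDs, device names and function names are constructed placeholders; it also covers the case where the remediation server cannot supply a patch, so the device stays in quarantine after the re-check.

```python
from dataclasses import dataclass, field

# Constructed baseline: placeholder patch IDs, not real update identifiers.
REQUIRED_PATCHES = frozenset({"PATCH-001", "PATCH-002", "PATCH-003"})

@dataclass
class Device:
    name: str
    authenticated: bool
    installed: set = field(default_factory=set)

def health_check(device, required=REQUIRED_PATCHES):
    """HAuth host health check: return the patches the device is missing."""
    return sorted(required - device.installed)

def admit(device, required=REQUIRED_PATCHES):
    """Return (network, missing). Health is only checked after authentication."""
    if not device.authenticated:
        return "denied", []
    missing = health_check(device, required)
    return ("quarantine", missing) if missing else ("lan", [])

def remediate(device, missing, available=REQUIRED_PATCHES):
    """Remediation server: install the missing patches it actually holds."""
    for patch in missing:
        if patch in available:
            device.installed.add(patch)

def connect(device, required=REQUIRED_PATCHES, available=REQUIRED_PATCHES):
    """Admit, remediate if quarantined, then re-run the health check."""
    network, missing = admit(device, required)
    history = [network]
    if network == "quarantine":
        remediate(device, missing, available)
        network, _ = admit(device, required)  # re-check; never assume success
        history.append(network)
    return history

if __name__ == "__main__":
    devices = [
        Device("Laptop 2", True, set(REQUIRED_PATCHES)),  # compliant
        Device("Laptop X", True, {"PATCH-001"}),          # missing two patches
        Device("Laptop Y", False, set(REQUIRED_PATCHES)), # not authenticated
    ]
    for d in devices:
        print(d.name, "->", " -> ".join(connect(d)))
```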