Enterasys is issuing a new version of its NetSight management suite that lets its NAC system set policies for unmanaged devices such as guest laptops.

With NetSight 3.0, the company's NAC Manager software now supports MAC-address registration tied to user identity as a criterion for applying policy.

This lets enterprises divert the laptop of a guest or consultant who is trying to log into the network to a Web portal, where the user would be queried for information that can be paired with the MAC address of the machine.

A guest might be granted just Internet access if the MAC address is unknown or the user ID is unknown. Alternatively, the device might be allowed onto a restricted VLAN if a trusted sponsor -- an authorized company employee -- enters a valid user name and password.

Vendors such as Bradford Networks and Great Bay Software have means to use MAC addresses to apply NAC policies to unmanaged devices that may include printers and IP phones.

This option is primarily for guests, contractors and other people who use computers not issued by the corporation, and allows known, validated employees to vouch for visitors.

Enterasys also is introducing Assisted Remediation Server, which automatically refers machines that fail NAC preadmission scans to a server where they can be patched to address whatever shortcomings the scans reveal.

A device that fails the initial scans is sent to a Web portal, which displays what steps the user should take to remediate the problem. Before, Enterasys did not have a remediation mechanism.

In addition, Enterasys now supports postadmission NAC by blending features of its new Automated Security Manager with its NAC Manager platform. Postadmission NAC monitors devices that have been admitted to the network and can restrict their activity if they violate behavior policies.

So when Automated Security Manager is notified by intrusion-detection systems of behavior that violates such policies, it passes details of the violation along to NAC Manager. In turn, NAC Manager enforces policies to address the unauthorized behavior. The device can be quarantined until the unauthorized behavior is shut down.

For example, if a workstation starts serving FTP files, it could be quarantined and the user directed to shut down the FTP server in order to be readmitted to the network.

Other NAC vendors such as ConSentry, ForeScout, Mirage and Nevis Networks push postconnect NAC as a strength of their products.

InSight 3.0 also introduces Policy Control Panel that lets nontechnical users modify standard policies to better control access in certain environments. At a school, for instance, a teacher could be given control of access policies to block the use of instant messaging in a classroom for a certain time period.

In this example, the policies the teachers would control are limited and set by a network administrator, and the teachers could not create policies of their own, Enterasys says.

Policy Control Panel is sold separately and costs US$11,995 on a Web server appliance. The rest of the upgrades come with InSight when bought new and with InSight service contracts.