NAC vendors live in interesting times, it seems. Last year, ForeScout's marketing VP Ray Wizbowski was marvelling that - according to his research - at least 86 companies claimed on their websites to be in the business.

Now he reckons that the number is down to around 15, "and of those, only five or maybe seven are actually relevant."

So what's changed? Partly it's consolidation, he says, but it's also a realisation as NAC becomes better understood that a lot of the technologies that tried to ride the NAC bandwagon in the early days really aren't NAC.

"You had companies coming from all backgrounds and using technology that wasn't well suited, such as SSL VPN," he declares. "That's not NAC and it's not flexible, that's a point-to-point connection.

"There were also some from vulnerability management - they could do the assessment part, but not the enforcement."

He adds: "I think there is something specific to NAC that isn't just bundling technologies together - there is a business problem that you have to look at."

The shake-out also reflects NAC's maturation from the bleeding edge of technology to the leading edge of the mainstream, he claims - he says it's now being taken up by large enterprises, at least in areas that are traditionally early adopters of technology, such as the trading floors of big financial companies.

Having fewer options and a bit more clarity has helped there, he admits.

"Almost every technology I've been involved with in my career has had some kind of 'religious debate," he says. "NAC is beyond that, though there is one area still in debate, and that's in-line versus out-of-band.

"The challenge with in-line is the power it needs. Two companies in particular - ConSentry and Nevis - have built their own hardware to deal with that, but now I see them moving away from NAC appliances towards building secure switches for when you're replacing your infrastructure."

He acknowledges that's a worthy aim, not least because being in-line can give absolute control over the data flow, but points out that not everyone is in a position to renew their switches - plus it means a lot of NAC boxes to look after.

"We don't want to require the customer to change their infrastructure," he says. "Sure, it may be harder to enforce policies on older Layer 2-only networks, but we have our Virtual Firewall, which is a fancy name for TCP reset - it's a very clean way of enforcing policy."

As with so many technologies, Wizbowski estimates the UK is around 12 months behind North America in NAC uptake, but notes that network and security admins in the large enterprises who're now getting interested already know the subject well.

He says that the companies he meets are the ones that have already decided that Cisco - traditionally seen as the easy route - is a non-starter and that they need to look elsewhere.

"Cisco NAC is too expensive, it's too hard to replace all your switches, and it's primarily based on 802.1X which is admission control only," so it can't control users post-admission, he claims.

Looking forward, he says that NAC will continue to mature and appliances will grow more powerful, as enterprises seek to do more with fewer boxes and as they migrate to 10Gig backbones - although he claims that the real issue for a NAC appliance is the number of concurrent connections, as few backbones generate anything like 10Gig of traffic.

"An important part is the level of interest from service providers in NAC as a managed service, where they offer to manage your NAC set-up for you remotely," he predicts.

And he adds: "We will see more consolidation in the next 12 to 18 months, as those players who aren't yet in the business either OEM or acquire solutions." Interesting times indeed...