While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues.
The overarching goals of this concept can be distilled to:
There are two prevailing designs in NAC, based on whether policies are enforced before or after end-stations gain access to the network.
A typical use case of pre-admission NAC would be to prevent clients with out-of-date antivirus signatures from talking to sensitive servers.
In some out-of-band systems, agents are distributed on end-stations and report information to a central console, which in turn can control switches to enforce policy.
However, some products are agentless: they keep the inherent advantages of easier, less risky out-of-band deployment, but use techniques to provide inline effectiveness for non-compliant devices where enforcement is required.
When a user is denied access because of a security concern, productive use of the device is lost, which can impact the ability to complete a job or serve a customer.