The NAC border has some backdoors
At one side you have the dangereous environnement of the internet and the numereous new ways to attack machines for which there is no protection yet. At the other side you have the pressure from management and the workers to be able to work on your network outside the office and after or before office hours. In the meantime you will have to guarantee that there will still be a network and that it will stay more or less secure and that only authorized personnell has access.
Cisco has developed for this a server based upton the Network Access Control. The principle is that even if you have the credentials, you can only access the network if your pc has an antivirus, all the patches installed and a firewall. But CISCO made some mistakes while designing the process. This gave the opportunity to create code with which you could pass this networkguard without much difficulty.
The most important part of the attack is that it is possible to spoof the information the Trust Client sends to the server about the configuration of the machine. It seems it is possible for all clients to send only the spoofed information they received to their servers and not the real information. After that they were able to bypass the system because no other authentification was asked. It is also impossible for the moment to integrate the Cisco architecture with other standard authentification systems.
NAC is just a start, but for CISCO it was a false one.