One of the major security threats facing University and other large-scale end-user networks, especially those supporting residential or dormitory accesses, are the thousands of privately owned and unmanaged computers directly connected to an institution’s relatively open, high-speed Internet connections.  Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. This talk will begin with an overview of various approaches for automating technical policy enforcement as a condition for network access in colleges and universities, including approaches which allow for host isolation into specialized networks, captive-portal-like remediation systems, and other forms of conditional network access. Following this overview, we will discuss a generalized description of how networks can enforce various use policies. This description will include a conceptual model of the network components, both in and out of band, that are required to determine a host's network access level as well as those configuration elements, specific to each component, that might allow or deny an end stations network access. The overview, description, and model are all based on the work being done as part of the Internet2 SALSA-NetAuth working group.