Bruce,
Out of curiosity, how do you prevent a client from gaining access via
MAC spoofing? With Cisco NAC we have the option of putting users in
the Filter list with "Check" selected. This will bypass user
authentication and will only perform client remediation. We looked
into this option with a registration portal that would automatically
create these filters for us but our security team put the kibosh on
this as they were concerned unauthorized users could gain access by
spoofing a MAC of a previously registered machine.
Michael Simpson
Network Engineer
Utah Valley University
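Added example, not from any message in this thread: a toy registry showing one defensive answer to Michael's question, pairing each registered MAC with a device fingerprint (constructed values here, standing in for something like DHCP option fingerprints) so that a registered MAC reappearing with a different fingerprint is sent to full authentication instead of bypassing it, together with the 60-day inactivity expiry Bruce describes. The MacRegistry class, the fingerprint strings and the sample dates are assumptions.

```python
from datetime import datetime, timedelta

EXPIRY_DAYS = 60  # registration expires after 60 days of inactivity


def _ts(s):
    # dates are passed as ISO strings so the example is easy to drive by hand
    return datetime.fromisoformat(s)


class MacRegistry:
    """Hypothetical MAC-based NAC registration table (assumed, not a product API)."""

    def __init__(self):
        self.records = {}  # mac -> {"owner", "fingerprint", "last_seen"}

    def register(self, mac, owner, fingerprint, when):
        self.records[mac.lower()] = {"owner": owner,
                                     "fingerprint": fingerprint,
                                     "last_seen": _ts(when)}

    def expire(self, now):
        """Drop records idle for more than EXPIRY_DAYS; return the MACs dropped."""
        cutoff = _ts(now) - timedelta(days=EXPIRY_DAYS)
        stale = sorted(m for m, r in self.records.items() if r["last_seen"] < cutoff)
        for m in stale:
            del self.records[m]
        return stale

    def check(self, mac, fingerprint, now):
        """Decide whether this MAC may bypass user authentication."""
        rec = self.records.get(mac.lower())
        if rec is None:
            return "unregistered"
        if rec["fingerprint"] != fingerprint:
            # Same MAC, different device fingerprint: possible spoofed MAC,
            # so require full authentication rather than silently allowing.
            return "fingerprint_mismatch"
        rec["last_seen"] = _ts(now)  # activity keeps the registration alive
        return "allow"


def demo():
    # constructed sample: one registered phone, one lookalike, one stranger
    reg = MacRegistry()
    reg.register("00:11:22:33:44:55", "student1", "iphone-dhcp-v1", "2010-06-01")
    return [
        reg.check("00:11:22:33:44:55", "iphone-dhcp-v1", "2010-06-02"),
        reg.check("00:11:22:33:44:55", "windows-dhcp", "2010-06-03"),
        reg.check("aa:bb:cc:dd:ee:ff", "iphone-dhcp-v1", "2010-06-03"),
        reg.expire("2010-08-01"),  # last seen June 2, exactly 60 days: kept
        reg.expire("2010-08-02"),  # 61 days idle: reclaimed
    ]
```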
On Jun 26, 2010, at 3:09 AM, Osborne, Bruce W. (NS) wrote:
Dennis,
We moved from Cisco NAC to Bradford a couple of years ago. We set
up our system based on MAC address authentication. The client only
needs to register once per semester. Our main user complaint with
Cisco NAC was the need to login to NAC every time they connected to
the network. If desired, Bradford can be setup to require this too.
For mobile devices specifically, the Bradford system generally
allows them to register only, rather than requiring the agent
download. The Device and OS recognition are either updated through
the regular definition updates or through patch updates to the system.
Sometimes we need to register new devices manually until we patch
our systems. Until recently we needed to manually register iPads and
Android phones, for example. Our current version supports both.
Our registration records expire after 60 days of inactivity so we
can reclaim NAC licenses for reuse.
I understand that Perfigo originally designed what became Cisco NAC
as an authentication system for wireless networks. The NAC features
were added later. That may be why authentication is generally
required on every connection.
Cisco makes some great products. We are generally a Cisco shop for
networking and telephony, but we found wireless & NAC solutions from
other vendors better meet our needs.
Bruce Osborne
Network Engineer
Liberty University
-----Original Message-----
From: Dennis Xu [mailto:[email protected]]
Sent: Friday, June 25, 2010 10:09 AM
Subject: Mobile devices and NAC
Just want to check how other people deal with mobile devices with
NAC? We use Cisco NAC and configured "not require agent" for mobile
devices, but the problem is they have to open the browser first
(even if they have already been authenticated using 802.1X) to become
online users in NAC before they can use any other applications (email
clients, calendar, etc). Cisco NAC detects the user O/S after user
opens the browser. So no browser open, no other network connectivity.
This has caused many frustrations. How do you make the mobile
devices work with NAC without these pains? If you use MAC filter to
bypass NAC, how do you manage and maintain the filter list? Any
suggestions are appreciated!
Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at http://www.educause.edu/groups/.
**********