We have a similar situation with Impulse. The good news is that it does a great job identifying mobile devices, and games as well for that matter, and excluding them from needing the agent. We do have problems with install pages occasionally getting displayed on all of our devices after the agent is already installed, but the OS detection works well. Since it does rely upon the Agent-ID, there is no way around the need to display a web page. We get this complaint a lot. The best solution would be to develop an agent for the mobile device. There is nothing stopping the NAC vendors from developing an "App" for iPhones/Touches, for example. This seems like the obvious one, as it appears to be by far the most popular mobile device, especially among students. I know it is the only device I hear complaints about related to this issue.

It is indeed possible to spoof the Agent-ID. We've tried it. However, because the device is using 802.1x, we still know who is associated with the device for security purposes. All the spoofing would do is keep them from having their security posture checked for Windows Update, updated AV software and FW. Our view is that if someone wants to go through the trouble to avoid that, they are likely smart enough to know the consequences, and will likely be smart enough to address the security issues. If not, they deserve to live with the consequences. Ironically, we have plenty of security problems (i.e., malware-hosed machines) with machines that are complying with all of our requirements as well. As far as I know, we have yet to have to rebuild someone's machine that was tagged by our IDS as having a security issue that also showed up in our system as having a mobile OS or game OS. Our preference is to avoid having to maintain MAC filters, which can also be easily spoofed.

Pete Morrissey
Syracuse University

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Dennis Xu
Sent: Friday, June 25, 2010 10:09 AM
To: [email protected]
Subject: [WIRELESS-LAN] Mobile devices and NAC

Just want to check how other people deal with mobile devices with NAC? We use Cisco NAC and configured "not require agent" for mobile devices, but the problem is they have to open the browser first (even if they have already been authenticated using 802.1X) to become online users in NAC before they can use any other applications (email clients, calendar, etc). Cisco NAC detects the user O/S after the user opens the browser. So no browser open, no other network connectivity. This has caused many frustrations. How do you make the mobile devices work with NAC without these pains? If you use a MAC filter to bypass NAC, how do you manage and maintain the filter list? Any suggestions are appreciated!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
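Pete's point above, that the Agent-ID (browser User-Agent) the NAC keys its OS detection on is spoofable but the 802.1X identity behind the device is still known, as an added example that is not code from either poster, from Impulse or from Cisco NAC: a Python sketch of User-Agent based agent exemption that records every exemption against the 802.1X identity and flags a MAC whose claimed OS class changes between portal hits. The hit-log layout, the sample entries and the matching rules are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample portal hits: (mac, 802.1X identity, User-Agent).
# The layout is invented for this example, not a real NAC log format.
PORTAL_HITS = [
    ("00:11:22:33:44:01", "jsmith", "Mozilla/5.0 (iPhone; CPU iPhone OS 4_0 like Mac OS X) AppleWebKit/532.9"),
    ("00:11:22:33:44:02", "asmith", "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.6.6"),
    ("00:11:22:33:44:02", "asmith", "Mozilla/5.0 (iPhone; CPU iPhone OS 4_0 like Mac OS X) AppleWebKit/532.9"),
    ("00:11:22:33:44:03", "bjones", "Mozilla/5.0 (PLAYSTATION 3; 1.00)"),
]

# Ordered exemption rules (assumed, first match wins): mobile and game OSes
# have no posture agent available, so they bypass the agent requirement.
AGENT_EXEMPT_RULES = [
    (re.compile(r"iPhone|iPod|iPad|Android"), "mobile"),
    (re.compile(r"PLAYSTATION|Nintendo|Xbox"), "game"),
]

def classify(user_agent):
    """Return (os_class, agent_required) the way an Agent-ID based check would.
    Exempt classes are tested first so 'like Mac OS X' in an iPhone UA
    does not fall through to the desktop macOS rule."""
    for pattern, os_class in AGENT_EXEMPT_RULES:
        if pattern.search(user_agent):
            return os_class, False
    if "Windows" in user_agent:
        return "windows", True
    if "Mac OS X" in user_agent:
        return "macos", True
    return "unknown", True

def exemption_audit(hits):
    """Tie each agent exemption to the 802.1X identity, and flag any MAC whose
    User-Agent changes OS class: the Agent-ID is client-supplied, so a posture
    exemption is only as trustworthy as the identity it is recorded against."""
    classes_seen = defaultdict(set)
    exemptions, flagged = [], []
    for mac, identity, ua in hits:
        os_class, needs_agent = classify(ua)
        if not needs_agent:
            exemptions.append((identity, mac, os_class))
        classes_seen[mac].add(os_class)
        if len(classes_seen[mac]) > 1:
            flagged.append((identity, mac, sorted(classes_seen[mac])))
    return exemptions, flagged
```

Flagged entries are a review queue for the posture team, not a block list; the point is that nothing needs a hand-maintained MAC filter because the 802.1X identity is already on every record.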
