NAC with BYOD

  • Updated 3 years ago
We are looking at a non-domain-joined device BYOD policy. We have an Extreme NAC. I want to limit one device to one person, not having it open slather. I could do this by importing a MAC list into the NAC, but with MAC addresses being easily spoofed this may not work.
Any ideas how to achieve a BYOD, one non-domain device per person?

Frank


Posted 3 years ago


Joseph Burnsworth

Even though it is a non-domain device, are you using LDAP for user creds for them to log on? Also, are you doing this via a web portal?

If you are using a web portal and LDAP for auth, you can limit one device per person. If this is an open-auth Guest Portal, there is no way to limit the user, since they can use a different name every time.

Frank

Had to think about this. Sorry for the silly questions. I am new to the NAC setup.
If I did use the web portal and LDAP, this means there is a way to match the user ID to a MAC address via a pre-list to validate auth to the wireless? If the MAC address is spoofed, then they would be denied access to the wireless?

Keene, Scott, Employee NMS/GTAC

Hi Frank,

So in NAC you can have a rule in the Rules Engine that contains LDAP User Group criteria (that keys off the username) as well as a list of MAC addresses (End System Group criteria), so if the user registers on a device that is in that MAC list, the re-auth that occurs after the portal login should result in matching that rule. If you then use the same username/password on a device that is not listed in that End System Group, a second rule below the first one can be matched and set up to do something different (more restrictive policy assignment).

If you are worried about the MAC spoofing then this may not be a valid solution for you, but also keep in mind that NAC would be limited in methods of determining if the host is a domain-joined machine if the underlying Authentication Type is MAC Auth rather than 802.1X.


Regards.
Scott Keene
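The two answers above describe a portal registration that caps devices per LDAP user and a Rules Engine that evaluates an LDAP User Group criterion plus an End System Group (MAC list) top-down, first match wins. The following is an added illustration of that logic, not Extreme NAC code and not from anyone in this thread; user names, MACs and policy names are constructed, and it goes one step beyond Scott's description by keeping the MAC list per user so a listed MAC only counts for the person who registered it.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the thread): LDAP users allowed BYOD.
LDAP_USER_GROUP = {"frank", "joseph"}
MAX_DEVICES_PER_USER = 1   # the "one non-domain device per person" limit


@dataclass
class Rule:
    name: str
    policy: str
    needs_user_group: bool   # LDAP User Group criterion (keys off the username)
    needs_listed_mac: bool   # End System Group criterion (MAC list)


# Ordered like the Rules Engine: evaluated top-down, first match wins.
RULES = [
    Rule("registered device", "Full Access", True, True),
    Rule("known user, unlisted device", "Restricted Access", True, False),
]


@dataclass
class Nac:
    # username -> MACs that user registered through the portal (assumed
    # per-user End System Group; the thread describes one shared MAC list).
    registrations: dict = field(default_factory=dict)

    def register(self, username: str, mac: str) -> bool:
        """Portal registration after an LDAP login; enforces the per-user cap."""
        if username not in LDAP_USER_GROUP:
            return False
        mac = mac.lower()
        macs = self.registrations.setdefault(username, set())
        if mac in macs:
            return True                       # same device registering again
        if len(macs) >= MAX_DEVICES_PER_USER:
            return False                      # second device for this person
        macs.add(mac)
        return True

    def evaluate(self, username: str, mac: str) -> str:
        """Re-auth after portal login: policy of the first matching rule.
        Under MAC Auth the MAC is all the device criterion can see, which is
        the limitation Scott points out; nothing here can tell a copied MAC
        from the original."""
        listed = mac.lower() in self.registrations.get(username, set())
        for rule in RULES:
            if rule.needs_user_group and username not in LDAP_USER_GROUP:
                continue
            if rule.needs_listed_mac and not listed:
                continue
            return rule.policy
        return "Deny"   # catch-all when no rule matches
```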