We are planning to set up authenticated registration for BYOD devices. Users will log in on the portal using their LDAP credentials to register the MAC addresses of their BYOD device(s).
As far as I know, registering a device actually adds its MAC address to a pre-defined End-System Group.
When this device accesses the network, it will authenticate using its MAC address.
We can configure an expiration timer after which the user needs to re-register the device(s), but we want to know if there is a way to automatically disable network access for these registered devices (=delete MAC from the end-system group) when a user leaves the company - i.e. when the AD account is locked/disabled/deleted.
Another solution would be to have an expiration timer, which takes the last active time into account, so the MAC gets deleted if the device was not active for X days.
Is this possible?
Best answer by StephanH
There is no direct feedback from the AD into the NAC.
The expiration timer may not help here either. This is valid for all MAC addresses. I.e. if this is set to 10 days then not only the MACs that are in the group for BYOD are deleted but also e.g. the MACs of the colleagues who are currently on vacation.
But you can delete users and MACs via the NBI-API. Therefore you could create an API call in an arbitrary programming language that is triggered automatically or manually when a user is deleted in AD to delete the MAC in the XMC database.
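The approach in the answer above, as an added example that is not part of the thread and not Extreme Networks code: a sweep that compares the directory against the BYOD registration table, picks out registrations belonging to disabled or deleted AD accounts, and removes each MAC from the end-system group through the XMC NBI GraphQL endpoint. The directory entries and registration table below are constructed stand-ins for an LDAP search and a NAC registration query; the endpoint path, the `removeMACFromEndSystemGroup` mutation name and its `value`/`endSystemGroup` arguments and `status`/`message` return fields are assumptions to confirm in your XMC NBI schema explorer before use. Lockouts are deliberately not treated as a leaver signal, since they are usually transient.

```python
"""
Added example (not from the original thread, not Extreme Networks code).

Finds BYOD registrations that belong to disabled or deleted AD accounts and
removes those MACs from the registration end-system group via the XMC NBI
(GraphQL) API, so the NAC stops authorising the device by MAC.
"""
import json
import urllib.request
from base64 import b64encode

ACCOUNTDISABLE = 0x0002  # userAccountControl flag bit: account is disabled

# Constructed sample data standing in for an LDAP search result (sAMAccountName,
# userAccountControl) and for the NAC registration table (user -> registered MACs).
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "alice", "userAccountControl": 512},  # NORMAL_ACCOUNT, enabled
    {"sAMAccountName": "bob", "userAccountControl": 514},    # 512 | ACCOUNTDISABLE
]
SAMPLE_REGISTRATIONS = {
    "alice": ["00-11-22-33-44-55"],
    "bob": ["66:77:88:99:AA:BB", "66:77:88:99:AA:BC"],
    "carol": ["CC:DD:EE:FF:00:11"],  # no longer present in AD: account deleted
}


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55 / 0011.2233.4455 / 00:11:22:33:44:55 and return
    the colon-separated upper-case form (assumed to match what XMC stores)."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def disabled_accounts(directory):
    """Accounts whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return {e["sAMAccountName"] for e in directory
            if int(e["userAccountControl"]) & ACCOUNTDISABLE}


def plan_revocations(directory, registrations):
    """Return (user, mac, reason) for every registration that should be revoked:
    the owner is disabled in AD, or has no AD account at all (deleted)."""
    present = {e["sAMAccountName"] for e in directory}
    disabled = disabled_accounts(directory)
    plan = []
    for user, macs in sorted(registrations.items()):
        if user in disabled:
            reason = "disabled"
        elif user not in present:
            reason = "deleted"
        else:
            continue  # active user: registration stays
        for mac in macs:
            plan.append((user, normalize_mac(mac), reason))
    return plan


def build_removal_mutation(mac, group):
    """GraphQL payload removing one MAC from an end-system group.
    ASSUMPTION: mutation name, argument names and return fields; verify them
    in the NBI schema explorer of your XMC version."""
    query = """
    mutation RemoveMac($mac: String!, $group: String!) {
      accessControl {
        removeMACFromEndSystemGroup(value: $mac, endSystemGroup: $group) {
          status
          message
        }
      }
    }"""
    return {"query": query, "variables": {"mac": mac, "group": group}}


def nbi_post(host, username, password, payload, timeout=10):
    """POST a GraphQL payload to the XMC NBI endpoint with HTTP basic auth.
    ASSUMPTION: endpoint path https://<host>:8443/nbi/graphql."""
    url = f"https://{host}:8443/nbi/graphql"
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def revoke_registrations(directory, registrations, group, post):
    """Run the sweep; `post` is any callable taking a payload (nbi_post with
    credentials bound, or a dry-run function) so the logic is testable offline."""
    results = []
    for user, mac, reason in plan_revocations(directory, registrations):
        response = post(build_removal_mutation(mac, group))
        results.append({"user": user, "mac": mac, "reason": reason, "response": response})
    return results


if __name__ == "__main__":
    def dry_run(payload):  # prints what would be sent instead of calling XMC
        print("would POST:", json.dumps(payload["variables"]))
        return {"dryRun": True}

    for r in revoke_registrations(SAMPLE_DIRECTORY, SAMPLE_REGISTRATIONS,
                                  "BYOD-Registered", dry_run):
        print(f"{r['user']}: {r['mac']} revoked ({r['reason']})")
```

Run it as a scheduled task next to the directory sync, or from the deprovisioning step itself; keep the dry-run callable for the first runs and review the planned list before binding `post` to `nbi_post`, since a mapping error here revokes access for the wrong person rather than for the leaver.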