Solved

Authenticated registration: remove MAC when user leaves company

  • 27 January 2021
  • 4 replies
  • 41 views


Hi all,

We are planning to set up authenticated registration for BYOD devices. Users will log in on the portal using their LDAP credentials to register the MAC addresses of their BYOD device(s).

As far as I know, registering a device actually adds its MAC address to a pre-defined End-System Group.

When this device accesses the network, it will authenticate using its MAC address.

We can configure an expiration timer after which the user needs to re-register the device(s), but we want to know if there is a way to automatically disable network access for these registered devices (= delete the MAC from the end-system group) when a user leaves the company, i.e. when the AD account is locked/disabled/deleted.

Another solution would be to have an expiration timer which takes the last active time into account, so the MAC gets deleted if the device was not active for X days.

Is this possible?

Thanks!


Best answer by StephanH 27 January 2021, 15:46

Hello,

there is no direct feedback from the AD into the NAC.

The expiration timer may not help here either. This is valid for all MAC addresses. I.e. if this is set to 10 days then not only the MACs that are in the group for BYOD are deleted but also e.g. the MACs of the colleagues who are currently on vacation.

But you can delete users and MACs via the NBI API. Therefore you could create an API call in an arbitrary programming language that is triggered automatically or manually when a user is deleted in AD to delete the MAC in the XMC database.
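
As an added example of the API-driven approach Stephan describes (not code from this thread or from Extreme): a Python dry-run script that picks out the registered MACs belonging to AD accounts flagged disabled via userAccountControl and builds the NBI GraphQL mutation that would remove each MAC from its end-system group. The mutation name and input fields, the /nbi/graphql path and the registration export format are assumptions to verify against your own XMC GraphQL schema; the sample data is constructed.

```python
import json
import urllib.request
from base64 import b64encode

# Bit 2 of the AD userAccountControl attribute marks a disabled account (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x2
# LDAP filter returning only disabled user objects (bitwise-AND matching rule OID).
DISABLED_USERS_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

def is_disabled(user_account_control: int) -> bool:
    return bool(user_account_control & ACCOUNTDISABLE)

def select_macs_to_remove(registrations, disabled_users):
    """Return sorted (group, mac) pairs whose registering user is disabled (case-insensitive)."""
    disabled = {u.lower() for u in disabled_users}
    return sorted((r["group"], r["mac"]) for r in registrations if r["user"].lower() in disabled)

def build_remove_mutation(group: str, mac: str) -> str:
    # ASSUMPTION: mutation name and input fields; verify against your XMC NBI GraphQL schema.
    return (
        "mutation { accessControl { removeMACFromEndSystemGroup("
        f"input: {{group: {json.dumps(group)}, value: {json.dumps(mac)}}}) "
        "{ status message } } }"
    )

def post_nbi(base_url, username, password, query):
    """POST one GraphQL document to the NBI endpoint (assumed path; not exercised offline)."""
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/nbi/graphql",
        data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed sample data: BYOD group registrations and AD userAccountControl values (514 = disabled).
SAMPLE_REGISTRATIONS = [
    {"mac": "00:11:22:33:44:55", "user": "jdoe", "group": "BYOD-Registered"},
    {"mac": "66:77:88:99:AA:BB", "user": "asmith", "group": "BYOD-Registered"},
    {"mac": "CC:DD:EE:FF:00:11", "user": "JDOE", "group": "BYOD-Registered"},
]
SAMPLE_AD_ACCOUNTS = {"jdoe": 514, "asmith": 512}

def planned_removals(registrations=SAMPLE_REGISTRATIONS, ad_accounts=SAMPLE_AD_ACCOUNTS):
    """Dry run: list the (group, mac) pairs that would be sent through post_nbi for removal."""
    disabled = [user for user, uac in ad_accounts.items() if is_disabled(uac)]
    return select_macs_to_remove(registrations, disabled)
```

Review the dry-run list before wiring planned_removals to post_nbi, since a MAC removed from the group loses network access on its next authentication.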


4 replies


> Hi all,
>
> Another solution would be to have an expiration timer, which takes the last active time into account, so the MAC gets deleted if the device was not active for X days.
>
> Is this possible?
>
> Thanks!

You can do this part in XMC/Administration/options/Access Control/Data Persistence. Under Age End-Systems you can set the number of days after which a device that hasn't talked to NAC will be deleted. By default I believe it is set to 90 days.

 

Hi Brian,

Thanks for the quick reply. I completely forgot about that setting, thanks!


Stephan,

That was what I was afraid of.

If really needed, the API could indeed be an option.