cancel
Showing results for 
Search instead for 
Did you mean: 

Authenticated registration: remove MAC when user leaves company

Authenticated registration: remove MAC when user leaves company

Fijs
New Contributor III

Hi all,

 

We are planning to set up authenticated registration for BYOD devices. Users will log in on the portal using their LDAP credentials to register the MAC addresses of their BYOD device(s).

As far as I know, registering a device actually adds it’s MAC address to a pre-defined End-System Groups.

When this devices accesses the network, it will authenticate using it’s MAC address.

We can configure an expiration timer after which the user needs to re-register the device(s), but we want to know if there is a way to automatically disable network access for these registered devices (=delete MAC from the end-system group) when a user leaves the company - i.e when the AD acccount is locked/disabled/deleted.

 

Another solution would be to have an expiration timer, which takes the last active time into account, so the MAC gets deleted if the device was not active for X days.

 

Is this possible?

 

Thanks!

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

Hello,

there is no direct feedback from the AD into the NAC.

The expiration timer may not help here either. This is valid for all MAC addresses. I.e. if this is set to 10 days then not only the MACs that are in the group for BYOD are deleted but also e.g. the MACs of the colleagues who are currently on vacation.

But you can delete users and MACs via the NBI-API. Therefore you could create a API call in an arbitrary programming language that is triggered automatically or manually when a user is deleted in AD to delete the MAC in the XMC database.

 

 

Regards Stephan

View solution in original post

4 REPLIES 4

Fijs
New Contributor III

Stephan,

 

That was where I was afraid for.

If really needed, the API could indeed be an option.
 

StephanH
Valued Contributor III

Hello,

there is no direct feedback from the AD into the NAC.

The expiration timer may not help here either. This is valid for all MAC addresses. I.e. if this is set to 10 days then not only the MACs that are in the group for BYOD are deleted but also e.g. the MACs of the colleagues who are currently on vacation.

But you can delete users and MACs via the NBI-API. Therefore you could create a API call in an arbitrary programming language that is triggered automatically or manually when a user is deleted in AD to delete the MAC in the XMC database.

 

 

Regards Stephan

Fijs
New Contributor III

Hi Brian,

 

Thanks for the quick reply. I completely forgot about that setting, thanks!

Brian_Anderson1
Contributor II

You can do this part in XMC/Administration/options/Access Control/Data Persistence.  Under Age End-Systems you can set the number of days if a device hasn’t talked to nac it will be deleted.  By default I believe it is set to 90 days.

 

GTM-P2G8KFN