NAC with BYOD

Frank11
New Contributor
We are looking at a non-domain joined device BYOD policy. We have an Extreme NAC. I want to limit one device to one person, not having it open slather. I could do this by importing a MAC list into the NAC, but with MAC addresses being easily spoofed this may not work.
Any ideas how to achieve a BYOD policy of one non-domain device per person?

Joseph_Burnswor
New Contributor III
Even though it is a non-domain device, are you using LDAP for user creds for them to log on? Also, are you doing this via web portal?

If you are using a web portal and LDAP for auth, you can limit one device per person. If this is an open auth Guest Portal, there is no way to limit the user since they can use a different name every time.

Hi Frank,

So in NAC you can have a rule in the Rules Engine that contains LDAP User Group criteria (that keys off the username) as well as a list of MAC addresses (End System Group criteria), so if the user registers on a device that is in that MAC list, the re-auth that occurs after the portal login should result in matching that rule. If you then use the same username/password on a device that is not listed in that End System Group, a second rule below the first one can be matched and set up to do something different (more restrictive policy assignment).

If you are worried about the MAC spoofing then this may not be a valid solution for you, but also keep in mind that NAC would be limited in methods of determining if the host is a domain-joined machine if the underlying Authentication Type is MAC Auth rather than 802.1X.

Regards.
Scott Keene
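The ordered rule evaluation Scott describes (LDAP User Group plus End System Group MAC list first, a more restrictive rule for the same users on an unlisted device below it), as an added toy model that is not Extreme NAC code; the group names, MAC addresses and policy names are constructed sample values. The last call shows the caveat from the reply: with MAC Auth the engine only sees the presented address, so a host presenting a listed MAC is indistinguishable from the registered device.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample directory and NAC group contents (assumed, not real data).
LDAP_GROUPS = {"BYOD-Users": {"frank", "alice"}}
END_SYSTEM_GROUPS = {"Registered-BYOD-MACs": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}}


@dataclass
class Rule:
    name: str
    policy: str
    user_group: Optional[str] = None        # LDAP User Group criterion (keys off username)
    end_system_group: Optional[str] = None  # End System Group criterion (MAC list)

    def matches(self, username: str, mac: str) -> bool:
        """All configured criteria must hold; an unset criterion matches anything."""
        if self.user_group and username not in LDAP_GROUPS.get(self.user_group, set()):
            return False
        if self.end_system_group and mac.lower() not in END_SYSTEM_GROUPS.get(self.end_system_group, set()):
            return False
        return True


# Rule order matters: the engine stops at the first rule whose criteria all match.
RULES: List[Rule] = [
    Rule("BYOD registered device", "Enterprise-Access", "BYOD-Users", "Registered-BYOD-MACs"),
    Rule("BYOD unknown device", "Restricted-Access", "BYOD-Users"),   # same user, unlisted MAC
    Rule("Catch-all", "Deny"),
]


def evaluate(username: str, mac: str, rules: List[Rule] = RULES) -> Tuple[Optional[str], str]:
    """Return (matched rule name, assigned policy) for the post-portal re-auth."""
    for rule in rules:
        if rule.matches(username, mac):
            return rule.name, rule.policy
    return None, "Deny"


if __name__ == "__main__":
    print(evaluate("frank", "00:11:22:33:44:55"))   # registered device -> Enterprise-Access
    print(evaluate("frank", "de:ad:be:ef:00:01"))   # same user, unlisted MAC -> Restricted-Access
    print(evaluate("bob", "00:11:22:33:44:55"))     # not in the LDAP group -> Deny
    # MAC Auth caveat: a different host presenting a listed MAC with valid creds
    # matches the first rule; the MAC list alone cannot tell the two hosts apart.
    print(evaluate("frank", "00:11:22:33:44:55"))
```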

Had to think about this. Sorry for the silly questions. I am new to the NAC setup.
If I did use the web portal and LDAP, this means there is a way to match the user ID to a MAC address via a pre-list to validate auth to the wireless? If the MAC address is spoofed then they would be denied access to the wireless?