Michael,

I just had a similar question off-list.

Bradford does not solely rely on the user agent. They also use DHCP fingerprinting. Once the client is registered and the persistent agent is installed (Windows or Macintosh, the vast majority of our users) then they have other methods. Once a client is registered, the system would detect if the agent is not installed and force them into remediation.

Bruce Osborne
Liberty University

________________________________________
From: Michael Simpson [michael.simp...@uvu.edu]
Sent: Monday, June 28, 2010 8:46 AM
Subject: Re: Mobile devices and NAC

Bruce,

Out of curiosity, how do you prevent a client from gaining access via MAC spoofing?

With Cisco NAC we have the option of putting users in the Filter list with "Check" selected. This will bypass user authentication and will only perform client remediation. We looked into this option with a registration portal that would automatically create these filters for us but our security team put the kibosh on this as they were concerned unauthorized users could gain access by spoofing a MAC of a previously registered machine.

Michael Simpson
Network Engineer
Utah Valley University

On Jun 26, 2010, at 3:09 AM, Osborne, Bruce W. (NS) wrote:

> Dennis,
>
> We moved from Cisco NAC to Bradford a couple of years ago. We set
> up our system based on MAC address authentication. The client only
> needs to register once per semester. Our main user complaint with
> Cisco NAC was the need to log in to NAC every time they connected to
> the network. If desired, Bradford can be set up to require this too.
>
> For mobile devices specifically, the Bradford system generally
> allows them to register only, rather than requiring the agent
> download. The Device and OS recognition are either updated through
> the regular definition updates or through patch updates to the system.
>
> Sometimes we need to register new devices manually until we patch
> our systems. Until recently we needed to manually register iPads and
> Android phones, for example. Our current version supports both.
>
> Our registration records expire after 60 days of inactivity so we
> can reclaim NAC licenses for reuse.
>
> I understand that Perfigo originally designed what became Cisco NAC
> as an authentication system for wireless networks. The NAC features
> were added later. That may be why authentication is generally
> required on every connection.
>
> Cisco makes some great products. We are generally a Cisco shop for
> networking and telephony, but we found wireless & NAC solutions from
> other vendors better meet our needs.
>
> Bruce Osborne
> Network Engineer
> Liberty University
>
> -----Original Message-----
> From: Dennis Xu [mailto:d...@uoguelph.ca]
> Sent: Friday, June 25, 2010 10:09 AM
> Subject: Mobile devices and NAC
>
> Just want to check how other people deal with mobile device with
> NAC? We use Cisco NAC and configured "not require agent" for mobile
> devices, but the problem is they have to open the browser first
> (even they have already been authenticated using 802.1X) to become
> online users in NAC before they can use any other applications (email
> clients, calendar, etc). Cisco NAC detects the user O/S after user
> opens the browser. So no browser open, no other network connectives.
> This has caused many frustrations. How do you make the mobile
> devices work with NAC without these pains? If you use MAC filter to
> bypass NAC, how do you manage and maintain the filter list? Any
> suggestions are appreciated!
>
> Dennis Xu
> Network Analyst
> Computing and Communication Services
> University of Guelph
> 5198244120 x 56217
>
> **********
> Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
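The check discussed in the top reply (a registered MAC whose DHCP fingerprint or agent status no longer matches its registration), sketched as an added example that is not part of the original thread and is not Bradford's or Cisco's own logic. The record fields, decision names, MAC addresses and DHCP option lists are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Added illustration; not Bradford's or Cisco's logic. Field names, MACs and
# DHCP option lists are constructed for this example.
@dataclass(frozen=True)
class Registration:
    mac: str
    dhcp_fingerprint: tuple  # DHCP option 55 list recorded at registration
    agent_required: bool     # True where the persistent agent is expected

@dataclass(frozen=True)
class Observation:
    mac: str
    dhcp_fingerprint: tuple  # option 55 list in the current DHCP request
    agent_seen: bool         # did the agent check in on this connection?

def normalize_mac(mac):
    """Canonical lower-case, colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def evaluate(obs, registry):
    """Return (decision, reasons) for one connection attempt."""
    reg = registry.get(normalize_mac(obs.mac))
    if reg is None:
        return "register", ["MAC not registered"]
    reasons = []
    if obs.dhcp_fingerprint != reg.dhcp_fingerprint:
        reasons.append("DHCP fingerprint differs from registration")
    if reg.agent_required and not obs.agent_seen:
        reasons.append("persistent agent did not check in")
    return ("remediate", reasons) if reasons else ("allow", [])

# Constructed registry: one laptop with the agent, one register-only phone.
LAPTOP_FP = (1, 3, 6, 15, 31, 33, 43, 44, 46, 47)
PHONE_FP = (1, 3, 6, 15, 119, 252)
REGISTRY = {normalize_mac(r.mac): r for r in (
    Registration("00-11-22-33-44-55", LAPTOP_FP, True),
    Registration("66:77:88:99:AA:BB", PHONE_FP, False),
)}

if __name__ == "__main__":
    # The laptop's MAC reused by a device that sends the phone's option list.
    print(evaluate(Observation("00:11:22:33:44:55", PHONE_FP, False), REGISTRY))
```

A register-only device has no agent signal, so in this sketch its registered MAC is backed by the DHCP fingerprint alone.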