Dennis, I believe they use DHCP fingerprinting in addition to the user agent. Except for game consoles, the user does not enter the MAC address into the web page.
For game consoles, the server must have seen the MAC address on the network. The MAC address vendor MAC prefix also must have been identified as a gaming device. For users who actually have a system that uses a generic manufacturer prefix, they bring it in to our HelpDesk and we register it manually.

Bruce Osborne
Network Engineer
Liberty University

________________________________________
From: Dennis Xu [...@uoguelph.ca]
Sent: Monday, June 28, 2010 9:14 AM
Subject: Re: Mobile devices and NAC

Hi Bruce,

That is interesting. So Bradford has a built-in portal for users to register their MAC address? How does Bradford know the MAC address they entered is a mobile device, not a Windows computer?

Thanks!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Bruce W. Osborne (NS)" <bosbo...@liberty.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Saturday, June 26, 2010 5:09:25 AM GMT -05:00 US/Canada Eastern
Subject: Re: [WIRELESS-LAN] Mobile devices and NAC

Dennis,

We moved from Cisco NAC to Bradford a couple of years ago. We set up our system based on MAC address authentication. The client only needs to register once per semester. Our main user complaint with Cisco NAC was the need to log in to NAC every time they connected to the network. If desired, Bradford can be set up to require this too.

For mobile devices specifically, the Bradford system generally allows them to register only, rather than requiring the agent download. The Device and OS recognition are either updated through the regular definition updates or through patch updates to the system. Sometimes we need to register new devices manually until we patch our systems. Until recently we needed to manually register iPads and Android phones, for example. Our current version supports both.

Our registration records expire after 60 days of inactivity so we can reclaim NAC licenses for reuse.

I understand that Perfigo originally designed what became Cisco NAC as an authentication system for wireless networks. The NAC features were added later. That may be why authentication is generally required on every connection.

Cisco makes some great products. We are generally a Cisco shop for networking and telephony, but we found wireless & NAC solutions from other vendors better meet our needs.

Bruce Osborne
Network Engineer
Liberty University

-----Original Message-----
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Friday, June 25, 2010 10:09 AM
Subject: Mobile devices and NAC

Just want to check how other people deal with mobile devices with NAC?

We use Cisco NAC and configured "not require agent" for mobile devices, but the problem is they have to open the browser first (even if they have already been authenticated using 802.1X) to become online users in NAC before they can use any other applications (email clients, calendar, etc). Cisco NAC detects the user O/S after the user opens the browser. So no browser open, no other network connectivity. This has caused many frustrations.

How do you make the mobile devices work with NAC without these pains? If you use a MAC filter to bypass NAC, how do you manage and maintain the filter list?

Any suggestions are appreciated!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.