Dennis,

I believe they use DHCP fingerprinting in addition to the user agent. Except 
for game consoles, the user does not enter the MAC address into the web page.

For game consoles, the server must have seen the MAC address on the network. 
The MAC address vendor MAC prefix also must have been identified as a gaming 
device. For users who actually have a system that uses a generic manufacturer 
prefix, they bring it in to our HelpDesk and we register it manually.

Bruce Osborne
Network Engineer
Liberty University

________________________________________
From: Dennis Xu [...@uoguelph.ca]
Sent: Monday, June 28, 2010 9:14 AM
Subject: Re: Mobile devices and NAC

Hi Bruce,

That is interesting. So Bradford has a built-in portal for users to register 
their MAC address? How does Bradford know the MAC address they entered is a 
mobile device, not a Windows computer?

Thanks!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Bruce W. Osborne (NS)" <bosbo...@liberty.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Saturday, June 26, 2010 5:09:25 AM GMT -05:00 US/Canada Eastern
Subject: Re: [WIRELESS-LAN] Mobile devices and NAC

Dennis,

We moved from Cisco NAC to Bradford a couple of years ago. We set up our 
system based on MAC address authentication. The client only needs to register 
once per semester. Our main user complaint with Cisco NAC was the need to log in 
to NAC every time they connected to the network. If desired, Bradford can be 
set up to require this too.

For mobile devices specifically, the Bradford system generally allows them to 
register only, rather than requiring the agent download. The Device and OS 
recognition are either updated through the regular definition updates or 
through patch updates to the system.

Sometimes we need to register new devices manually until we patch our systems. 
Until recently we needed to manually register iPads and Android phones, for 
example. Our current version supports both.

Our registration records expire after 60 days of inactivity so we can reclaim 
NAC licenses for reuse.

I understand that Perfigo originally designed what became Cisco NAC as an 
authentication system for wireless networks. The NAC features were added later. 
That may be why authentication is generally required on every connection.

Cisco makes some great products. We are generally a Cisco shop for networking 
and telephony, but we found wireless & NAC solutions from other vendors better 
meet our needs.

Bruce Osborne
Network Engineer
Liberty University

-----Original Message-----
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Friday, June 25, 2010 10:09 AM
Subject: Mobile devices and NAC

Just want to check how other people deal with mobile devices with NAC? We use 
Cisco NAC and configured "not require agent" for mobile devices, but the 
problem is they have to open the browser first (even though they have already been 
authenticated using 802.1X) to become online users in NAC before they can use 
any other applications (email clients, calendar, etc). Cisco NAC detects the 
user O/S after the user opens the browser. So no browser open, no other network 
connectivity. This has caused many frustrations. How do you make the mobile 
devices work with NAC without these pains? If you use a MAC filter to bypass NAC, 
how do you manage and maintain the filter list? Any suggestions are appreciated!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
