Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass with Macs

  • 1.  ClearPass with Macs

    Posted Mar 20, 2014 10:56 AM

    I am in the process of implementing an 802.1X wired and wireless network for a college and I am stumbling into an issue.  Does anyone know how to differentiate between an end-user Mac and a university-owned Mac?  They are joined to the domain.

    Right now I have it configured where the Mac logs in via the machine and that works; however, in the background I am putting them in Student and Staff VLANs, but there is no way to prevent a student from logging into that staff laptop that I can think of.  Any ideas?

    I have also thought of doing a static host list for the staff, but the customer doesn't want to do that.

    I was thinking maybe OnGuard and putting it only on the staff PCs, but of course they don't feel like they should have to purchase more licenses for this feature.

    Ideas?  The Windows boxes are working fine because they do machine auth first and then a second auth for the user.



  • 2.  RE: ClearPass with Macs

    EMPLOYEE
    Posted Mar 20, 2014 02:00 PM

    John,

    EDIT:  You have two problems:  (1) How do you keep students from logging into a staff machine, which should be a Mac issue/solution, and (2) how to differentiate staff machines from student machines.  Below I give ideas for #2.

    The less resource-intensive option would be to distribute EAP-TLS certificates through ClearPass Onboard, which is automated and automatically ties the Mac's EAP-TLS certificate to the user who Onboarded the device.  If your Windows deployment has a Certificate Authority, you can distribute EAP-TLS certificates to your "Domain" Windows machines.  Of course, you will need to set up a process to produce, deliver, install and revoke EAP-TLS certificates in a Windows domain, and somehow tie it to a specific user.  The less resource-intensive option would be to distribute EAP-TLS certificates through Onboard, which is automated.  That might actually be worth something.
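The two posts above describe the decision the policy has to make: first, is the device university-owned (its EAP-TLS certificate came from the university CA, and Onboard or the domain CA bound that certificate to a specific user), and second, which VLAN does the authenticating user get. The following is an added illustration of that decision as a small policy evaluator, not ClearPass code and not anything posted in the thread. The attribute names, the CA name "CN=University Domain CA", the group names and the VLAN names are all constructed assumptions; a real deployment expresses the same rules in ClearPass's own enforcement policy.

```python
"""Policy evaluator for the staff/student VLAN problem (added example).

Constructed assumptions: each authentication is summarised as an AuthContext,
the university CA issues every machine/Onboard certificate, and AD group
membership is already resolved into a tuple of group names.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNIVERSITY_CA = "CN=University Domain CA"   # assumed issuer of every trusted client cert
STAFF_GROUP = "staff"                       # assumed AD group names
STUDENT_GROUP = "students"

STAFF_VLAN = "Staff-VLAN"
STUDENT_VLAN = "Student-VLAN"
RESTRICTED_VLAN = "Restricted-VLAN"
REJECT = "REJECT"


@dataclass(frozen=True)
class AuthContext:
    user_name: str                 # identity from the user (second) authentication
    user_groups: Tuple[str, ...]   # resolved AD group membership
    cert_issuer: Optional[str]     # issuer DN of the EAP-TLS client cert, None if no cert
    cert_owner: Optional[str]      # user the cert was bound to at Onboard/enrollment time


def device_is_university_owned(ctx: AuthContext) -> bool:
    """A device counts as university-owned only if its cert came from the university CA."""
    return ctx.cert_issuer == UNIVERSITY_CA


def decide_vlan(ctx: AuthContext) -> str:
    """Return the VLAN for this authentication, or REJECT.

    Rules (constructed for the example):
      1. No certificate, or a certificate from any other issuer: reject.
      2. Staff VLAN requires a staff user AND a university-owned device whose
         certificate was bound to that same user, so a student logging into a
         staff laptop never inherits the staff VLAN.
      3. Students land in the student VLAN on any university-issued cert.
      4. Anything else (e.g. staff on a colleague's machine) is restricted.
    """
    if not device_is_university_owned(ctx):
        return REJECT
    if STAFF_GROUP in ctx.user_groups and ctx.cert_owner == ctx.user_name:
        return STAFF_VLAN
    if STUDENT_GROUP in ctx.user_groups:
        return STUDENT_VLAN
    return RESTRICTED_VLAN


def evaluate_batch(contexts: List[AuthContext]) -> List[Tuple[str, str]]:
    """Evaluate several authentications and return (user, decision) pairs."""
    return [(ctx.user_name, decide_vlan(ctx)) for ctx in contexts]


# Constructed sample authentications covering the cases raised in the thread.
SAMPLE = [
    AuthContext("alice", (STAFF_GROUP,), UNIVERSITY_CA, "alice"),        # staff, own Mac
    AuthContext("bob", (STUDENT_GROUP,), UNIVERSITY_CA, "alice"),        # student on staff laptop
    AuthContext("bob", (STUDENT_GROUP,), UNIVERSITY_CA, "bob"),          # student, Onboarded Mac
    AuthContext("carol", (STAFF_GROUP,), UNIVERSITY_CA, "alice"),        # staff on colleague's Mac
    AuthContext("dave", (STAFF_GROUP,), "CN=Some Other CA", "dave"),     # cert from untrusted CA
    AuthContext("erin", (STUDENT_GROUP,), None, None),                   # no certificate at all
]

if __name__ == "__main__":
    for user, decision in evaluate_batch(SAMPLE):
        print(f"{user:6s} -> {decision}")
```

The important line is the staff rule: both conditions (staff group membership and a certificate bound to that same user) must hold, which is exactly what the Windows machine-then-user sequence gives for free and what the Onboard binding supplies for Macs.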