Chci být partnerem EN

Thank you for your interest...

macmon for schools

building security in a specific environment

Each sector has its own specific characteristics and requirements. Education is one of the sectors that needs Network Access Control. Given the large number of students and the diversity of (un)managed devices, we must also consider the protection of information flows and the students themselves.

Internet access for devices such as smartphones, tablets or gaming devices is taken for granted nowadays, but it is necessary to separate such devices from those that require direct access to internal resources. Students who change, modify, and use their devices all the time and everywhere are often less careful when it comes to setting passwords, and not just for their own devices.

mám zájem o tuto službu

Děkujeme za váš zájem...


Network Access Control (NAC)

Network Access Control (NAC) is a computer networking solution that provides access to the network (LAN) to authenticated and trusted devices and users according to prepared rules and denies access to all others. It does this by using the standard 802.1x authentication protocol, or by other means used by NAC vendors and combinations thereof. Another important feature of high-quality NAC solutions is the integration with other security systems in the network, with the help of which the NAC system automatically isolates already connected trusted devices in case of malicious code or insufficient self-protection (disabled or outdated antivirus system, outdated updates...). NAC, as the name implies, is a process that controls access to the network based on security policy rules and controls.

From a school perspective, it is a fairly dynamic network environment with diverse needs:

  • school management and economy applications
  • teaching support, plans, sensitive information about pupils ...
  • teaching pupils with computer support
  • hobby clubs, etc.

This list is not exhaustive, but it nevertheless shows the difficulty of incorporating all the requirements into one network operated by the school, also because the school’s mission is student education, not network administration.

Macmon Technology Series

Short videos explaining the operation of the individual modules of the macmon solution.

1. Typology – macmon modules

2. Advanced Security – macmon modules

3. NAC – macmon modules

4. VLAN manager – macmon modules

5. Guest Service – macmon modules

6. 802.1X – macmon modules

7. Compliance – macmon modules

1. Typologie – macmon modules

2. Advanced Security – macmon modules

3. NAC – macmon modules

4. VLAN manager – macmon modules

5. Guest Service – macmon modules

6. 802.1X – macmon modules

7. Compliance – macmon modules

You can teach, we can secure networks.

NAC – Network Access Control is a solution to protect access to your data and devices from those who want to misuse them for any reason. And exploiting someone else’s mistakes isn’t as hard as you might think...


Active network security

Most people perceive an attack from the Internet as the biggest security risk of today’s networks and strengthen their protection against such an attack. That’s why more than 90% of successful cyber-attacks are carried out from within the organisation – from the local network. Local area networks are often large and dynamic systems, and it is difficult to retrospectively map where the active ports are, whether users have added hubs to increase the number of sockets or to connect their unauthorized devices. At the same time, more and more users are using wireless network access, both from work and personal devices, as well as from various IoT devices. It is difficult to trace who connected, from where, to what application and what data was transferred. When changes are made to the network, addresses are left free and unused parts of the configuration are a welcome “gift” for a cyber attacker, against whom we are then defenceless and cannot even identify them.

Consistent control

= risk elimination

Consistent network access control eliminates most security risks, while allowing for resource inventory and optimizing network operation costs. Access control according to the 802.1x standard authenticates users and dynamically assigns them to the appropriate network segments (VLANs) based on local and global authorization rules.


= suspect identification

By monitoring the network status, we identify a suspicious user, whom we remotely deactivate or reassign to a quarantine VLAN. If a major attack occurs, we can put the network into a state of emergency by disconnecting all users, but critical applications will still run. In the same way, we handle access of corporate Wi-Fi devices or private devices used by the user for business purposes (BYOD).


NAC for schools

Our NAC solution for schools is based on the above needs and offers a high degree of automation along with ease of use. It contains the following components (in the school dictionary):

  • Pupils’ attendance in the class book - recording the exact time and place of connection and disconnection of each device in the network and archiving these events
  • Strict janitor (standing at the entrance of the school and checking that only students who have classes at that time and current professors enter) - controlling access to the network based on written rules
  • Hallway (for visitors before being picked up by the person in charge) – a web portal for visitors who the school wants to allow, for example, to connect to the internet, but at the same time securely isolate them from the school’s actual network. For after-school hobby clubs, parents, etc. The solution offers both the option that the visitor registers himself or herself, and the option of access being allowed to him/her by an authorized person
  • Self-study – the possibility for students (all students or a selected group) to authorize their own devices (tablets, smartphones), which the school will allow them to use for educational purposes or hobby clubs according to predefined rules (time, space...). Here, unlike in the “hallway”, the identity of the user is well known and verified, which allows to extend the parts of the network which the student may connect to (e.g., computer lab...)
  • School layout (division of the building into floors, individual classrooms, cabinets, staff room...) – the solution will allow to divide the school network in a similar way so that it is possible to give “keys” to individual rooms only to authorized users without requiring a skilled administrator. In networking terms, this is called “network segmentation”, which is an important means of achieving overall cybersecurity
  • Class teacher (who, based on information from colleagues, ensures the isolation of the student with a temperature, and calls his/her parents) – the Compliance module communicates with the surrounding network systems and at their prompt isolates the devices in the network, e.g., when an infection is detected by the antivirus system, and informs the responsible person. After this threat is resolved, the device connects to the network

macmon solution

The NAC solution by the German company macmon, which we offer for this project, has all the above-mentioned features. It uses the existing network infrastructure, with which it communicates mainly via SNMP, but also via SSH, HTTPS, RADIUS and API protocols.

It is a fully software-based solution offered as VA for vmware or HyperV hypervisors and provides the following features:

  • Clear user-friendly graphical environment based on web technology
  • Communication and control of network switches – allows to map network elements, their interconnection, configured VLANs, connected devices including their MAC addresses in a short time
  • Mapping and displaying MAC – IP and DNS name by reading ARP tables from active L3 elements (routers, FW ..) and from DNS and DHCP servers
  • Verification of user and device identities by communicating with AD or LDAP directory services
  • Verification of details of connected devices via WMI, SNMP or by scanning them.
  • Custom access control (authentication and authorization) based on configured rules, either by commanding switches via SNMP protocol or by providing RADIUS server services in the case of standard 802.1x
  • Logging of all events
  • Isolation of connected devices based on information from integrated AV systems, network behavioural analysis systems, DLP and SIEM systems or vulnerability detection systems
  • Self-service portal that allows users to identify their own device and connect it to the network according to predefined rules
  • Web portal for guests (captive portal), which allows controlled connection of guests to the guest parts of the network, including logging of these events

The offered solution for schools is based on the technology described above and has the following specifics:

  • Ensured pre- and post-implementation support
  • Licensing taking account of summer holidays
  • Option for one-off payment or payment in monthly instalments without price increase
  • Advantageous licensing for student devices (BYOD)
  • The solution for schools is directly supported by the manufacturer
  • Safe Schools (Bezpečí do škol) website

macmon BYOD – specifically for the needs of schools, universities, and research institutions

The macmon’s Guest Portal is more than suitable to meet all these needs. With a single username and password, or better yet, using an existing Active Directory user, students can register and manage their devices using macmon’s Captive Portal. In this way, many definable devices can be enabled, where each device registration in the network is clear to the user. This allows institutions to keep track of managed devices and connections to users without any administrative effort. 

Based on location, access can be defined in many ways, for example by user or group – Internet-only access, internal network-only access, both, etc. – while the access rights themselves are available as long as the user account is valid. Graphically adapted to the respective institution, regardless of the LAN and WLAN structure and hardware used, highly flexible thanks to a fully developed role concept and easy to use thanks to an automatic and dynamic set of rules, macmon NAC with the Guest Service and BYOD portal is suitable for every institution.

Due to the complexity of devices and the fluctuation of users, macmon offers a licensing model adapted to the needs of education. While the numbers of devices are fixed in administrative areas, a flexible user-based licensing model is available for students. Each user can operate multiple devices simply by using a simple registration portal. To support the fundamental importance of research and teaching, we have also considered the use of student access so that the price of our EDU licenses reflects their use.

Benefits of macmon NAC

  • Complete overview of the entire network, all its devices and connections
  • No administrative burden thanks to the self-service portal
  • Assigning defined rules, such as Internet, internal network, both, etc.
  • Access validity related to the validity of the student’s user account
  • Special EDU licensing model
  • Multiple devices per user