As we return to the office from the pandemic, our offices have shifted to the "hoteling" strategy where people that come in will select their seat based on first come first serve. These stations all have Thunderbolt docking stations (HP) which have their own NIC independent of the laptop. How will Genians operate in this environment? I'm assuming we'll have to use 802.1x again rather than the much simpler MAC based layer 2 enforcement. With these docks a bad actor could use the dock and gain access if we're only using mac address as the policy decision. Are there additional controls we can use with DPI to provide further enforcement without using 802.1x and continue to use layer 2 enforcement? Does the "fingerprint" include more than just the MAC address of the machine when making enforcement decisions (without using 802.1x)?
Currently, we have not completed testing using this kind of equipment. Knowing the exact model name, or any specific details from your testing would be helpful in better answering your questions.
If the docking station prevents broadcasts from being passed back and forth, then our ARP enforcement option would not be compatible. Other options such as Radius/802.1x, agent-based, mirror-based, or integrating with some of your existing security solutions may be a better solution, and still allow you to gather info/restrict access, even without layer 2 access to the devices. You can read more in our Controlling Network Access documentation.
If you'd like to get an idea of how Genian NAC will work in your environment you can get a free trial, or use basic edition free for up to 300 devices.
During your trial, feel free to join our Slack Community and we can work with you in real-time to get a working configuration that meets your needs.