0. Problem
Explain the differences between BYOD and CYOD, and describe the key features of NAC (Network Access Control) in a wireless LAN environment.
1. Introduction
① Concepts / Definitions
-
BYOD (Bring Your Own Device)
Policy allowing employees to use their personally owned smartphones, tablets, or laptops for work purposes.
Device choice, purchase, and ownership remain with the user. -
CYOD (Choose Your Own Device)
Policy where the organization provides a pre-approved list of devices for employees to choose from.
Device ownership is usually with the organization, or if owned by the user, it still complies with corporate security standards.
② Historical Background
- BYOD emerged in the early 2010s due to the proliferation of personal mobile devices and remote work trends.
- CYOD evolved to address BYOD’s security and management challenges.
③ Purpose
- BYOD: Reduce costs, improve flexibility, and accommodate user preferences.
- CYOD: Enhance security, simplify device management, ensure regulatory compliance.
2. Main Body
① BYOD vs CYOD Comparison
| Aspect | BYOD | CYOD |
|---|---|---|
| Ownership | User | Organization or user (under corporate standards) |
| Device Choice | Unrestricted | Limited to pre-approved list |
| Security Control | More difficult (diverse devices/OS) | Easier (standardized devices) |
| Cost Burden | User | Organization (or shared) |
| Advantages | Flexibility, lower initial cost for company | Stronger security, easier management |
| Disadvantages | Higher security risk, complex support | Limited choice, higher initial cost |
② NAC (Network Access Control) in Wireless LAN – Concept
NAC is a security framework that authenticates, authorizes, and enforces policy compliance for devices attempting to connect to a network.
In wireless LAN environments, it often integrates with 802.1X authentication and WPA2/WPA3-Enterprise to provide identity verification, security posture checks, and dynamic access control.
③ Key Features of Wireless LAN NAC
-
User & Device Authentication
- Based on 802.1X/EAP protocols.
- Integrates with AD (Active Directory), LDAP, or RADIUS servers.
- Applies differentiated policies for BYOD and CYOD devices.
-
Security Posture Assessment
- Checks for updated antivirus, OS security patches, MDM (Mobile Device Management) enrollment.
- Non-compliant devices are moved to a quarantine VLAN.
-
Dynamic Policy Enforcement
- Assigns VLANs or ACLs based on user role, location, and device type.
- Example: Separate network segments for employees, contractors, and guests.
-
Integration with Wireless Access Points
- NAC server communicates with APs to allow or block devices.
- Unauthorized or unauthenticated devices are disconnected automatically.
-
Visibility & Audit
- Maintains connection logs, MAC/IP history.
- Detects abnormal traffic and generates alerts.
④ Practical Examples
- BYOD scenario: NAC allows access only after verifying device security posture and MDM registration.
- CYOD scenario: Pre-configured corporate certificates and security agents enable seamless NAC approval.
- Guest Wi-Fi: Web portal authentication, then internet-only VLAN assignment.
3. Conclusion
Child-Friendly Summary
BYOD means “I use my own phone or laptop for work.” CYOD means “I choose from a list of devices the company approves.” Wireless NAC is like a gatekeeper that checks who you are and whether your device is safe before letting you on the Wi-Fi.
One-Glance Summary Table
| Item | BYOD | CYOD |
|---|---|---|
| Ownership | User | Organization |
| Choice Freedom | High | Limited |
| Security Management | Difficult | Easier |
| Cost to Company | Lower | Higher |
| NAC Feature | Description |
|---|---|
| Authentication | 802.1X/EAP-based user and device identity check |
| Security Check | Patch, antivirus, MDM verification |
| Policy Enforcement | Role/location/device-based VLAN/ACL assignment |
| AP Integration | Automatic block for unauthorized devices |
| Visibility | Logs, history, anomaly detection |
