ExtremeCloud IQ- Site Engine & Extreme Management Center


Block Access Points with NAC

  • 1.  Block Access Points with NAC

    Posted 08-31-2017 15:57
    I'm trying to create a NAC rule to block students from putting access points on our network and extending our network insecurely. I think I could key off of Device Type but don't see any matching type. Is there a way to add types to the system?


  • 2.  RE: Block Access Points with NAC

    Posted 08-31-2017 16:09
    Hello, are you using Extreme for your wireless? If so, this is something you can do easily with Radar (rogue AP detection).


  • 3.  RE: Block Access Points with NAC

    Posted 08-31-2017 18:23
    We are, but we're not only concerned with wireless access. We would like to use NAC to block wired switches/routers as well.


  • 4.  RE: Block Access Points with NAC

    Posted 09-01-2017 04:15
    Hello,
    we are using NAC with MAC authentication.
    Known MAC addresses are in an End System group and our rules "move" the devices into a VLAN and the device gets access.
    The rules look like "if the MAC address of the device is in an End System Group and the authentication type is MAC then use the accept policy ...".
    If no rules match, the last rule is the catch-all rule that will collect all unknown devices.
    And our catch-all rule will put all devices in our guest VLAN. But in your case I would change it so that all unknown MAC addresses are denied.
    So you don't need to deny special addresses and catch-all unknown devices.
    I hope this will help you,
    Axel


  • 5.  RE: Block Access Points with NAC

    Posted 09-01-2017 07:18
    The system IDs the device via DHCP fingerprinting.

    In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

    https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

    In your case I don't think that would work as there are too many AP vendors out to ID them all correctly.


  • 6.  RE: Block Access Points with NAC

    Posted 09-01-2017 07:18
    That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article.


  • 7.  RE: Block Access Points with NAC

    Posted 09-01-2017 12:09