Block Access Points with NAC

  • Question
  • Updated 1 year ago
  • Answered
I'm trying to create a NAC rule to block students from putting access points on our network and extending our network insecurely. I think I could key off of Device Type but don't see any matching type. Is there a way to add types to the system?

Matthew Perry


Posted 1 year ago


Steve Ballantyne

Hello, are you using Extreme for your wireless? If so, this is something you can do easily with Radar (rogue AP detection).

Joshua Puusep

We are, but we're not only concerned with wireless access.  We would like to use NAC to block wired switches/routers as well.

ar

Hello,
we are using NAC with MAC authentication.
Known MAC addresses are in an End Systems group and our rules "move" the devices into a VLAN and the device gets access.
The rules look like "if the MAC address of the device is in an End System Group and the authentication type is MAC then use the accept policy ...".
If no rules match, the last rule is the catch-all rule that will collect all unknown devices.
And our catch-all rule will put all devices in our guest VLAN. But in your case I would change it so that all unknown MAC addresses are denied.
So you don't need to deny special addresses and catch all unknown devices.
I hope this will help you,
Axel
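
The first-match rule order described in the post above, with the catch-all switched from a guest VLAN to deny, as an added example that is not part of the original thread and is not Extreme NAC configuration syntax. The group contents, the `accept:staff-vlan` and `accept:guest-vlan` action names and all function names are assumptions made for illustration; MAC normalization is included so that a known device written in another notation does not fall through to the deny rule.

```python
import re

# Constructed sample data: an end-system group of known MAC addresses.
KNOWN_END_SYSTEMS = {"00:11:22:33:44:55", "00-11-22-AA-BB-CC"}

def normalize_mac(mac):
    """Reduce colon, dash or dotted MAC notation to lowercase colon form."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def make_rules(catch_all_action):
    """Ordered rules; the last one has no condition and matches everything."""
    group = {normalize_mac(m) for m in KNOWN_END_SYSTEMS}
    return [
        # "MAC is in an end-system group and the authentication type is MAC"
        ("known-end-systems",
         lambda s: s["auth_type"] == "MAC" and s["mac"] in group,
         "accept:staff-vlan"),   # hypothetical accept policy name
        # Collects every device no earlier rule matched.
        ("catch-all", lambda s: True, catch_all_action),
    ]

def evaluate(rules, mac, auth_type="MAC"):
    """Return (rule name, action) of the first rule that matches."""
    session = {"mac": normalize_mac(mac), "auth_type": auth_type}
    for name, matches, action in rules:
        if matches(session):
            return name, action
    raise RuntimeError("rule list must end with a catch-all")

if __name__ == "__main__":
    guest = make_rules("accept:guest-vlan")  # catch-all as first described
    deny = make_rules("deny")                # catch-all as suggested for this case
    for mac in ("0011.22aa.bbcc", "de:ad:be:ef:00:01"):
        print(mac, evaluate(guest, mac), evaluate(deny, mac))
```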

Ronald Dvorak, Embassador

The system IDs the device via DHCP fingerprinting.

In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

In your case I don't think that would work as there are too many AP vendors out to ID them all correctly.

Joshua Puusep

That's pretty much what I thought.  We were hoping to get at least some of the vendors in the system preemptively before school starts.  Thanks for the article.