
Block Access Points with NAC


Matthew_Perry
New Contributor III
I'm trying to create a NAC rule to block students from putting access points on our network and extending our network insecurely. I think I could key off of Device Type but don't see any matching type. Is there a way to add types to the system?
6 REPLIES


Ronald_Dvorak
Honored Contributor
The system IDs the device via DHCP fingerprinting.

In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

In your case I don't think that would work as there are too many AP vendors out there to ID them all correctly.

That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article.

ar1
Contributor
Hello,
We are using NAC with MAC authentication.
Known MAC addresses are in End System groups, and our rules "move" the devices into a VLAN and the device gets access.
The rules look like "if the MAC address of the device is in an End System Group and the authentication type is MAC then use the accept policy ...".
If no rules match, the last rule is the catch-all rule that will collect all unknown devices.
And our catch-all rule will put all devices in our guest VLAN. But in your case I would change it so that all unknown MAC addresses are denied.
So you don't need to deny special addresses and catch all unknown devices.
I hope this will help you,
Axel
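
The rule order ar1 describes, modeled as an added example that is not part of the original thread and is not Extreme NAC configuration or API: rules are checked top to bottom, the first match wins, and the catch-all decides what an unknown MAC address gets. The group names, policy names and MAC addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-..', 'aabb.ccdd..' and 'aa:bb:..' compare equal."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Rule:
    name: str
    group: Optional[frozenset]  # None matches any end system (catch-all)
    auth_type: Optional[str]    # None matches any authentication type
    policy: str

def evaluate(rules, mac, auth_type):
    """Return (rule name, policy) of the first rule that matches."""
    mac = normalize_mac(mac)
    for rule in rules:
        if rule.group is not None and mac not in rule.group:
            continue
        if rule.auth_type is not None and rule.auth_type != auth_type:
            continue
        return rule.name, rule.policy
    return "no-match", "deny"  # assumption: fail closed without a catch-all

# Constructed end-system groups (hypothetical names and addresses).
STAFF = frozenset(map(normalize_mac, ["02-00-00-AA-BB-01", "0200.00aa.bb02"]))
LAB = frozenset(map(normalize_mac, ["02:00:00:cc:dd:01"]))

KNOWN = [
    Rule("staff-devices", STAFF, "MAC", "accept-staff-vlan"),
    Rule("lab-devices", LAB, "MAC", "accept-lab-vlan"),
]
GUEST_RULES = KNOWN + [Rule("catch-all", None, None, "guest-vlan")]  # as ar1 runs it
DENY_RULES = KNOWN + [Rule("catch-all", None, None, "deny")]         # as suggested

if __name__ == "__main__":
    unknown = "02:00:00:ee:ff:99"  # constructed: a device in no group
    for label, rules in (("guest catch-all", GUEST_RULES), ("deny catch-all", DENY_RULES)):
        print(label, evaluate(rules, "0200.00AA.BB01", "MAC"), evaluate(rules, unknown, "MAC"))
```

With the deny catch-all, only devices already listed in a group are placed in a VLAN, so no device-type fingerprint for access points is needed.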