
Block Access Points with NAC


I'm trying to create a NAC rule to block students from putting access points on our network and extending our network insecurely. I think I could key off of Device Type but don't see any matching type. Is there a way to add types to the system?

6 replies

Userlevel 5
Hello, are you using Extreme for your wireless? If so, this is something you can do easily with Radar (rogue AP detection).
Userlevel 4
We are, but we're not only concerned with wireless access. We would like to use NAC to block wired switches/routers as well.
Userlevel 1
Hello,
We are using NAC with MAC authentication.
Known MAC addresses are in End System groups, and our rules "move" the devices into a VLAN so the device gets access.
The rules look like "if the MAC address of the device is in an End System Group and the authentication type is MAC then use the accept policy ...".
If no rules match, the last rule is the catch-all rule that will collect all unknown devices.
Our catch-all rule puts all devices in our guest VLAN. But in your case I would change it so that all unknown MAC addresses are denied.
That way you don't need to deny specific addresses as well as catch all unknown devices.
I hope this will help you,
Axel
Userlevel 7
The system IDs the device via DHCP fingerprinting.

In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

In your case I don't think that would work as there are too many AP vendors out to ID them all correctly.
Userlevel 4
Ron wrote:

The system IDs the device via DHCP fingerprinting.

In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

In your case I don't think that would work as there are too many AP vendors out to ID them all correctly.

That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article.
Userlevel 7
I've written an article on how to create DHCP fingerprints....

https://community.extremenetworks.com/extreme/topics/create-a-extremecontrol-nac-dhcp-fingerprint
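
Added example, not part of the thread and not Extreme's implementation: a minimal sketch of what a DHCP fingerprint is, built from the standard DHCP option fields (option 55, the parameter request list, and option 60, the vendor class identifier). The sample packets and the fingerprint table are constructed for illustration; a device whose fingerprint is not in the table falls through to "Unknown", which is the case the replies above discuss.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the code/length/value options after the magic cookie."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == 0:            # pad option: single byte, no length field
            i += 1
            continue
        if code == 255:          # end option: stop parsing
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        out[code] = out.get(code, b"") + value  # repeated options are concatenated
        i += 2 + length
    return out

def fingerprint(options: bytes) -> tuple:
    """Return (ordered parameter request list, vendor class) for a client."""
    opts = parse_dhcp_options(options)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return prl, vendor

# Constructed fingerprint table: these values are illustrative, not real vendor data.
KNOWN = {("1,3,6,15,28,33", "EXAMPLE-AP"): "Access Point (constructed entry)"}

def classify(options: bytes, table=KNOWN, default="Unknown") -> str:
    """Exact-match lookup; anything unlisted gets the default device type."""
    return table.get(fingerprint(options), default)

# Constructed sample option fields (not captured traffic).
SAMPLE_AP = (MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([60, 10]) + b"EXAMPLE-AP"
             + b"\x00" + bytes([55, 6, 1, 3, 6, 15, 28, 33]) + b"\xff")
SAMPLE_UNLISTED = MAGIC_COOKIE + bytes([55, 3, 1, 3, 6]) + b"\xff"

if __name__ == "__main__":
    for name, pkt in (("ap", SAMPLE_AP), ("unlisted", SAMPLE_UNLISTED)):
        print(name, fingerprint(pkt), "->", classify(pkt))
```

Because the match is exact, a rule keyed on the resulting device type only covers devices already in the table, so the catch-all rule still decides what happens to everything else.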
