Is it possible to limit or kill the output from AP's after hours?


After a potential hacking attempt I've been asked to look into reducing or disabling the coverage area of AP's after business hours.

The AP's are all on power bricks, so that rules out doing anything with the switch I guess. This is not a function I remember or can find on the Controller, but wondered if anybody had any bright ideas?

Obviously they would need to extend their coverage in the morning.

Thanks in advance.

10 replies

Userlevel 7
Take a look at https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-disable-enable-wireless-services-du...
A touch more direct, but slightly less user friendly as you have to look up the OID yourself:
    /usr/bin/snmpset -v2c -c secret ewc.example.com .1.3.6.1.4.1.4329.15.3.3.4.4.1.7.101 i 1
Change the 1 at the end to 2 to disable instead of enable. And the 101 is the VNS id.
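An added example, not part of the thread or the linked article: a cron-driven wrapper around the snmpset call from the reply above, with a read-back check so a silently ignored set is noticed. The Mon-Fri 07:00-19:00 window, the script path and the use of snmpget are assumptions; host, community string, OID and VNS id are the placeholders from the post.

```shell
#!/bin/sh
# Added example: enable/disable a VNS on a schedule via the OID quoted in the thread.
# Assumed crontab entry (hypothetical path); running every 15 minutes lets a
# missed run or a manual change self-correct:
#   */15 * * * * /usr/local/sbin/vns-schedule.sh --apply
# Note: SNMPv2c sends the community string in clear text, so keep this traffic on
# the management network, or use SNMPv3 authPriv if the controller supports it.

EWC_HOST="ewc.example.com"                   # placeholder from the post
COMMUNITY="secret"                           # placeholder from the post
VNS_ID="101"                                 # VNS id from the post
OID_BASE=".1.3.6.1.4.1.4329.15.3.3.4.4.1.7"  # OID from the post, without the VNS id
OPEN_HOUR=7                                  # assumed business hours: 07:00-18:59
CLOSE_HOUR=19

# vns_state DOW HOUR -> 1 (enable) or 2 (disable)
# DOW is `date +%u` (1=Mon..7=Sun), HOUR is `date +%H` (00..23).
vns_state() {
    dow=$1
    hour=${2#0}          # drop a leading zero ("08" -> "8")
    hour=${hour:-0}      # a bare "0" became empty above
    if [ "$dow" -le 5 ] && [ "$hour" -ge "$OPEN_HOUR" ] && [ "$hour" -lt "$CLOSE_HOUR" ]; then
        echo 1
    else
        echo 2
    fi
}

# vns_command STATE -> the snmpset command line that would be run (for dry runs and logs)
vns_command() {
    printf '/usr/bin/snmpset -v2c -c %s %s %s.%s i %s\n' \
        "$COMMUNITY" "$EWC_HOST" "$OID_BASE" "$VNS_ID" "$1"
}

# Set the state that matches the current time, then read it back and compare.
apply_schedule() {
    want=$(vns_state "$(date +%u)" "$(date +%H)")
    oid="$OID_BASE.$VNS_ID"
    /usr/bin/snmpset -v2c -c "$COMMUNITY" "$EWC_HOST" "$oid" i "$want" >/dev/null || return 1
    got=$(/usr/bin/snmpget -v2c -c "$COMMUNITY" -Oqve "$EWC_HOST" "$oid") || return 1
    [ "$got" = "$want" ] || { echo "VNS $VNS_ID is $got, wanted $want" >&2; return 1; }
}

if [ "${1:-}" = "--apply" ]; then
    apply_schedule
fi
```

A non-zero exit from cron (set refused, controller unreachable, or read-back mismatch) is the signal to alert on, since it means the SSID may still be up after hours.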
Userlevel 7
Thanks James!
Userlevel 7
If you use RADIUS authentication you'd also add a restriction so access during the night is not allowed.
i.e. for Windows NPS add a date/time restriction in the network policy....



-Ron
Userlevel 1
I would do this with policy and NAC. This would assume you have both available. The policy would be a deny all or could be deny some, allow other. The NAC would have a time group and location group defined. The time group would be the off hours/days you wish to restrict or deny access. The location group would define the access points/SSIDs or combination that you want to restrict or deny. A rule would be created in the NAC that would call the deny policy when the location and time group conditions are met. This not only accomplishes your immediate goal, but allows flexibility should your goals change, such as how much restriction to impose or different restrictions for different APs or SSIDs.

I have been looking for a guide on how to deploy exactly what you are talking about Charlie. Can you or perhaps anyone in the community point me to one or link to one?
Appreciated,
Userlevel 7
Hi Dewald, It looks like you found your answer in the "How to disable/enable wireless services during specific times" article, which was shared in this thread. Just want to make sure.

Hi Drew,

That link will work for the interim and I will certainly use it. However for the long term the client does want guest (walk in) registration. I did see that it is totally possible with NAC - but I am finding it hard to successfully create it myself.
Userlevel 7
Can I ask you to create a new topic so the community can help you out with that?

Will do. Thanks.
