https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41228#M5180 I'm trying to create a nac rule to block students from putting access points on our network and extending our network unsecurely. I think I could key of of Device Type but don't see any matching type. Is there a way to add types to the system? Thu, 31 Aug 2017 22:57:00 GMT Matthew_Perry 2017-08-31T22:57:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41228#M5180 I'm trying to create a nac rule to block students from putting access points on our network and extending our network unsecurely. I think I could key of of Device Type but don't see any matching type. Is there a way to add types to the system? Thu, 31 Aug 2017 22:57:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41228#M5180 Matthew_Perry 2017-08-31T22:57:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41229#M5181 Hello, are you using Extreme for your wireless? If so, this is something you can do easily with Radar (rogue AP detection). Thu, 31 Aug 2017 23:09:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41229#M5181 Steve_Ballantyn 2017-08-31T23:09:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41230#M5182 We are, but we're not only concerned with wireless access. We would like to use NAC to block wired switches/routers as well. Fri, 01 Sep 2017 01:23:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41230#M5182 Joshua_Puusep 2017-09-01T01:23:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41231#M5183 Hello,<BR /> we are using NAC with MAC authentication.<BR /> Known MAC address are in End Systems group and our rules "move" the devices into a VLAN and the device get access.<BR /> The rules looks like "if the MAC address of the device is in a End System Group and the authentication type is MAC then use the accept policy ...".<BR /> If no rules match the last rule is the catch-all rule that will collect all unknown devices.<BR /> And our catch-all rule will put all devices in our guest vlan. But in your case I would change it that all unknown MAC address will deny.<BR /> So you don't need to deny special address and catch-all unknown devices.<BR /> I hope this will help you,<BR /> Axel<BR /> Fri, 01 Sep 2017 11:15:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41231#M5183 ar1 2017-09-01T11:15:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41232#M5184 The system IDs the device via DHCP fingerprinting.<BR /> <BR /> In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.<BR /> <BR /> <A href="https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology-For-OS-Detection" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...</A><BR /> <BR /> In your case I don't think that would work as there are too many AP vendors out to ID them all correctly. Fri, 01 Sep 2017 14:18:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41232#M5184 Ronald_Dvorak 2017-09-01T14:18:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41233#M5185 That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article. Fri, 01 Sep 2017 14:18:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41233#M5185 Joshua_Puusep 2017-09-01T14:18:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41234#M5186 I've wrote an article on how to create DHCP fingerprints....<BR /> <BR /> <A href="https://community.extremenetworks.com/extreme/topics/create-a-extremecontrol-nac-dhcp-fingerprint" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extreme/topics/create-a-extremecontrol-nac-dhcp-fingerprint</A> Fri, 01 Sep 2017 19:09:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/block-access-points-with-nac/m-p/41234#M5186 Ronald_Dvorak 2017-09-01T19:09:00Z