This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Block Access Points with NAC

Block Access Points with NAC

Matthew_Perry
New Contributor III

‎08-31-2017 03:57 PM

I'm trying to create a nac rule to block students from putting access points on our network and extending our network unsecurely. I think I could key of of Device Type but don't see any matching type. Is there a way to add types to the system?
6 REPLIES 6

Ronald_Dvorak
Honored Contributor

‎09-01-2017 12:09 PM

I've wrote an article on how to create DHCP fingerprints....

https://community.extremenetworks.com/extreme/topics/create-a-extremecontrol-nac-dhcp-fingerprint
0 Kudos

Ronald_Dvorak
Honored Contributor

‎09-01-2017 07:18 AM

The system IDs the device via DHCP fingerprinting.

In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...

In your case I don't think that would work as there are too many AP vendors out to ID them all correctly.
0 Kudos

Joshua_Puusep
New Contributor III
In response to Ronald_Dvorak

‎09-01-2017 07:18 AM

That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article.
0 Kudos

ar1
Contributor

‎09-01-2017 04:15 AM

Hello,
we are using NAC with MAC authentication.
Known MAC address are in End Systems group and our rules "move" the devices into a VLAN and the device get access.
The rules looks like "if the MAC address of the device is in a End System Group and the authentication type is MAC then use the accept policy ...".
If no rules match the last rule is the catch-all rule that will collect all unknown devices.
And our catch-all rule will put all devices in our guest vlan. But in your case I would change it that all unknown MAC address will deny.
So you don't need to deny special address and catch-all unknown devices.
I hope this will help you,
Axel
0 Kudos
GTM-P2G8KFN