Block Access Points with NAC
‎08-31-2017 03:57 PM
I'm trying to create a NAC rule to block students from putting access points on our network and extending our network insecurely. I think I could key off of Device Type but don't see any matching type. Is there a way to add types to the system?
6 REPLIES
‎09-01-2017 12:09 PM
I've written an article on how to create DHCP fingerprints....
https://community.extremenetworks.com/extreme/topics/create-a-extremecontrol-nac-dhcp-fingerprint
‎09-01-2017 07:18 AM
The system IDs the device via DHCP fingerprinting.
In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.
https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...
In your case I don't think that would work, as there are too many AP vendors out there to ID them all correctly.
‎09-01-2017 07:18 AM
That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article.
‎09-01-2017 04:15 AM
Hello,
We are using NAC with MAC authentication.
Known MAC addresses are in End System groups and our rules "move" the devices into a VLAN and the device gets access.
The rules look like "if the MAC address of the device is in an End System Group and the authentication type is MAC then use the accept policy ...".
If no rules match, the last rule is the catch-all rule that will collect all unknown devices.
And our catch-all rule will put all devices in our guest VLAN. But in your case I would change it so that all unknown MAC addresses are denied.
So you don't need to deny special addresses and catch-all unknown devices.
I hope this will help you,
Axel
