Block Access Points with NAC

New Contributor III
I'm trying to create a NAC rule to block students from putting access points on our network and extending our network insecurely. I think I could key off of Device Type but don't see any matching type. Is there a way to add types to the system?

Honored Contributor
The system IDs the device via DHCP fingerprinting.

In the past I've used the below article to create a GTAC ticket so unknown devices could get implemented into the system.

In your case I don't think that would work, as there are too many AP vendors out there to ID them all correctly.

That's pretty much what I thought. We were hoping to get at least some of the vendors in the system preemptively before school starts. Thanks for the article.

We are using NAC with MAC authentication.
Known MAC addresses are in an End Systems group and our rules "move" the devices into a VLAN and the device gets access.
The rules look like "if the MAC address of the device is in an End System Group and the authentication type is MAC then use the accept policy ...".
If no rules match, the last rule is the catch-all rule that will collect all unknown devices.
And our catch-all rule will put all devices in our guest VLAN. But in your case I would change it so that all unknown MAC addresses are denied.
So you don't need to deny special addresses and catch all unknown devices.
I hope this will help you,
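
The first-match rule order described in the post above, as an added example that is not part of the original thread and is not the NAC product's own API. The group name, profile names, function names and MAC addresses are constructed for illustration; it shows how the same unknown device lands in the guest VLAN or is denied depending only on the catch-all rule.

```python
import re

def normalize_mac(mac):
    """Reduce common MAC notations (aa:bb.., aa-bb.., aabb.ccdd..) to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

# Constructed sample data: registered devices in a hypothetical end-system group.
END_SYSTEM_GROUPS = {
    "registered": {normalize_mac(m) for m in ("00:11:22:33:44:55", "0011.2233.4466")},
}

def build_rules(catch_all_profile):
    """Ordered rule list; the first matching rule wins, the last one is the catch-all."""
    return [
        {"name": "known-mac", "group": "registered", "auth_type": "MAC",
         "profile": "accept-vlan10"},
        {"name": "catch-all", "group": None, "auth_type": None,
         "profile": catch_all_profile},
    ]

def evaluate(rules, mac, auth_type):
    """Return (rule name, profile) for the first rule whose conditions all hold."""
    mac = normalize_mac(mac)
    for rule in rules:
        group_ok = rule["group"] is None or mac in END_SYSTEM_GROUPS[rule["group"]]
        auth_ok = rule["auth_type"] is None or rule["auth_type"] == auth_type
        if group_ok and auth_ok:
            return rule["name"], rule["profile"]
    return None, "deny"  # empty or exhausted rule list: fail closed

if __name__ == "__main__":
    unknown = "DE-AD-BE-EF-00-01"  # constructed MAC, e.g. an unregistered access point
    for catch_all in ("guest-vlan", "deny"):
        rules = build_rules(catch_all)
        print(catch_all, "->", evaluate(rules, "00-11-22-33-44-55", "MAC"),
              evaluate(rules, unknown, "MAC"))
```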