NAC: Restricting access for nondomain devices

Marlon
New Contributor III

Hi,

I am trying to follow the GTAC knowledge base article below:
https://extremeportal.force.com/ExtrArticleDetail?an=000082958

but it is not working in my setup. What is the "802.1x Placeholder" rule? Based on the procedure, only the authentication is changed to 802.1X, and there are no changes to the other options.

I would appreciate it if someone has screenshots of this setting.

Thanks!

5 REPLIES

Zdeněk_Pala
Extreme Employee
Hi,

I believe you can do it with two rules:
Rule 1 (higher position = higher priority) will have the conditions:
authentication is 802.1X
end-system group is domain computer
apply profile "authorized domain computer"
Rule 2 (lower position = lower priority than rule 1) will have the condition:
authentication is 802.1X
apply profile "restricted access to basic services"

The first time the computer connects it will go through rule 2. Then the computer will update its DNS records, and hostname resolution will reauthenticate the end-system. The reauthentication will hit rule 1.

"end-system group is domain computer" does verify the hostname in LDAP.

----

Another option to solve your issue (from my point of view more secure): use EAP-TLS, i.e. provision your domain computers with certificates. If EAP-TLS is used, then you know the device is under domain control.

Another option is to use PEAP and verify that the username is "host/*"; then you know it is a computer in the domain.

---

Good luck

Z.
Regards Zdeněk Pala
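A simplified model of the rule ordering discussed in this reply, as an added example (it is not part of the original post and not ExtremeControl code): the Rule/EndSystem classes, the evaluate() engine and the constructed DOMAIN_COMPUTERS group are assumptions made here. It puts the EAP-TLS and PEAP "host/" checks as higher-priority rules above the two-rule approach, keeps the plain 802.1X rule as the catch-all at the bottom, and walks a domain PC through the first-connect and reauthentication sequence:

```python
"""
Simplified model of NAC rule ordering for domain vs. non-domain 802.1X devices.

Added illustration, not ExtremeControl code: the Rule/EndSystem classes, the
evaluate() engine and the DOMAIN_COMPUTERS set are assumptions made here to
show first-match ordering and the reauthentication walk-through.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the "domain computers" end-system group. The product
# resolves the end-system's hostname and checks it in LDAP; here the group is a
# plain set of assumed, example fully qualified hostnames.
DOMAIN_COMPUTERS = {"ws01.corp.example", "ws02.corp.example"}


@dataclass
class EndSystem:
    mac: str
    auth_type: str                  # "802.1X" or "MAC"
    eap_method: str = ""            # "EAP-TLS" or "PEAP"
    username: str = ""              # EAP identity; PEAP machine auth sends "host/<fqdn>"
    hostname: Optional[str] = None  # learned later via DNS; None on first connect


@dataclass
class Rule:
    name: str
    profile: str
    condition: Callable[[EndSystem], bool]


def is_8021x(es: EndSystem) -> bool:
    return es.auth_type.upper() == "802.1X"


def in_domain_group(es: EndSystem) -> bool:
    """Option 1: hostname has been resolved and is found in the domain-computer group."""
    return es.hostname is not None and es.hostname.lower() in DOMAIN_COMPUTERS


def is_eap_tls(es: EndSystem) -> bool:
    """Option 2: the device authenticated with EAP-TLS, i.e. it holds a domain-issued certificate."""
    return is_8021x(es) and es.eap_method == "EAP-TLS"


def is_peap_machine_account(es: EndSystem) -> bool:
    """Option 3: PEAP machine authentication presents the identity as host/<fqdn>."""
    return is_8021x(es) and es.eap_method == "PEAP" and es.username.lower().startswith("host/")


# Ordered list: higher position = higher priority, first matching rule wins.
RULES = [
    Rule("domain computer via EAP-TLS", "authorized domain computer", is_eap_tls),
    Rule("domain computer via PEAP host/ identity", "authorized domain computer", is_peap_machine_account),
    Rule("domain computer via end-system group", "authorized domain computer",
         lambda es: is_8021x(es) and in_domain_group(es)),
    Rule("any other 802.1X", "restricted access to basic services", is_8021x),
]
DEFAULT_PROFILE = "default (no 802.1X rule matched)"


def evaluate(es: EndSystem, rules=RULES) -> str:
    """Return the profile of the first rule whose condition holds."""
    for rule in rules:
        if rule.condition(es):
            return rule.profile
    return DEFAULT_PROFILE


def simulate_option_one():
    """Walk a PEAP user-authenticated domain PC through the two-rule approach:
    the first connect hits the catch-all rule, the reauth after the DNS update hits rule 1."""
    es = EndSystem(mac="00:11:22:33:44:55", auth_type="802.1X",
                   eap_method="PEAP", username="CORP\\alice")
    first = evaluate(es)               # no hostname yet -> restricted profile
    es.hostname = "ws01.corp.example"  # DNS record now exists; reauthentication is triggered
    second = evaluate(es)              # hostname found in the group -> authorized profile
    return first, second


def simulate_misordered():
    """Show why rule position matters: with the catch-all rule on top, every
    802.1X device, even an EAP-TLS domain computer, lands in the restricted profile."""
    es = EndSystem(mac="00:11:22:33:44:66", auth_type="802.1X", eap_method="EAP-TLS")
    return evaluate(es, rules=list(reversed(RULES)))


if __name__ == "__main__":
    print(simulate_option_one())
    print(evaluate(EndSystem("aa:bb:cc:dd:ee:ff", "802.1X", "PEAP", "host/ws02.corp.example")))
    print(simulate_misordered())
```

The check worth running against a real rule set is the one in simulate_misordered(): if the plain "authentication is 802.1X" rule sits above the domain-computer rule, it matches first and every 802.1X end-system stays restricted, which is the symptom of a rule set that looks right but has the wrong order.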