No auth currently, just tunnelled back to the controller on specific VLAN for all APs in that AP group. We are planning to implement Clearpass in future so this will get fixed but currently it is a bit of a pain. At the moment we have blacklisted the device on our DHCP server which is enough to kick off your average user.
I did notice it would be possible to build AAA profile for the ports and just use MAC auth? Although I'm not sure how this works when just wanting to black list a client rather than maintaining a white list as obviously at the moment we have no whitelist so if we enable any auth that blocks by default it will affect other legitimate devices that might get plugged in.
Thanks.