A system that includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device and a port identifier identifying a port on the switch to a threat management server in response to the device passing authentication. The threat management server determines the endpoint device is present in the black list using the device identifier. The threat management server determines the endpoint device has a block on the port of the switch using the port identifier. The threat management server removes the block for the endpoint device on the port on the switch in response to determining the endpoint device has the block on the port of the switch.