Analytics & Visibility

  • 1.  IAM/NAC: Binding of Certificate and MAC Address

    Posted 11-26-2013 19:03
    I experience the customer need for a feature where you can bind the Subject of the Certificate to the MAC Address. For example CN=00-11-22-33-44-55 and RADIUS Calling-Station-ID Attribute.

    Use Case: You want to integrate Mobile Devices into your corporate Wifi secured via certificate (EAP-TLS). The mentioned feature would avoid the user to export the certificate and import it on a own device (as long as the MAC is not spoofed).

    Are there any other ideas to realize this use case?

    Best Regards
    Michael


  • 2.  RE: IAM/NAC: Binding of Certificate and MAC Address

    Posted 12-02-2013 11:19
    Hi Michael, I am going to run this through our product management group and have someone respond shortly. Thanks for the suggestion!


  • 3.  RE: IAM/NAC: Binding of Certificate and MAC Address

    Posted 12-16-2013 17:05
    We will take this request into consideration but would like to hear from our users on this request.


  • 4.  RE: IAM/NAC: Binding of Certificate and MAC Address

    Posted 01-09-2014 07:24
    The certificate could be generated with a private key that is not allowed to be exported. But this doesn't help in any circumstance and makes backups of the certificates more complicated for administrators. The suggested solution is a good way to improve this issue.


  • 5.  RE: IAM/NAC: Binding of Certificate and MAC Address

    Posted 01-09-2014 07:31
    Some customers fear that their users export their smartphone certificates and install them unto their own devices to get full access to the network. Solution today is to implement non-exportable certificates, so no 802.1X for smartphones (or similar).

    It would be easier, if it was possible to match the MAC and a certificate attribute for certain device types (of the customers choosing). Especially if there was an alarm/trap/etc, when this match fails.