Header Only - DO NOT REMOVE - Extreme Networks

IAM/NAC: Binding of Certificate and MAC Address

Userlevel 3
I experience the customer need for a feature where you can bind the Subject of the Certificate to the MAC Address. For example CN=00-11-22-33-44-55 and RADIUS Calling-Station-ID Attribute.

Use Case: You want to integrate Mobile Devices into your corporate Wifi secured via certificate (EAP-TLS). The mentioned feature would avoid the user to export the certificate and import it on a own device (as long as the MAC is not spoofed).

Are there any other ideas to realize this use case?

Best Regards

4 replies

Userlevel 2
Hi Michael, I am going to run this through our product management group and have someone respond shortly. Thanks for the suggestion!
We will take this request into consideration but would like to hear from our users on this request.
The certificate could be generated with a private key that is not allowed to be exported. But this doesn't help in any circumstance and makes backups of the certificates more complicated for administrators. The suggested solution is a good way to improve this issue.
Some customers fear that their users export their smartphone certificates and install them unto their own devices to get full access to the network. Solution today is to implement non-exportable certificates, so no 802.1X for smartphones (or similar).

It would be easier, if it was possible to match the MAC and a certificate attribute for certain device types (of the customers choosing). Especially if there was an alarm/trap/etc, when this match fails.