https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51733#M67 Some customers fear that their users export their smartphone certificates and install them unto their own devices to get full access to the network. Solution today is to implement non-exportable certificates, so no 802.1X for smartphones (or similar). <BR /> <BR /> It would be easier, if it was possible to match the MAC and a certificate attribute for certain device types (of the customers choosing). Especially if there was an alarm/trap/etc, when this match fails. <BR /> Thu, 09 Jan 2014 15:31:00 GMT Barbara_Günther 2014-01-09T15:31:00Z https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51729#M63 I experience the customer need for a feature where you can bind the Subject of the Certificate to the MAC Address. For example CN=00-11-22-33-44-55 and RADIUS Calling-Station-ID Attribute. <BR /> <BR /> Use Case: You want to integrate Mobile Devices into your corporate Wifi secured via certificate (EAP-TLS). The mentioned feature would avoid the user to export the certificate and import it on a own device (as long as the MAC is not spoofed).<BR /> <BR /> Are there any other ideas to realize this use case?<BR /> <BR /> Best Regards<BR /> Michael<BR /> Wed, 27 Nov 2013 03:03:00 GMT https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51729#M63 Michael_Kirchne 2013-11-27T03:03:00Z https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51730#M64 Hi Michael, I am going to run this through our product management group and have someone respond shortly. Thanks for the suggestion! Mon, 02 Dec 2013 19:19:00 GMT https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51730#M64 Tamera_Rousseau 2013-12-02T19:19:00Z https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51731#M65 We will take this request into consideration but would like to hear from our users on this request. Tue, 17 Dec 2013 01:05:00 GMT https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51731#M65 Kafel__Ali 2013-12-17T01:05:00Z https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51732#M66 The certificate could be generated with a private key that is not allowed to be exported. But this doesn't help in any circumstance and makes backups of the certificates more complicated for administrators. The suggested solution is a good way to improve this issue. Thu, 09 Jan 2014 15:24:00 GMT https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51732#M66 Max_Zöller 2014-01-09T15:24:00Z https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51733#M67 Some customers fear that their users export their smartphone certificates and install them unto their own devices to get full access to the network. Solution today is to implement non-exportable certificates, so no 802.1X for smartphones (or similar). <BR /> <BR /> It would be easier, if it was possible to match the MAC and a certificate attribute for certain device types (of the customers choosing). Especially if there was an alarm/trap/etc, when this match fails. <BR /> Thu, 09 Jan 2014 15:31:00 GMT https://community.extremenetworks.com/t5/analytics-visibility/iam-nac-binding-of-certificate-and-mac-address/m-p/51733#M67 Barbara_Günther 2014-01-09T15:31:00Z