Extreme Networks

The process of binding doesn't stop them from binding to an inappropriate device, so you'd have to unbind them if they use the credentials on the wrong device initially. Unbinding would have to be done at an admin level, and you can do this with a CLI command if we're just trying to unbind one individual user. The student wouldn't have control over the devices that were bound to their credentials, so they'd have to come to the IT team to get that fixed. They will just see their login rejected, there isn't a message sent to them or the IT admin that the credentials are already locked to a specific address.

This command would show what MAC addresses are bound with which credentials: _test auth mac-bind show <ssid profile name> <mac address> 

This command could unbind a MAC from specific credentials: exec auth <SSID> ppsk-mac-unbinding mac-ppsk <mac-address> <password>

thank you for looking into it so thoroughly. I suspected there wasn't going to be any way to stop them short of it being done at the radius level.

Binding ppsk isn't really an option as with 600 students there is a high turnover of personal hardware, things get broken constantly and lots of temp borrowed devices, constant upgrades of personal devices etc.

I could see binding working in a corp environment where you could sight and list all the devices by macaddress but how does binding not stop someone from registering their phone as their first device by mistake causing complete confusion. What is the process of binding or unbinding, does the student have control of their account and can remove an old device freeing up their account like the way paid streaming services let you manage your devices list or does it have to be done from an admin level. Does the student or even the admin get notification that the access is locked to xxxaddress when troubleshooting and how hard is it to remove the binding. can't find documentation on that part.

We have tried Locking ppsk to 2-3 devices per user previously and it works to a point but is still abused by students.

radius with a dead user profile works to the best result for us and in classic wasn't an issue. its just the dashboard and reporting of the new system that now looks bad overall due to the locked devices affecting the scores.

If that could be ignored somehow I'd be happier but at least the system is working very well.

I reviewed this question with our experts and the only way to stop them from registering in your reporting would be to stop them from authenticating in the first place. They have to authenticate to get a user profile assigned to them, so any rules in the user profile would come after they are already authenticated to the network. Have you considered a PPSK option? I'm not sure what you're using now, but if you want to use PPSK we have options like binding the PPSK credentials to specific devices, so even if they enter the correct credentials on their mobile devices, they wouldn't be able to log on. Does that should like what you're looking for?