Skip to content
EAP-TLS — Device cert

Device-cert groups & MAB

A device-certificate group collects the devices that share a network policy. EntryPoint decides which group a device belongs to from a value in its certificate, applies the group’s Attribute Profile, and — on the same group — can admit headless gear by MAC address.

When a device presents its certificate, EntryPoint validates the chain against the context’s trusted CAs and then resolves the device to a group. A certificate group identifier on each group is matched against a value in the certificate, typically an organizational unit in the subject or a custom extension written by the PKI. This lets one issuing CA serve several groups: a single corporate PKI can issue certificates for kiosks, factory workstations, and managed laptops through the same intermediate, and the identifier on each group is what routes a given certificate to the right group.

Each group carries an Attribute Profile that defines the network policy returned on success — a VLAN through tunnel attributes, or a Cisco security group tag. Where the context has an Entra connection, a group can also be mapped to an Entra device group, and Intune device-compliance can be required.

MAC Authentication Bypass appears as a MAB Device List on the Dot1x groups, and device-certificate groups are its usual home. Gear that cannot present a certificate — printers, IP phones, sensors — is listed by MAC address; a listed device authenticates by its MAC and inherits the same Attribute Profile as the certificate-authenticated devices in the group.

A few operational points apply:

  • MAC address formatting is the most common source of mismatches; the address must be entered in the format the list expects.
  • MAB trusts only the MAC address, which is weaker than a certificate, so it is meant for headless equipment — not for personal devices, which should authenticate with a certificate or a password instead.
  • Listed devices are added, updated, and removed over the device’s lifecycle.

A lost or decommissioned device is cut off by revoking its certificate; with a CRL endpoint configured, EntryPoint stops admitting it without affecting the rest of the group. A MAB-listed device is retired by removing its entry from the list.

Next