Device-cert groups & MAB
A device-certificate group collects the devices that share a network policy. EntryPoint decides which group a device belongs to from a value in its certificate, applies the group’s Attribute Profile, and — on the same group — can admit headless gear by MAC address.
Matching a device to a group
Section titled “Matching a device to a group”When a device presents its certificate, EntryPoint validates the chain against the context’s trusted CAs and then resolves the device to a group. A certificate group identifier on each group is matched against a value in the certificate, typically an organizational unit in the subject or a custom extension written by the PKI. This lets one issuing CA serve several groups: a single corporate PKI can issue certificates for kiosks, factory workstations, and managed laptops through the same intermediate, and the identifier on each group is what routes a given certificate to the right group.
Each group carries an Attribute Profile that defines the network policy returned on success — a VLAN through tunnel attributes, or a Cisco security group tag. Where the context has an Entra connection, a group can also be mapped to an Entra device group, and Intune device-compliance can be required.
MAB fallback for headless gear
Section titled “MAB fallback for headless gear”MAC Authentication Bypass appears as a MAB Device List on the Dot1x groups, and device-certificate groups are its usual home. Gear that cannot present a certificate — printers, IP phones, sensors — is listed by MAC address; a listed device authenticates by its MAC and inherits the same Attribute Profile as the certificate-authenticated devices in the group.
A few operational points apply:
- MAC address formatting is the most common source of mismatches; the address must be entered in the format the list expects.
- MAB trusts only the MAC address, which is weaker than a certificate, so it is meant for headless equipment — not for personal devices, which should authenticate with a certificate or a password instead.
- Listed devices are added, updated, and removed over the device’s lifecycle.
Revocation and device retirement
Section titled “Revocation and device retirement”A lost or decommissioned device is cut off by revoking its certificate; with a CRL endpoint configured, EntryPoint stops admitting it without affecting the rest of the group. A MAB-listed device is retired by removing its entry from the list.
Related sections
Section titled “Related sections”- EAP-TLS — Device certificate overview.
- Certificates & PKI: trusted CAs and revocation.
- EAP-TLS with Entra: the user-certificate variant.