We are using SBR 6/1 and currently using EAP-PEAP with a certificate. I'm trying to lock down access even further by doing one of two things:
1) Limit access to only the enterprise's brands MAC address. I think I can do this in a profile with a Check List, but am not sure what parameters I would need to add. And can I even specify that clients must meet the requirement of the first part of a MAC? 0011:ffff:* for example.
2) Can I make it where the RADIUS certificate has to be preloaded on the machine, so clients connecting with mobile phones don't get a prompt to download the certificate?
Hello, yes, you can limit the allowed users based on MAC address. The RADIUS attribute is 'calling-station-id'.
However, since you are using EAP-PEAP, you will need to create a request filter to move the 'calling-station-id' inside of the PEAP tunnel. If you do not do this, you will not be able to filter the MAC address. You have to ALLOW the 'calling-station-id' attribute as part of the filter.
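The prefix match asked about in the question, as an added Python example (not SBR configuration and not from the original posts): it normalizes the Calling-Station-Id formats that different NAS vendors send and compares them against the question's `0011:ffff:*` pattern. The function names and sample values are assumptions constructed for illustration.

```python
import re

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9A-F]{12}")


def prefix_from_pattern(pattern):
    """Turn a wildcard pattern such as '0011:ffff:*' into a bare hex prefix."""
    prefix = _SEPARATORS.sub("", pattern.rstrip("*")).upper()
    if not re.fullmatch(r"[0-9A-F]{1,12}", prefix):
        raise ValueError("pattern is not a hex MAC prefix: %r" % pattern)
    return prefix


def normalize_mac(calling_station_id):
    """Return 12 uppercase hex digits, or None if the value is not a MAC.

    Handles 00-11-FF-FF-0A-0B, 00:11:ff:ff:0a:0b, 0011.ffff.0a0b and
    0011ffff0a0b, which are all common Calling-Station-Id encodings.
    """
    digits = _SEPARATORS.sub("", calling_station_id).upper()
    return digits if _HEX12.fullmatch(digits) else None


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a locally administered address."""
    return bool(int(mac[:2], 16) & 0x02)


def check_calling_station_id(value, allowed_patterns):
    """Return (allowed, reason) for one Calling-Station-Id value."""
    mac = normalize_mac(value)
    if mac is None:
        return False, "not a MAC address"
    if is_locally_administered(mac):
        return False, "locally administered address"
    prefixes = [prefix_from_pattern(p) for p in allowed_patterns]
    if any(mac.startswith(p) for p in prefixes):
        return True, "prefix allowed"
    return False, "prefix not allowed"


if __name__ == "__main__":
    # Constructed sample values, one per encoding or failure case.
    samples = ["00-11-FF-FF-0A-0B", "0011.ffff.0a0b", "00:11:FF:AA:0A:0B",
               "DA:A1:19:00:00:01", "jsmith"]
    for s in samples:
        print(s, check_calling_station_id(s, ["0011:ffff:*"]))
```

Phones that randomize their Wi-Fi MAC set the locally administered bit, so they never match a vendor prefix; the value is also reported by the client itself, so treat the check as a filter on top of PEAP rather than as an authenticated identity.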