  • 1.  Authenticate windows clients via MAC address only (MAB) Posture check

    Posted Jan 19, 2026 02:57 AM

    Dear Community,

    I have a customer with the following requirements.

    • Authenticate Windows clients via MAC address only (MAB).
    • Posture check via OnGuard Agent

    I would like to check if the above is the correct way to deploy.



    -------------------------------------------


  • 2.  RE: Authenticate windows clients via MAC address only (MAB) Posture check

    Posted Jan 20, 2026 12:53 AM

    You can do it, but is it a "best practice approach"? No, it's not.

    You should consider that MAC Authentication Bypass (MAB) uses MAC addresses, which are trivial to spoof, especially on Windows. There is no cryptographic binding between the device, the user, and the network. MAB is mostly suitable only for non-802.1X-capable devices (printers, cameras, IoT).
    For Windows, you can run on EAP-TLS or EAP-TEAP (EAP-Chaining).
    EAP-TLS would be a certificate-based authentication which can be considered resistant to credential theft, replay, and spoofing. It works natively with Windows.
    EAP-TEAP, on the other hand, uses the combination of machine & user authentication in a single flow. It supports certificate-based authentication & credential or cert-based user authentication.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 3.  RE: Authenticate windows clients via MAC address only (MAB) Posture check

    Posted Jan 29, 2026 11:21 AM

    Totally agree with this^ Why not use EAP-TLS or TEAP?

    -------------------------------------------



  • 4.  RE: Authenticate windows clients via MAC address only (MAB) Posture check

    Posted Jan 21, 2026 03:10 AM

    Hi.

    I must agree with @shpat. MAB will provide the customer with a false sense of security. As they already have a ClearPass, use EAP-something to authenticate clients that support it. Preferred options are certificate-based. Usually the "scariest" part is CA deployment and certificate lifecycle. When certificates are taken care of, other things are much easier.

    Best, Gorazd 



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 5.  RE: Authenticate windows clients via MAC address only (MAB) Posture check

    Posted Feb 06, 2026 12:45 AM

    Hi Team,

    As mentioned above, it is not a best practice approach, but can we do MAB + Posture for both wired & wireless clients?

    -------------------------------------------



  • 6.  RE: Authenticate windows clients via MAC address only (MAB) Posture check

    Posted Feb 06, 2026 02:54 AM

    Yes. 



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------