One thing missing in the current document is how to address the modern issue of MAC address randomization.
i.e. admins would like to ensure that only certain devices access the network. But with MAC address randomization, it's difficult to have a static device identifier. Even client certificates can be installed on multiple machines, if they're just sent to the user. Would it be worth adding a note that systems SHOULD implement RFC 6677 channel bindings to address this issue? And that the Calling-Station-Id inside of the channel bindings MUST be the actual physical MAC, and not the public / randomized MAC? I've seen this problem more and more in customer deployments. It's becoming a serious security issue. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
