Every Dot1x Group — PEAP, User-Cert, and Device-Cert — carries a MAB Device List tab. Devices on that list authenticate via MAC Authentication Bypass (MAB): the RADIUS client sends the device’s MAC as the username, and if it matches an entry, access is granted. The Group’s Attribute Profile drives the VLAN / SGT just as it does for the 802.1X-authenticated devices in the same Group. This page covers the MAB mechanism, the lifecycle of the MAB Device List, and why a Device-Cert Group is its most common home.

Why MAB lives inside a Group

It’s tempting to look for a “MAB Group” in the Create Group dropdown. There isn’t one. MAB is a fallback mechanism, not an audience — the real question is always “which network policy should this MAC get”, and that policy is precisely what a Group’s Attribute Profile already encodes. Putting MAB inside a Group gives you:
  • One place per audience. The Group for Factory Workstations authorizes the factory’s cert-auth’d workstations and the printer on the same switchport. Both land on the factory VLAN via the Group’s Attribute Profile.
  • One audit trail. MAB adds / removes show up in the same audit as the Group’s other configuration changes.
  • No second tier of policy. MAB devices share the Attribute Profile — nothing else to configure, nothing to miss.
This differs from Cisco ISE’s model where MAB is a first-class authorization path; in EntryPoint, the shape is simpler because EntryPoint is built around the Group, not the MAC-list.

Why Device-Cert Groups are the usual home

The MAB tab is available on every Dot1x Group type, but the most common place it’s actually populated is inside Device-Cert Groups. Three reasons:
  • Shared network infrastructure. Factory workstations (cert) and the printer on the same switchport (MAB) usually want the same VLAN. A single Device-Cert Group’s Attribute Profile delivers that policy to both.
  • Static fleets. Headless gear (printers, phones, BMS panels) turns over slowly and is inventoried by device, not by user. The Device-Cert model — “this device is authorized” — fits that mental model, and MAB is just the degenerate case where the device can’t carry a cert.
  • Contractor hygiene. PEAP Groups typically serve per-firm contractor audiences. Keeping printer MACs out of the consulting firm’s Group is cleaner governance — the contractor’s lead doesn’t need to see (or accidentally edit) infrastructure devices.
PEAP Groups and User-Cert Groups can still carry MAB entries; the mechanism is the same, and the Attribute Profile flows the same way. Use the MAB tab on a PEAP Group if that Group’s VLAN matches the headless devices you need to allow there.

When to use MAB

Headless gear that shares network infrastructure with your 802.1X-authenticated devices:
  • Printers on the same VLAN as factory workstations.
  • VoIP phones behind switchports alongside 802.1X laptops.
  • Sensors and barcode scanners that can’t run a supplicant.
  • BMS / HVAC / access-control panels from vendors who’ve never heard of 802.1X.
  • Legacy appliances you’re not replacing this quarter.
Add each device’s MAC to the MAB Device List of the Group whose Attribute Profile matches the policy that device should receive. That’s it — no parallel Group to maintain, no second-tier configuration.

Populating the MAB Device List

1. Open the Device-Cert Group's MAB Device List tab. It is the fourth tab on the Group detail page.
2. Click Add MAC and paste the MAC. EntryPoint normalises the format (colons, dashes and plain hex all work), but the authoritative stored form is lowercase, colon-separated.
3. (Optional) Add a Description, such as Reception floor printer or Server-room thermostat. It helps future-you identify the device in audits and in the list view.
4. Save. The MAC appears in the list. Next time that device hits the switchport or SSID, the RADIUS client sends MAB, EntryPoint matches the MAC, and the Group's Attribute Profile is returned.

MAC format — a recurring footgun

Inventory spreadsheets vary: some use aa:bb:cc:dd:ee:ff, some AA-BB-CC-DD-EE-FF, some AABBCCDDEEFF. EntryPoint normalises them on input, so the separators are not the problem; copy-paste errors are. A missing character, stray whitespace, or an l substituted for a 1 produces something that is not a 12-digit hex string and fails at entry, but a MAC that is valid hex and simply wrong (two digits transposed, an 8 typed as a B) is accepted and silently never matches. When a device that should be on MAB is rejected, re-check the MAC character-by-character against the MAC the device itself reports.

RADIUS response — same Attribute Profile

A MAB authentication returns the Group’s Attribute Profile on Access-Accept, exactly like a certificate authentication does. If the Group’s Profile puts certificate devices on VLAN 510, MAB devices land on VLAN 510 too. Same SGT, same tunnel attributes. This is what makes the Device-Cert Group the natural home for MAB — the authorisation policy is the Group, and MAB is just a different way for a device to reach Access-Accept.
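The exchange described above, as an added example that is not EntryPoint's code (the page does not describe EntryPoint's RADIUS implementation or how it matches MACs internally): the Python below builds the MAB Access-Request a switch would send, answers it with an Access-Accept that carries the Group's VLAN as RFC 2868 tunnel attributes when the MAC is listed (Access-Reject otherwise), and verifies the reply the way the NAS does, by recomputing the Response Authenticator. The shared secret, the MAC, VLAN 510 and the one-entry MAB list are constructed sample values. The Service-Type Call-Check value and the MAC-as-User-Password check are what Cisco-style NASes send for MAB; they are assumptions about the NAS, not statements about EntryPoint.

```python
import hashlib
import struct

# RADIUS codes and attribute numbers from RFC 2865 (base) and RFC 2868 (tunnel attributes).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK = 10          # assumption: Service-Type Cisco-style NASes send for MAB
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def parse_attrs(payload: bytes) -> list:
    """Decode a TLV attribute list into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute")
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out


def pap_xor(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block   # chaining always uses ciphertext
    return out


def build_mab_request(mac: str, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """What the switch sends for MAB: the MAC as User-Name (and as the hidden User-Password)."""
    body = attr(USER_NAME, mac.encode())
    body += attr(USER_PASSWORD, pap_xor(mac.encode(), secret, req_auth, decrypt=False))
    body += attr(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK.to_bytes(4, "big"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def attribute_profile(vlan: int, tag: int = 1) -> bytes:
    """The VLAN part of an Attribute Profile, as RFC 2868 tunnel attributes."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def answer_request(request: bytes, secret: bytes, mab_list: set, vlan: int) -> bytes:
    """Illustrative server side: Accept with the Group's VLAN if the MAC is listed, else Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = pap_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True).rstrip(b"\x00")
    listed = username in mab_list and pw == username.encode()
    body = attribute_profile(vlan) if listed else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if listed else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def check_response(response: bytes, req_auth: bytes, secret: bytes) -> dict:
    """NAS side: verify the Response Authenticator, then pull out the code and the VLAN."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if hashlib.md5(header + req_auth + body + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch (wrong shared secret or tampered reply)")
    attrs = dict(parse_attrs(body))
    gid, vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID), None
    if gid is not None:
        vlan = (gid[1:] if gid and gid[0] <= 0x1F else gid).decode()   # strip the tag byte
    return {"code": header[0], "vlan": vlan}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample values throughout
    req_auth = bytes(range(16))                     # a real NAS uses 16 random bytes here
    mab_list = {"00:11:22:33:44:55"}                # the Group's MAB Device List, canonical form
    req = build_mab_request("00:11:22:33:44:55", secret, 7, req_auth)
    print(check_response(answer_request(req, secret, mab_list, 510), req_auth, secret))
```

Two things worth noticing when reading the reply: the VLAN travels as Tunnel-Private-Group-ID with a tag byte in front of the string, which is why a raw packet capture shows "\x01510" rather than "510", and nothing in the Access-Accept distinguishes a MAB hit from an EAP-TLS success; the switch applies whatever attributes arrive, which is exactly why the Group's Attribute Profile is the policy unit.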

Don’t MAB personal devices

Phones and laptops running modern OSes randomise their MAC per SSID and (on some OS versions) per session. A MAB entry added yesterday won't match today's MAC. Use MAB only for equipment you control and that keeps a fixed hardware MAC: printers, VoIP phones, sensors, panels. For personal devices, put the user on PEAP (password auth) or give them a user cert (EAP-TLS).
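Serving both the MAC-format footgun above and the randomised-MAC warning in this section, the following Python is an added example, not EntryPoint's code (the page says EntryPoint normalises input and stores lowercase colon-separated MACs, but does not describe how). It normalises the notations inventory spreadsheets use into that stored form, names non-hex look-alike characters it finds instead of silently dropping them, refuses multicast addresses, warns when the locally-administered bit is set (the bit randomised client MACs set, so the entry is unlikely to stay valid), and normalises the User-Name a NAS sends before lookup, because NAS vendors differ in the format they send. The in-memory list, the add_mab_entry and mab_lookup names, and the warning behaviour are assumptions for illustration.

```python
import re

# Characters that commonly get typed or OCR'd into a MAC in place of a hex digit.
LOOKALIKES = {"o": "0", "i": "1", "l": "1", "s": "5", "z": "2", "g": "6"}
HEX_DIGITS = set("0123456789abcdef")


def normalize_mac(raw: str) -> str:
    """Canonical form: lowercase, colon-separated.
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, AABBCCDDEEFF and aabb.ccdd.eeff, tolerating
    stray whitespace; anything else raises ValueError naming the likely copy-paste error."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    bad = sorted({c for c in digits if c not in HEX_DIGITS})
    if bad:
        hint = {c: LOOKALIKES[c] for c in bad if c in LOOKALIKES}
        raise ValueError(f"{raw!r}: non-hex characters {bad}" + (f", did you mean {hint}?" if hint else ""))
    if len(digits) != 12:
        raise ValueError(f"{raw!r}: {len(digits)} hex digits, expected 12")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_multicast(mac: str) -> bool:
    """I/G bit (bit 0 of the first octet) set: a group address, never a station's MAC."""
    return int(mac[:2], 16) & 0x01 != 0


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet) set: locally administered. Randomised client MACs on
    phones and laptops set this bit, so a hit here means the entry will probably not match tomorrow."""
    return int(mac[:2], 16) & 0x02 != 0


def add_mab_entry(mab_list: dict, raw_mac: str, description: str) -> tuple:
    """Add one device to a constructed in-memory MAB Device List keyed by canonical MAC.
    Returns (canonical_mac, warnings); hard errors (bad format, multicast, duplicate) raise."""
    mac = normalize_mac(raw_mac)
    if is_multicast(mac):
        raise ValueError(f"{mac} is a multicast address, not a device")
    if mac in mab_list:
        raise ValueError(f"{mac} is already listed as {mab_list[mac]!r}")
    warnings = []
    if is_locally_administered(mac):
        warnings.append(f"{mac} is locally administered: likely a randomised personal-device MAC")
    if not description.strip():
        warnings.append("empty description: the MAC alone will mean nothing in a later audit")
    mab_list[mac] = description
    return mac, warnings


def mab_lookup(mab_list: dict, radius_user_name: str):
    """Match the User-Name a NAS sends for MAB. Vendors differ in the format they send (no
    separators, dashes, uppercase), so normalise before comparing. Returns the description on
    a hit, None on a miss or when the username is not a MAC at all."""
    try:
        return mab_list.get(normalize_mac(radius_user_name))
    except ValueError:
        return None


if __name__ == "__main__":
    devices = {}   # constructed sample list
    for raw, desc in [("00-11-22-33-44-55", "Reception floor printer"),
                      ("DA:A1:19:00:00:01", "visitor phone"),
                      ("0011.2233.4456", "Server-room thermostat")]:
        print(add_mab_entry(devices, raw, desc))
    for bad in ("00:11:22:33:44:5l", "00:11:22:33:44"):
        try:
            normalize_mac(bad)
        except ValueError as err:
            print("rejected:", err)
    print(mab_lookup(devices, "001122334455"))
```

The locally-administered check is a heuristic, not proof: some vendors legitimately ship equipment with that bit set, and a randomised MAC with the bit clear is possible in principle, so treat the warning as a prompt to confirm the device is managed hardware rather than as a hard rule.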

Lifecycle — add, update, remove

  • Add. As above.
  • Update. Click a row to change the description. MAC is immutable — a different MAC means a different entry.
  • Remove. Delete the row; the device is rejected on next attempt.
  • Bulk changes. For large fleets (many printers at once), the admin UI’s paste-on-create flow accepts multi-line input; check the Add MAC dialog on your Context for the most current paste support.
Revocation takes effect at the device's next authentication. Active sessions stay up until the next re-auth or until explicitly torn down (e.g. via your WLAN controller's disconnect action), so removing a MAC does not by itself cut off a device that is already online.

Audit and operational tips

  • Name each MAC meaningfully. Reception printer, Server-room HVAC panel, BMS gateway. Months later, only the Description will tell you what the MAC is.
  • Review quarterly. Printers get replaced, sensors retired, vendors swap out. Stale MAB entries accumulate silently: they don't fail loudly until the original device comes back on the network, or until someone spoofs the retired MAC and inherits the Group's policy. Since a MAC is trivial to spoof, every entry on the list is a standing grant to whoever presents it, which is the strongest argument for keeping the list short and current.
  • Keep MAB devices on the same Attribute Profile as the certs. Splitting printers onto a separate Group solely so they have a “MAB Group” defeats the whole point; the Group is the policy unit.

Troubleshooting

  • MAB entry added, device still rejected. Most common cause: the WLAN controller / switch isn’t configured to fall back to MAB when 802.1X fails. Verify the network equipment is sending MAB packets at all (packet capture on the RADIUS flow reveals this quickly).
  • MAC format mismatch. Re-copy the MAC from the device’s own display (not from the inventory spreadsheet) and re-enter.
  • Device appears authenticated but lands on the wrong VLAN. Verify the Group’s Attribute Profile — same cause as for certificate authentications.

Related pages:
  • Device certificates & Intune: the parent Group type that hosts the MAB list.
  • Attribute Profiles: what MAB devices inherit alongside cert'd devices.
  • RADIUS clients: the network-side prerequisite for MAB (fallback from 802.1X).
  • EntryPoint diagnostics: the whole-picture failure-mode walk-through.