
Device Management

Overview

Device management in IronWiFi covers registering known devices, authenticating by MAC address, managing device lifecycles, and enforcing BYOD (Bring Your Own Device) policies. Whether you are onboarding corporate laptops, registering IoT sensors, or allowing employees to use personal devices, IronWiFi provides the RADIUS-based tools to control which devices access your network.

Device Authentication Methods

Comparison

| Method | Security | User Experience | Best For |
| --- | --- | --- | --- |
| 802.1X (EAP-TLS) | Highest | Seamless after setup | Managed devices with certificates |
| 802.1X (PEAP) | High | Username/password prompt | Mixed device environments |
| MAC Authentication | Basic | Automatic (no user action) | IoT, printers, legacy devices |
| Captive Portal | Moderate | Requires web interaction | Guest devices, BYOD |

When to Use MAC Authentication

MAC authentication (also called MAC Authentication Bypass or MAB) is used for devices that cannot perform 802.1X authentication:

  • IoT devices -- Sensors, cameras, building automation
  • Printers and scanners -- Network peripherals
  • Legacy equipment -- Older devices without 802.1X supplicants
  • Audio/video systems -- Conference room displays, smart TVs
  • Medical devices -- Infusion pumps, patient monitors (see Healthcare Solutions)
Warning: MAC addresses can be spoofed, so treat a MAC as an identifier, not a credential. Do not rely on MAC authentication as the sole security control for networks carrying sensitive data. Place MAC-authenticated devices on a dedicated VLAN with restrictive firewall rules.

Device Registration

Registering Devices via IronWiFi Console

Register a device for MAC authentication:

  1. Navigate to Users in the IronWiFi Console
  2. Click Create User
  3. Configure the device entry:

| Field | Value |
| --- | --- |
| Username | Device MAC address (format: `aa-bb-cc-dd-ee-ff`) |
| Password | Same MAC address (`aa-bb-cc-dd-ee-ff`) |
| Full Name | Device description (e.g., "Lobby Printer - HP LaserJet") |
| Group | Assign to the appropriate device group |

  4. Click Save
Note: The MAC address format depends on your AP vendor. Common formats are `aa-bb-cc-dd-ee-ff` (hyphenated), `aa:bb:cc:dd:ee:ff` (colon-separated), or `aabbccddeeff` (no separator). Check your AP's RADIUS logs to see which format it sends.

MAC Address Formats by Vendor

| AP Vendor | Format Sent in RADIUS | Example |
| --- | --- | --- |
| Cisco/Meraki | `aabb.ccdd.eeff` | `a1b2.c3d4.e5f6` |
| Ubiquiti UniFi | `aa:bb:cc:dd:ee:ff` | `a1:b2:c3:d4:e5:f6` |
| Aruba | `aabbccddeeff` | `a1b2c3d4e5f6` |
| MikroTik | `AA:BB:CC:DD:EE:FF` (uppercase) | `A1:B2:C3:D4:E5:F6` |
| Ruckus | `AA-BB-CC-DD-EE-FF` (uppercase) | `A1-B2-C3-D4-E5-F6` |

Important: The username and password in IronWiFi must match the exact format your AP sends. The formats above are typical defaults; on many platforms the delimiter and case are configurable, so check the authentication logs in the IronWiFi Console to verify the format your APs actually send.

Bulk Device Registration

For registering many devices at once:

CSV Import

  1. Prepare a CSV file with one device per row
  2. Navigate to Users > Import
  3. Upload the CSV file
  4. Review and confirm the import
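The two things that go wrong in bulk registration are format drift (the inventory system holds `A1:B2:C3:D4:E5:F6`, the Cisco AP sends `a1b2.c3d4.e5f6`) and the same device appearing twice under different spellings. The script below, an added example that is not IronWiFi's code or import template, normalizes every address to the vendor format from the table above and writes the rows for an import. The CSV header (username, password, full_name, group) is an assumption chosen to mirror the fields in the registration steps; replace it with the columns the console's import dialog expects. The sample inventory is constructed.

```python
"""Normalize MAC addresses to the format an AP vendor sends, then build rows
for a bulk import. Added example, not IronWiFi code. The CSV header is an
assumption; use the column names the console's import dialog documents."""
import csv
import io
import re

# (delimiter, hex digits per group, uppercase) per vendor, from the page's
# table. Assumed to be vendor defaults; most platforms let you change them.
VENDOR_FORMATS = {
    "cisco":    (".", 4, False),   # aabb.ccdd.eeff
    "unifi":    (":", 2, False),   # aa:bb:cc:dd:ee:ff
    "aruba":    ("", 12, False),   # aabbccddeeff
    "mikrotik": (":", 2, True),    # AA:BB:CC:DD:EE:FF
    "ruckus":   ("-", 2, True),    # AA-BB-CC-DD-EE-FF
}

# Accept only the layouts the page lists (hyphen/colon pairs, dotted quads,
# bare 12 digits); anything else is rejected rather than guessed at.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12})$",
    re.IGNORECASE,
)


def is_valid_mac(raw: str) -> bool:
    return bool(_MAC_RE.match(raw.strip()))


def canonical_mac(raw: str) -> str:
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    text = raw.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {raw!r}")
    return re.sub(r"[:.\-]", "", text).lower()


def format_mac(raw: str, vendor: str) -> str:
    """Render a MAC exactly as the named vendor's AP puts it in User-Name."""
    sep, group, upper = VENDOR_FORMATS[vendor]
    digits = canonical_mac(raw)
    if upper:
        digits = digits.upper()
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def build_import_csv(devices, vendor: str):
    """devices: iterable of (mac, full_name, group) from any source system.

    Returns (csv_text, duplicates). Username and password are both the MAC in
    the vendor's format, as the registration steps require. Rows that resolve
    to the same MAC after normalization are reported instead of written twice.
    """
    seen, duplicates = set(), []
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["username", "password", "full_name", "group"])  # assumed header
    for mac, full_name, group in devices:
        key = canonical_mac(mac)
        if key in seen:
            duplicates.append(mac)
            continue
        seen.add(key)
        username = format_mac(mac, vendor)
        writer.writerow([username, username, full_name, group])
    return out.getvalue(), duplicates


if __name__ == "__main__":
    # Constructed sample inventory: mixed formats and one duplicate device.
    inventory = [
        ("A1:B2:C3:D4:E5:F6", "Lobby Printer - HP LaserJet", "Printers"),
        ("a1b2.c3d4.e5f6", "Lobby Printer (duplicate row)", "Printers"),
        ("00-11-22-33-44-55", "Conference Room TV - Samsung", "IoT Devices"),
    ]
    text, dups = build_import_csv(inventory, "cisco")
    print(text)
    print("duplicates:", dups)
```

Run it once per vendor you operate; a site with Cisco and UniFi APs needs two exports, because the same printer has two usernames.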

API-Based Registration

For automated device registration workflows:

See the REST API documentation for details.

Device Groups and Policies

Creating Device Groups

Organize devices into groups with shared policies:

  1. Navigate to Users > Groups
  2. Click Add Group
  3. Create groups based on device type or security requirements:

IoT Devices Group:

Printers Group:

Corporate Laptops Group:

Policy Hierarchy

When a device belongs to multiple groups, attribute precedence applies:

  1. User-level attributes override group-level attributes
  2. Group priority determines which group's attributes take precedence when groups conflict
  3. First match for check attributes

See Groups and Attributes for details on attribute precedence.

Device Lifecycle Management

Device Onboarding Workflow

Establish a standard process for adding new devices to the network:

Enabling and Disabling Devices

Temporarily disable a device without deleting its registration:

  1. Navigate to Users > search for the device (by MAC address)
  2. Open the device entry
  3. Set Status to Disabled
  4. Click Save

The device is immediately denied authentication. Re-enable by setting Status back to Enabled.

Decommissioning Devices

When a device is permanently retired:

  1. Navigate to Users > search for the device
  2. Disable the device first (to immediately block access)
  3. Record the device details for audit purposes
  4. Delete the user entry
  5. Update your asset management system

Device Validity Periods

Set automatic expiration for temporary or contractor devices:

  1. Navigate to Users > select the device entry
  2. Set Valid From and Valid To dates
  3. The device automatically stops authenticating after the Valid To date

BYOD Policies

BYOD Architecture with IronWiFi

BYOD Registration Options

| Method | User Experience | Security | Control |
| --- | --- | --- | --- |
| Self-Service Portal | User registers their device via captive portal | Moderate | Device MAC recorded |
| Sponsored Access | Manager approves the device | High | Approval workflow |
| MDM Enrollment | User installs MDM profile | Highest | Full device management |
| Admin Registration | IT manually registers the device | High | Full control |

Self-Service BYOD Registration

Allow employees to register their personal devices:

  1. Create a captive portal for BYOD registration:
     • Navigate to Captive Portals > Create Portal
     • Authentication: SAML (so employees use their corporate credentials)
     • Enable device registration (MAC address is captured automatically)
  2. The employee connects to the BYOD SSID
  3. The captive portal redirects them to authenticate with corporate credentials
  4. After authentication, the device's MAC address is registered in IronWiFi
  5. On subsequent connections, the device authenticates by MAC address against RADIUS, with no portal interaction

The MAC captured in step 4 is whatever the device presented. A phone with a private (random) address enabled registers its per-network random MAC, which keeps working until the user forgets and rejoins the network; see Private MAC Address Handling below.

BYOD Bandwidth Policies

Apply different bandwidth policies to personal vs. corporate devices:

BYOD Device Group:

Corporate Device Group:

BYOD Security Considerations

  1. Network isolation -- Place BYOD devices on a separate VLAN from corporate resources
  2. Limited access -- BYOD VLAN should only access the internet, not internal servers
  3. Bandwidth limits -- Prevent BYOD devices from consuming excessive bandwidth
  4. Session limits -- Limit concurrent BYOD devices per user (e.g., 2)
  5. Expiration -- Set validity periods so registrations expire and must be renewed

Private MAC Address Handling

The Private MAC Address Challenge

Modern operating systems use random (private) MAC addresses to protect user privacy:

  • iOS 14+ -- Private WiFi Address enabled by default
  • Android 10+ -- Randomized MAC per network
  • Windows 10/11 -- Random hardware addresses option

This breaks MAC-based authentication because the address the device presents is not its hardware MAC: it is generated per network, changes if the network is forgotten and rejoined, and on some OS versions can also rotate on a schedule (for example the Windows "Change daily" option). A device registered under its hardware MAC, or under a random MAC that has since changed, is rejected.

Solutions for Private MAC Addresses

| Solution | Approach | Drawback |
| --- | --- | --- |
| Disable private MAC | Instruct users to disable private MAC for your network | Requires user action |
| MDM enforcement | Push WiFi profile with MAC randomization disabled | Only works for managed devices |
| 802.1X authentication | Use username/password or certificates instead of MAC | Requires 802.1X supplicant |
| Accept random MACs | Register the random MAC instead of the real one | MAC changes if network is forgotten |

Disabling Private MAC (User Instructions):

iOS:

  1. Settings > WiFi
  2. Tap the (i) next to the network name
  3. Toggle off Private WiFi Address
  4. Rejoin the network

Android:

  1. Settings > WiFi
  2. Long-press the network name > Modify network
  3. Set Privacy to Use device MAC
  4. Save and reconnect

Windows:

  1. Settings > Network & Internet > WiFi
  2. Open the properties of the network
  3. Set Random hardware addresses to Off

Tip: For managed devices, push a WiFi profile via MDM that disables MAC randomization for your network. This avoids relying on users to change settings manually.

Monitoring and Reporting

Device Authentication Monitoring

Track device authentication activity:

  1. Navigate to Logs > Authentication Logs
  2. Filter by the device group or specific MAC addresses
  3. Review:
    • Successful vs. failed authentications
    • Authentication frequency
    • Unusual access times
    • Unknown MAC addresses attempting authentication

Device Inventory Report

Maintain an up-to-date device inventory:

  1. Navigate to Users
  2. Filter by device groups
  3. Export the list for asset management
  4. Cross-reference with your organization's device inventory

Detecting Unauthorized Devices

Monitor for devices that are not registered but attempt to authenticate:

  1. Review authentication failures in the logs
  2. Filter for MAC-related rejections
  3. Investigate unknown MAC addresses
  4. Register legitimate devices or investigate potential security incidents
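The three reviews above (unknown MACs, spoofing, private addresses) can be done in one pass over an export of the authentication log. The script below is an added example, not IronWiFi's code or log format: the column layout (timestamp, site, NAS identifier, Calling-Station-Id, result) and the sample lines are constructed stand-ins for whatever the console exports, so map the fields before using it. It sorts rejections into unregistered devices versus phones and laptops presenting a randomized address (recognized by the locally-administered bit, 0x02 in the first octet, which iOS, Android and Windows set on random MACs), and flags a registered MAC accepted at two sites closer together in time than a device could physically move.

```python
"""Triage of MAC-authentication log lines. Added example, not IronWiFi code;
the log layout and sample lines are constructed, and the registered-device
set would normally come from a Users export."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumed.
SAMPLE_LOG = """\
timestamp,site,nas_id,calling_station_id,result
2024-05-06T08:01:10,HQ,ap-hq-01,A1-B2-C3-D4-E5-F6,accept
2024-05-06T08:03:42,HQ,ap-hq-02,3A-7F-11-22-33-44,reject
2024-05-06T08:05:05,HQ,ap-hq-01,00-11-22-33-44-55,reject
2024-05-06T08:09:30,Warehouse,ap-wh-01,A1-B2-C3-D4-E5-F6,accept
2024-05-06T08:40:00,HQ,ap-hq-03,00-11-22-33-44-55,reject
"""

REGISTERED = {"a1b2c3d4e5f6"}   # constructed; canonical form of registered MACs


def canonical_mac(raw: str) -> str:
    """Logs arrive in any vendor format; reduce to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def is_locally_administered(mac12: str) -> bool:
    """Bit 0x02 of the first octet set: locally administered, which is how
    iOS/Android/Windows mark the randomized (private) addresses they generate."""
    return bool(int(mac12[:2], 16) & 0x02)


def triage(log_text: str, registered: set, travel_window=timedelta(minutes=30)):
    """Return a list of (kind, canonical_mac, detail) findings.

    kinds: unknown-device, private-mac, registered-but-rejected, possible-spoof.
    travel_window is the shortest plausible time to move between two sites.
    """
    findings, reported, last_accept = [], set(), {}
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = canonical_mac(row["calling_station_id"])
        when = datetime.fromisoformat(row["timestamp"])
        if row["result"] == "reject":
            if mac in registered:
                kind, detail = "registered-but-rejected", "check format, status and validity dates"
            elif is_locally_administered(mac):
                kind, detail = "private-mac", f"random address seen on {row['nas_id']}"
            else:
                kind, detail = "unknown-device", f"first seen on {row['nas_id']}"
            if (kind, mac) not in reported:       # one finding per device, not per attempt
                reported.add((kind, mac))
                findings.append((kind, mac, detail))
        else:
            prev = last_accept.get(mac)
            if prev and prev[1] != row["site"] and when - prev[0] < travel_window:
                findings.append(("possible-spoof", mac,
                                 f"{prev[1]} then {row['site']} within {when - prev[0]}"))
            last_accept[mac] = (when, row["site"])
    return findings


if __name__ == "__main__":
    for kind, mac, detail in triage(SAMPLE_LOG, REGISTERED):
        print(f"{kind:24} {mac}  {detail}")
```

A "possible-spoof" finding is the case the best-practices list calls "MAC addresses appearing from unexpected locations"; the window should be tuned per site pair, and the check only has meaning for devices that do not move (printers, displays), so run it against the static device groups.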

Device Management Best Practices

Registration

  1. Standardize MAC format -- Use the same format consistently (match your AP vendor's format)
  2. Descriptive names -- Include device type, location, and model in the full name
  3. Group everything -- Always assign devices to groups for consistent policy
  4. Set validity periods -- Temporary devices should have expiration dates
  5. Use bulk import -- Register many devices at once via CSV for large deployments

Security

  1. Dedicated VLANs -- MAC-authenticated devices should be on isolated VLANs
  2. Firewall rules -- Restrict what MAC-authenticated VLANs can access
  3. Prefer 802.1X -- Use certificate or password authentication when the device supports it
  4. Monitor for spoofing -- Watch for MAC addresses appearing from unexpected locations
  5. Regular audits -- Review registered devices quarterly, remove decommissioned ones

Lifecycle

  1. Document the process -- Create clear procedures for device onboarding and decommissioning
  2. Assign ownership -- Every device should have an owner or responsible department
  3. Automate where possible -- Use the API for automated registration and deregistration
  4. Integrate with ITAM -- Sync device registrations with your IT Asset Management system
  5. Plan for scale -- Use groups and automation for deployments with hundreds of devices

Troubleshooting

Device Cannot Authenticate via MAC

| Cause | Solution |
| --- | --- |
| MAC format mismatch | Check AP logs for the exact format sent; update the user entry to match |
| Device using private/random MAC | Disable private MAC address on the device (see above) |
| User entry disabled | Enable the device user entry in the IronWiFi Console |
| Wrong group or missing attributes | Verify the device is in the correct group with reply attributes |
| AP not configured for MAB | Enable MAC Authentication Bypass on the AP/controller |

Device Gets Wrong VLAN

| Cause | Solution |
| --- | --- |
| Missing VLAN attributes | Add Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802), and Tunnel-Private-Group-Id (the VLAN ID) to the group; all three are needed |
| Group attribute conflict | Check if the device belongs to multiple groups with different VLAN assignments |
| AP does not support dynamic VLAN | Verify your AP supports RADIUS-assigned VLANs |
| VLAN does not exist on switch | Create the VLAN on the switch/controller that the AP connects to |
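Both troubleshooting tables come down to the contents of two RADIUS packets: the Access-Request the AP builds from the MAC, and the Access-Accept carrying the VLAN triple. The script below, an added example that is not IronWiFi's or any vendor's implementation, builds both sides of that exchange from RFC 2865 (packet layout, User-Password hiding, Response Authenticator) and RFC 2868/3580 (the Tunnel-* VLAN attributes) with no external libraries. It reproduces the first row of each table: a request whose MAC is in a different format from the registered entry is rejected, and an Accept is only treated as a VLAN assignment when the triple is complete and its Response Authenticator verifies. The shared secret, MAC and VLAN ID are constructed sample values.

```python
"""MAB exchange built from the RFCs. Added example, not IronWiFi or vendor code.
Follows RFC 2865 (packet layout, User-Password hiding, Response Authenticator)
and RFC 2868/3580 (Tunnel-* VLAN attributes). Secret, MAC and VLAN are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6                       # RFC 2865
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
SERVICE_TYPE_CALL_CHECK = 10          # Service-Type carried by MAB requests
NAS_PORT_TYPE_WIRELESS_80211 = 19
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                       # RFC 3580

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _xor_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, mask))
        prev = result if hiding else chunk
        out += result
    return out

def hide_password(password, secret, authenticator):
    return _xor_blocks(password, secret, authenticator, hiding=True)

def unhide_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def parse_attributes(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_mab_request(mac_as_sent, secret, identifier=7, authenticator=None):
    """AP side. User-Name and User-Password are both the MAC in the AP's own
    format, which the registered entry must match exactly. (On many vendors
    Calling-Station-Id uses a different format from User-Name.)"""
    ra = authenticator or os.urandom(16)
    mac = mac_as_sent.encode()
    attrs = (_attr(USER_NAME, mac)
             + _attr(USER_PASSWORD, hide_password(mac, secret, ra))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _attr(CALLING_STATION_ID, mac)
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs

def server_reply(request, secret, registered, vlan_by_group):
    """Server side. registered: {username: (password, group)} as entered in the
    console; vlan_by_group stands in for the group's VLAN reply attributes."""
    attrs = dict(parse_attributes(request))
    password = unhide_password(attrs[USER_PASSWORD], secret, request[4:20])
    entry = registered.get(attrs[USER_NAME].decode())
    code, reply_attrs = ACCESS_REJECT, b""
    if entry and hmac.compare_digest(password, entry[0].encode()):
        code, tag = ACCESS_ACCEPT, b"\x01"   # tag octet groups the three attributes
        reply_attrs = (_attr(TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
                       + _attr(TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
                       + _attr(TUNNEL_PRIVATE_GROUP_ID, tag + vlan_by_group[entry[1]].encode()))
    header = struct.pack("!BBH", code, request[1], 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request[4:20] + reply_attrs + secret).digest()
    return header + resp_auth + reply_attrs

def verify_reply(reply, request, secret):
    """AP side: a reply with a bad Response Authenticator (forged, replayed, or
    wrong secret) must be dropped, never acted on."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)

def assigned_vlan(reply):
    """VLAN from the Tunnel-* triple, or None when it is incomplete or inconsistent."""
    ttype = medium = group = None
    for atype, value in parse_attributes(reply):
        if atype == TUNNEL_TYPE:
            ttype = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:   # first octet is a tag only if <= 0x1F
            group = (value[1:] if value and value[0] <= 0x1F else value).decode()
    if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 and group:
        return group
    return None
```

To see the format-mismatch row of the first table, register `{"a1b2.c3d4.e5f6": ("a1b2.c3d4.e5f6", "Printers")}` with `{"Printers": "30"}` and send the same device as `a1:b2:c3:d4:e5:f6`: the server cannot find the entry and answers with a Reject, and `assigned_vlan` returns `None` for it just as it does for an Accept that is missing one of the three Tunnel attributes.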

Registered Device Rejected

  1. Check the authentication logs for the rejection reason
  2. Verify the MAC address format matches exactly
  3. Confirm the device user entry is enabled
  4. Check validity dates (Valid From / Valid To)
  5. Verify the group has the correct attributes
