I need to only allow a device to onboard if the user is authorized to do so and if the device is corporately owned. I currently have this working via a combination of AD user and static host list. I received a request to key off of the device IMEI instead of the MAC contained in the static host list. I know that it can be matched using a RADIUS: Aruba condition in a mapping rule, but I'm going to have a very large number of devices. Adding each device IMEI as a condition just isn't realistic in my opinion.
Ultimately, it comes down to being sure that we know the device being onboarded should be on the network. Since MACs can be spoofed, I need to consider what options I have to say with a large degree of certainty that only our assets are on the network.