It's hardly any worse than creating AD user accounts where the password equals the username and that string is almost always printed on the device itself somewhere.
Regardless, of what best practices should be, I was merely looking for some technical guidance on the best way to procede. Can you confirm that I can implement mac auth chained with PEAP using FreeRADIUS where aruba is the client and AD is used to authenticate PEAP while something else (LDAP, PostgreSQL, a file, whatever) is used to authenticate mac address?
My goal for the authentication to go as follows:
Wireless device joins SSID, first the MAC address is checked to see if it is whitelisted, if it is then the device is joined, if it isn't, then a username/password (PEAP) is expected from the client to be authenticated against AD.
Thanks.