I'd like to allow iPads to connect to Cisco VPN using EAP-PEAP. To keep non-corporate devices from connecting by using their credentials, I'd like to confirm some of the endpoint details. Problem is, the Wi-Fi MAC is not sent in the RADIUS message, so the endpoint attributes are not shown. I need to figure out how to identify the iPad when it connects so I can allow/disallow it.
One thing I noticed is that the UDID of the iPad is sent as a Cisco AV Pair attribute. I'm wondering if I could somehow leverage this. The endpoint repository already has this attribute since ClearPass syncs with the devices' MDM server. Is there any way to take the AV Pair attribute from the request, search for it in the endpoint repository, and then confirm that the device is enrolled in MDM?
Other ideas are welcome. Thank you.