MAC address Randomization

MAC address Randomization

Eric Aguilar
Hello!

I wanted to exchange some ideas on the impact we will all have on the MAC
address randomization being implemented as an enabled by default feature on
iOS14 Apple Devices (https://support.apple.com/en-us/HT211227).

Some authentication procedures on our networks are based on the MAC address
so I think the impact is going to be huge and certainly, analytics and
accounting will be impacted as well.

What are your thoughts on this?
What are some workarounds we should implement? Are there any?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC address Randomization

Alan DeKok-2
On Jul 28, 2020, at 3:50 PM, Eric Aguilar <[hidden email]> wrote:
> I wanted to exchange some ideas on the impact we will all have on the MAC
> address randomization being implemented as an enabled by default feature on
> iOS14 Apple Devices (https://support.apple.com/en-us/HT211227).
>
> Some authentication procedures on our networks are based on the MAC address
> so I think the impact is going to be huge and certainly, analytics and
> accounting will be impacted as well.

  Yes.  It will become more difficult to track individual devices.

> What are your thoughts on this?

  Mixed.  If you're on a public network, MAC address randomization is good for the user.  If you're on a private network, then MAC address randomization is bad for the admins.

  Apple should really allow it to be configured per SSID, or even as part of any certificate the device uses for authentication.

> What are some workarounds we should implement? Are there any?

  Move to EAP-TLS with client certificates.  But the user can still install the same client cert on multiple devices.

  Alan DeKok.



Re: MAC address Randomization

Peter Lambrechtsen-4
I personally don't think it's going to be a large issue for admins /
operators.

Just stop using MAC addresses for authentication and move to one of the
various EAP solutions.

or

If you need to maintain MAC address auth add to your onboarding or captive
portal process for the end users a prompt "We see you're coming from an iOS
device so please make sure in the advanced settings turn off the MAC
address randomisation setting for this Wireless network, otherwise if you
disconnect and reconnect you will need to login again" and include a
screenshot showing how to turn the setting off.

I think it will be far more of an issue in residential broadband
environments with some routers having (extremely unfortunate) limits of 32
active devices with 7 day DHCP leases and when devices connect / disconnect
you could easily max out the connections.

On Wed, Jul 29, 2020 at 7:58 AM Alan DeKok <[hidden email]>
wrote:

> On Jul 28, 2020, at 3:50 PM, Eric Aguilar <[hidden email]> wrote:
> > I wanted to exchange some ideas on the impact we will all have on the MAC
> > address randomization being implemented as an enabled by default feature on
> > iOS14 Apple Devices (https://support.apple.com/en-us/HT211227).
> >
> > Some authentication procedures on our networks are based on the MAC address
> > so I think the impact is going to be huge and certainly, analytics and
> > accounting will be impacted as well.
>
>   Yes.  It will become more difficult to track individual devices.
>
> > What are your thoughts on this?
>
>   Mixed.  If you're on a public network, MAC address randomization is good for the user.  If you're on a private network, then MAC address randomization is bad for the admins.
>
>   Apple should really allow it to be configured per SSID, or even as part of any certificate the device uses for authentication.
>
> > What are some workarounds we should implement? Are there any?
>
>   Move to EAP-TLS with client certificates.  But the user can still install the same client cert on multiple devices.
>
>   Alan DeKok.
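An added example, not code from any poster in this thread or from FreeRADIUS: one way a captive portal or accounting job could decide when to show the prompt Peter describes, by checking whether a Calling-Station-Id is a locally administered (private) MAC. It assumes randomized addresses set the locally administered bit of the first octet; the function names and sample records are hypothetical.

```python
import re
from collections import defaultdict

def normalize_mac(calling_station_id):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    # NAS vendors send aa-bb-..., aa:bb:... or aabb.ccdd.eeff notations.
    digits = re.sub(r"[-:.\s]", "", calling_station_id.lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def classify(calling_station_id):
    """'private', 'universal' or 'invalid' for one Calling-Station-Id value."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "invalid"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:      # group bit: never a valid station address
        return "invalid"
    # Bit 0x02 of the first octet marks a locally administered address.
    # Heuristic only: VMs and hand-set MACs also carry this bit.
    return "private" if first_octet & 0x02 else "universal"

def private_macs_by_user(records):
    """Map User-Name -> sorted private MACs seen, for (user, csid) pairs."""
    seen = defaultdict(set)
    for user, csid in records:
        if classify(csid) == "private":
            seen[user].add(normalize_mac(csid))
    return {user: sorted(macs) for user, macs in seen.items()}

# Constructed sample records (User-Name, Calling-Station-Id); not real data.
SAMPLE = [
    ("alice", "3E:5A:11:22:33:44"),
    ("alice", "76-0c-9f-00-11-22"),
    ("bob",   "F0-18-98-AA-BB-CC"),
    ("carol", "daa1.1900.0001"),
    ("bob",   "garbage"),
]

if __name__ == "__main__":
    for user, macs in private_macs_by_user(SAMPLE).items():
        print(f"{user}: show the prompt; private MACs seen: {', '.join(macs)}")
```

A user with more than one private MAC in the result is a sign that MAC-keyed sessions or accounting for that user are already being split across addresses.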