MAC address Randomization

Peter Lambrechtsen peter at crypt.nz
Tue Jul 28 23:10:55 CEST 2020


I personally don't think it's going to be a large issue for admins /
operators.

Just stop using MAC addresses for authentication and move to one of the
various EAP solutions.

or

If you need to maintain MAC address auth add to your onboarding or captive
portal process for the end users a prompt "We see you're coming from an iOS
device so please make sure in the advanced settings turn off the MAC
address randomisation setting for this Wireless network, otherwise if you
disconnect and reconnect you will need to login again" and include a
screenshot showing how to turn the setting off.

I think it will be far more of an issue in residential broadband
environments with some routers having (extremely unfortunate) limits of 32
active devices with 7 day DHCP leases and when devices connect / disconnect
you could easily max out the connections.

On Wed, Jul 29, 2020 at 7:58 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 28, 2020, at 3:50 PM, Eric Aguilar <agueric at gmail.com> wrote:
> > I wanted to exchange some ideas on the impact we will all have on the MAC
> > address randomization being implemented as an enabled by default feature on
> > iOS14 Apple Devices (https://support.apple.com/en-us/HT211227).
> >
> > Some authentication procedures on our networks are based on the MAC address
> > so I think the impact is going to be huge and certainly, analytics and
> > accounting will be impacted as well.
>
>   Yes.  It will become more difficult to track individual devices.
>
> > ¿What are your thoughts on this?
>
>   Mixed.  If you're on a public network, MAC address randomization is good
> for the user.  If you're on a private network, then MAC address
> randomization is bad for the admins.
>
>   Apple should really allow it to be configured per SSID, or even as part
> of any certificate the device uses for authentication.
>
> > ¿What are some workarounds we should implement? ¿are there any?
>
>   Move to EAP-TLS with client certificates.  But the user can still
> install the same client cert on multiple devices.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
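
One way a captive portal or accounting script could decide when to show the prompt suggested in the message above, and see how many addresses a small DHCP pool would have to hold, as an added example that is not part of the original thread. It assumes randomized addresses are unicast with the locally administered bit set in the first octet; the function names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

_SEPARATORS = re.compile(r"[:.\-\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    mac = _SEPARATORS.sub("", value).lower()
    return mac if _HEX12.fullmatch(mac) else None

def is_locally_administered(mac):
    """True for a unicast address with the locally administered bit (0x02) set."""
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01

def summarize(records):
    """Group (user, Calling-Station-Id) pairs into stable/randomized MAC sets."""
    summary = defaultdict(lambda: {"stable": set(), "randomized": set(), "invalid": 0})
    for user, station_id in records:
        mac = normalize_mac(station_id)
        if mac is None:
            summary[user]["invalid"] += 1          # malformed attribute, count it
        elif is_locally_administered(mac):
            summary[user]["randomized"].add(mac)   # assumed private/random address
        else:
            summary[user]["stable"].add(mac)       # vendor-assigned (OUI) address
    return dict(summary)

def users_to_prompt(summary):
    """Users seen with at least one randomized MAC, sorted for stable output."""
    return sorted(u for u, s in summary.items() if s["randomized"])

def distinct_macs(summary):
    """Distinct addresses overall; each one would hold its own DHCP lease."""
    return len(set().union(*(s["stable"] | s["randomized"] for s in summary.values())))

# Constructed sample records (User-Name, Calling-Station-Id); not real data.
SAMPLE = [
    ("alice", "3C-22-FB-12-34-56"),   # stable address
    ("alice", "da:a1:19:00:11:22"),   # locally administered, first join
    ("alice", "f6a1.1900.3344"),      # locally administered, after rejoin
    ("bob", "00-11-22-33-44-55"),     # stable address
    ("bob", "not-a-mac"),             # malformed value
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(users_to_prompt(result), distinct_macs(result))
```
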

