Windows 10 Random Mac Address

Phil Mayers p.mayers at
Tue Sep 1 12:44:14 CEST 2015

On 29/08/15 14:36, Alan DeKok wrote:

> For personal security and privacy, it's a good idea.  The end device
> can still be identified via other means, but they're not as good /
> unique.

Their implementation is pretty good - sticky per SSID until the network 
is forgotten/reconfiged or "daily", randomised for probes to avoid 
geographical tracking.

I think it's a non-issue for wireless network in general. *Those* 
clients should be using 802.1x anyway (but see below).

> MAC auth was always a hack.  People should use 802.1X instead.

True, but even on 802.11, there's plenty of kit that doesn't support 
802.1x - games consoles, smart TVs and other entertainment boxes are a 
great example.

In "dense" network environments e.g. student residences, you can either:

  1. Deploy a separate WPA PSK SSID per-customer (!) and hand out the 
PSK manually - lots of beacon frames, horrible RF performance

  2. Use a single WPA PSK SSID and key the PSK off the client MAC address

  3. Don't use WPA

  4. Don't let the devices on the network

It's also worth pointing out that we're a long way from 802.1x being 
usable on wired networks in unmanaged/BYOD/public access areas - there's 
a bunch of caveats, ranging from wired 802.1x supplicants being disabled 
by default on most OSes (and wired ethernet lacking a link-layer 
handshake protocol like 802.11 to signal use of 802.1x) to switch 
vendors having terrible implementations e.g. "wait 3 EAP timeouts before 
fallback to MAC auth", which can be 60 seconds, in which time your old 
print server / CCTV device / BEMS/SCADA system has fallen silent and 
needs manual intervention.

MAC auth in general will be around for a while I fear :o(

More information about the Freeradius-Users mailing list