Windows 10 Random Mac Address
Phil Mayers
p.mayers at imperial.ac.uk
Tue Sep 1 12:44:14 CEST 2015
On 29/08/15 14:36, Alan DeKok wrote:
> For personal security and privacy, it's a good idea. The end device
> can still be identified via other means, but they're not as good /
> unique.
Their implementation is pretty good - sticky per SSID until the network
is forgotten/reconfiged or "daily", randomised for probes to avoid
geographical tracking.
I think it's a non-issue for wireless networks in general. *Those*
clients should be using 802.1x anyway (but see below).
>
> MAC auth was always a hack. People should use 802.1X instead.
True, but even on 802.11, there's plenty of kit that doesn't support
802.1x - games consoles, smart TVs and other entertainment boxes are a
great example.
In "dense" network environments e.g. student residences, you can either:
1. Deploy a separate WPA PSK SSID per-customer (!) and hand out the
PSK manually - lots of beacon frames, horrible RF performance
2. Use a single WPA PSK SSID and key the PSK off the client MAC address
3. Don't use WPA
4. Don't let the devices on the network
It's also worth pointing out that we're a long way from 802.1x being
usable on wired networks in unmanaged/BYOD/public access areas - there's
a bunch of caveats, ranging from wired 802.1x supplicants being disabled
by default on most OSes (and wired ethernet lacking a link-layer
handshake protocol like 802.11 to signal use of 802.1x) to switch
vendors having terrible implementations e.g. "wait 3 EAP timeouts before
fallback to MAC auth", which can be 60 seconds, in which time your old
print server / CCTV device / BEMS/SCADA system has fallen silent and
needs manual intervention.
MAC auth in general will be around for a while I fear :o(
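
An added example, not part of the original post: once clients present randomised addresses, a MAC-auth policy keyed on registered addresses stops matching them, so it helps to tell a likely randomised address apart from an unregistered burned-in one. The sketch assumes the MAC arrives in the RADIUS Calling-Station-Id attribute; the sample requests, the SSID name and the registration set are constructed.

```python
import re

# Constructed sample of MAC-auth requests: (Calling-Station-Id, SSID).
SAMPLE_REQUESTS = [
    ("00-1A-2B-3C-4D-5E", "halls-psk"),   # registered console, burned-in address
    ("da:a1:19:00:11:22", "halls-psk"),   # locally administered, likely randomised
    ("0011.2233.4455", "halls-psk"),      # globally unique but never registered
    ("not-a-mac", "halls-psk"),           # malformed value
]
REGISTERED = {"001a2b3c4d5e"}  # hypothetical registration database


def normalise_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def is_locally_administered(mac):
    """True for unicast addresses with the locally administered bit (0x02) set.

    Randomised client addresses carry this bit, but so do some virtual
    interfaces, so treat it as a hint rather than proof.
    """
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01


def classify(value, registered):
    """Classify one Calling-Station-Id for a MAC-auth decision."""
    mac = normalise_mac(value)
    if mac is None:
        return "malformed"
    if mac in registered:
        return "known"
    if is_locally_administered(mac):
        return "randomised"
    return "unknown"


def review(requests, registered):
    """Return {classification: [(raw value, ssid), ...]} for a batch of requests."""
    report = {}
    for value, ssid in requests:
        report.setdefault(classify(value, registered), []).append((value, ssid))
    return report


if __name__ == "__main__":
    for label, hits in review(SAMPLE_REQUESTS, REGISTERED).items():
        print(label, hits)
```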