Re: How to activate MAC address randomization?

2016-08-31 Thread Chris Laprise

On 08/30/2016 07:49 AM, Thomas Haller wrote:
> Hi,
>
> as a follow-up, I tried to explain the new options here:
> https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
>
> Otherwise, our documentation should answer all your questions
> -- if you don't understand something from our manual pages, we'd like
> to improve them.
>
> Thomas



The blog post does explain the 'stable' option pretty well, though the 
'Supported Modes' looks a little too terse to explain the new behaviors 
('stable' would seem to be a non-random option). At first glance, the 
expanded options look very useful.


But the new NM is not yet working for me... see new troubleshooting thread.


Chris
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: How to activate MAC address randomization?

2016-08-30 Thread Thomas Haller
Hi,

as a follow-up, I tried to explain the new options here:
https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/

Otherwise, our documentation should answer all your questions
-- if you don't understand something from our manual pages, we'd like
to improve them.


Thomas



Re: How to activate MAC address randomization?

2016-07-11 Thread poma
On 06.07.2016 17:41, Thomas Haller wrote:
> On Wed, 2016-07-06 at 16:45 +0200, poma wrote:
>> On 18.06.2016 14:36, Chris Laprise wrote:
>>
>> [...]
>>
>>> Is there more of a consensus now on this issue?
>>>
>>> My last attempt at using NM 1.2 with wpas 2.4 and iwlwifi driver
>>> (which 
>>> supposedly uses nl80211) resulted in NM saying it couldn't turn 
>>> randomization on.
>>>
>>> If I compile the latest NM 1.2 and wpas 2.5 master branches, should
>>> it 
>>> work? My objective is to document the conditions and steps needed
>>> to get 
>>> wifi randomization operational on Qubes OS, which is based on
>>> fedora.
>>>
>>> Chris
>>>
>>
>>
>> Have you tested recent Haller's commits?
>> "wifi: implement MAC address randomization in NetworkManager instead
>> of supplicant"
>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?qt=grep=randomization
> 
> Hi poma,
> 
> 
> I wanted to reply to this thread, explaining what I changed there... I
> forgot, ...
> 
> 
> on master (upcoming 1.4.0) wpa-supplicant is no longer used to
> randomize MAC addresses. Instead it's done by NetworkManager.
> Also, this also works now with ethernet, not only Wi-Fi.
> 
> 
> 
> Again, randomization during Wi-Fi scanning is enabled by default. It
> can be disabled per-device via NetworkManager.conf:
>   [device]
>   wifi.scan-rand-mac-address=no
> See `man NetworkManager.conf`.
> 
> 
> For randomization during connection, the wifi.mac-address-randomization
> setting is deprecated (but still used in case you have old connections
> on disc).
> Now, you configure instead wifi.cloned-mac-address (or
> ethernet.cloned-mac-address). See `man nm-settings`.
> 
>   nmcli connection modify $MY_WIFI wifi.cloned-mac-address stable
> 
> 


Vorsprung durch Technik


Tested, and
basic, Pre-association / Scanning -and- Association / Connection - random MAC 
address works

/etc/NetworkManager/NetworkManager.conf
...
[connection]
# deprecated - see 'man 5 NetworkManager.conf / nm-settings':
# wifi.mac-address-randomization=2
#
# replacement:
wifi.cloned-mac-address=random

[device]
# default:
# wifi.scan-rand-mac-address=yes


Test builds - Fedora:
http://goo.gl/Gm4ffO
net/


Repairs double "random" ethernet / wifi assigned-mac-address value description 
for NM-SETTINGS(5)
---
 libnm-core/nm-setting-wired.c| 2 +-
 libnm-core/nm-setting-wireless.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libnm-core/nm-setting-wired.c b/libnm-core/nm-setting-wired.c
index 66ed9c4..fc5ab3e 100644
--- a/libnm-core/nm-setting-wired.c
+++ b/libnm-core/nm-setting-wired.c
@@ -1151,7 +1151,7 @@ nm_setting_wired_class_init (NMSettingWiredClass 
*setting_wired_class)
 * format: string
 * description: The new field for the cloned MAC address. It can be 
either
 *   a hardware address in ASCII representation, or one of the special 
values
-*   "preserve", "permanent", "random", "random" or "stable".
+*   "preserve", "permanent", "random" or "stable".
 *   This field replaces the deprecated "cloned-mac-address" on D-Bus, 
which
 *   can only contain explict hardware addresses.
 * ---end---
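Review bot: The trailing context of this hunk still reads "can only contain explict hardware addresses"; since the patch is already correcting this same description block, fix the spelling to "explicit" in the same change so the generated nm-settings(5) entry is clean in one pass.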
diff --git a/libnm-core/nm-setting-wireless.c b/libnm-core/nm-setting-wireless.c
index 2aa29c9..a7f58fe 100644
--- a/libnm-core/nm-setting-wireless.c
+++ b/libnm-core/nm-setting-wireless.c
@@ -1392,7 +1392,7 @@ nm_setting_wireless_class_init (NMSettingWirelessClass 
*setting_wireless_class)
 * format: string
 * description: The new field for the cloned MAC address. It can be 
either
 *   a hardware address in ASCII representation, or one of the special 
values
-*   "preserve", "permanent", "random", "random" or "stable".
+*   "preserve", "permanent", "random" or "stable".
 *   This field replaces the deprecated "cloned-mac-address" on D-Bus, 
which
 *   can only contain explict hardware addresses.
 * ---end---
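Review bot: The description in this hunk still only enumerates "preserve", "permanent", "random" and "stable" without saying what each value does, so a reader of the generated manual entry cannot tell them apart; add a short gloss per value to this comment. The text is a verbatim copy of the wired one, so the "explict" typo in the trailing context needs the same fix here.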
-- 

> 
> 
> 
> Related expert options are:
> 
>   * per-connection (man nm-settings):
> 
>     - "connection.stable-id", which affects the generated ID for
>       with "cloned-mac-address=stable". If you have multiple 
>       connections that should generate the same MAC address.
> 
>     - "wifi.generate-mac-address-mask",
>       "ethernet.generate-mac-address-mask"
> 
>   * per-device (man NetworkManager.conf):
> 
>     - "wifi.scan-generate-mac-address-mask"
> 
> 
> 
> Thomas
> 


Chris, tested expert options?



Re: How to activate MAC address randomization?

2016-07-06 Thread Thomas Haller
On Wed, 2016-07-06 at 16:45 +0200, poma wrote:
> On 18.06.2016 14:36, Chris Laprise wrote:
> 
> [...]
> 
> > Is there more of a consensus now on this issue?
> > 
> > My last attempt at using NM 1.2 with wpas 2.4 and iwlwifi driver
> > (which 
> > supposedly uses nl80211) resulted in NM saying it couldn't turn 
> > randomization on.
> > 
> > If I compile the latest NM 1.2 and wpas 2.5 master branches, should
> > it 
> > work? My objective is to document the conditions and steps needed
> > to get 
> > wifi randomization operational on Qubes OS, which is based on
> > fedora.
> > 
> > Chris
> > 
> 
> 
> Have you tested recent Haller's commits?
> "wifi: implement MAC address randomization in NetworkManager instead
> of supplicant"
> https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?qt=grep=randomization

Hi poma,


I wanted to reply to this thread, explaining what I changed there... I
forgot, ...


on master (upcoming 1.4.0) wpa-supplicant is no longer used to
randomize MAC addresses. Instead it's done by NetworkManager.
Also, this also works now with ethernet, not only Wi-Fi.



Again, randomization during Wi-Fi scanning is enabled by default. It
can be disabled per-device via NetworkManager.conf:
  [device]
  wifi.scan-rand-mac-address=no
See `man NetworkManager.conf`.


For randomization during connection, the wifi.mac-address-randomization
setting is deprecated (but still used in case you have old connections
on disc).
Now, you configure instead wifi.cloned-mac-address (or
ethernet.cloned-mac-address). See `man nm-settings`.

  nmcli connection modify $MY_WIFI wifi.cloned-mac-address stable





Related expert options are:

  * per-connection (man nm-settings):

    - "connection.stable-id", which affects the generated ID for
      with "cloned-mac-address=stable". If you have multiple 
      connections that should generate the same MAC address.

    - "wifi.generate-mac-address-mask",
      "ethernet.generate-mac-address-mask"

  * per-device (man NetworkManager.conf):

    - "wifi.scan-generate-mac-address-mask"



Thomas
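
Added example, not part of the original message or of NetworkManager: a small Python check of a NetworkManager.conf against the settings named above (the deprecated `wifi.mac-address-randomization`, the `*.cloned-mac-address` values, and `wifi.scan-rand-mac-address`). The function name, the finding codes and both sample files are this example's own; it assumes defaults live in sections whose names start with `connection` or `device`.

```python
import configparser
import re

# Special values listed in the nm-settings description quoted in this thread.
SPECIAL_VALUES = {"preserve", "permanent", "random", "stable"}
GENERATED_VALUES = {"random", "stable"}
HWADDR = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
FALSE_VALUES = {"no", "false", "off", "0"}
CLONED_KEYS = ("wifi.cloned-mac-address", "ethernet.cloned-mac-address")
DEPRECATED_KEY = "wifi.mac-address-randomization"
SCAN_KEY = "wifi.scan-rand-mac-address"


def audit(conf_text):
    """Return a list of (section, key, code) findings for MAC-related settings."""
    parser = configparser.ConfigParser(
        delimiters=("=",),      # MAC values contain ':' so only '=' separates
        interpolation=None,
        strict=False,           # tolerate repeated sections
    )
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        opts = parser[section]
        if section.startswith("connection"):
            if DEPRECATED_KEY in opts:
                findings.append((section, DEPRECATED_KEY, "deprecated"))
            for key in CLONED_KEYS:
                if key not in opts:
                    continue
                value = opts[key].strip().lower()
                if value in GENERATED_VALUES:
                    continue
                if value in SPECIAL_VALUES or HWADDR.match(value):
                    # preserve / permanent / explicit address: nothing generated
                    findings.append((section, key, "fixed-address"))
                else:
                    findings.append((section, key, "invalid-value"))
        elif section.startswith("device"):
            value = opts.get(SCAN_KEY)
            if value is not None and value.strip().lower() in FALSE_VALUES:
                findings.append((section, SCAN_KEY, "scan-randomization-off"))
    return findings


# Constructed sample: deprecated key still in use, scan randomization disabled.
WEAK_CONF = """\
[connection]
wifi.mac-address-randomization=2
ethernet.cloned-mac-address=permanent

[device]
wifi.scan-rand-mac-address=no
"""

# Constructed sample using the replacement setting described in the message.
CORRECTED_CONF = """\
[connection]
wifi.cloned-mac-address=random

[device]
wifi.scan-rand-mac-address=yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("corrected", CORRECTED_CONF)):
        print(name)
        for section, key, code in audit(text) or [("-", "-", "no findings")]:
            print(f"  [{section}] {key}: {code}")
```
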




Re: How to activate MAC address randomization?

2016-07-06 Thread poma
On 18.06.2016 14:36, Chris Laprise wrote:

[...]

> Is there more of a consensus now on this issue?
> 
> My last attempt at using NM 1.2 with wpas 2.4 and iwlwifi driver (which 
> supposedly uses nl80211) resulted in NM saying it couldn't turn 
> randomization on.
> 
> If I compile the latest NM 1.2 and wpas 2.5 master branches, should it 
> work? My objective is to document the conditions and steps needed to get 
> wifi randomization operational on Qubes OS, which is based on fedora.
> 
> Chris
> 


Have you tested recent Haller's commits?
"wifi: implement MAC address randomization in NetworkManager instead of 
supplicant"
https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?qt=grep=randomization




Re: How to activate MAC address randomization?

2016-06-18 Thread Chris Laprise



On 05/25/2016 10:56 AM, Dan Williams wrote:
> NM always requests that non-associated scans (eg, before you've
> connected to a wifi network) be randomized by default.  You can
> (through the mac randomization property) request that the association
> address also be randomized.
>
> You can also use the cloned MAC address property to set a specific MAC
> address for the association, on a per-connection basis.  If you choose
> "always" for mac randomization, that overrides the cloned mac address.
>
> As far as we know, and as far as we've tested, these both work
> correctly when wpa_supplicant support exists and the driver uses the
> nl80211 kernel API.  Out-of-tree and WEXT-based drivers may not work
> correctly.
>
> There does seem to be some confusion about the issue as you can see
> from this thread, so we're trying to investigate that and clear things
> up.  But when the features were added, they worked.
>
> Dan



Hi Dan,

Is there more of a consensus now on this issue?

My last attempt at using NM 1.2 with wpas 2.4 and iwlwifi driver (which 
supposedly uses nl80211) resulted in NM saying it couldn't turn 
randomization on.


If I compile the latest NM 1.2 and wpas 2.5 master branches, should it 
work? My objective is to document the conditions and steps needed to get 
wifi randomization operational on Qubes OS, which is based on fedora.


Chris


Re: How to activate MAC address randomization?

2016-05-26 Thread Chris Laprise



On 05/25/2016 10:56 AM, Dan Williams wrote:
> On Wed, 2016-05-18 at 21:10 -0400, Chris Laprise wrote:
> > On 05/18/2016 02:25 PM, Dan Williams wrote:
> > > Randomization happens in the supplicant, and the supplicant also
> > > controls scanning.  If randomization is enabled, the supplicant will
> > > change the MAC address before it scans, so this should not be a
> > > problem.
> > >
> > > Of course, if you run 'iw dev wlan0 scan' manually, that does not go
> > > through the supplicant, and you will leak your MAC.
> > >
> > > If you use NM's MAC cloning functionality, then yes, that might leak
> > > your MAC because that only clones the MAC address for the duration of
> > > the connection to a specific access point.  It's not randomization,
> > > it's the same as ethernet MAC cloning.
> >
> > It does seem like a primary use case for randomization would be random
> > addresses during scans only, and transition to chosen non-original
> > addresses for connections (per-AP). The users and admins aren't going to
> > think to themselves: "We're going to assign different addresses to these
> > connections, so we're OK with the hardware address coming through." Not
> > if they're using pre-connection randomization (which should be
> > considered the operational norm by now).
> >
> > And it's not that connection randomization isn't important, too. I just
> > think that pre-connection randomization would work very well towards
> > privacy if the 'randomization' were on a per-AP basis and not a
> > per-session basis (the latter being less compatible with some
> > institutional security schemes). Per-AP is more realistic and far more
> > likely to be used.
> >
> > So I would like to know if NM can coordinate with supplicant well enough
> > to transition the NIC between randomized pre-connection scanning and
> > statically-spoofed connections without allowing the original address to
> > be broadcast.
>
> NM always requests that non-associated scans (eg, before you've
> connected to a wifi network) be randomized by default.  You can
> (through the mac randomization property) request that the association
> address also be randomized.
>
> You can also use the cloned MAC address property to set a specific MAC
> address for the association, on a per-connection basis.  If you choose
> "always" for mac randomization, that overrides the cloned mac address.
>
> As far as we know, and as far as we've tested, these both work
> correctly when wpa_supplicant support exists and the driver uses the
> nl80211 kernel API.  Out-of-tree and WEXT-based drivers may not work
> correctly.
>
> There does seem to be some confusion about the issue as you can see
> from this thread, so we're trying to investigate that and clear things
> up.  But when the features were added, they worked.
>
> Dan


Thanks to all of you for the clarifications and for addressing the 
remaining issues.


Chris



Re: How to activate MAC address randomization?

2016-05-26 Thread poma
On 24.05.2016 18:18, poma wrote:
> [...]
> 
> However working Association / Connection random MAC address only applies to 
> the:
> 1. wpa_supplicant (Client) -> wpa_supplicant (Hotspot)
> 2. wpa_supplicant (Client) -> NetworkManager (Hotspot)
> 
> but not for:
> 3. NetworkManager (Client) -> NetworkManager (Hotspot)
> 
> 

Showcase,
if applied - for 'MacAddr', the same mechanism as for 'PreassocMacAddr';

sed -i 's/PreassocMacAddr/MacAddr/' src/supplicant-manager/nm-supplicant-interface.c
---
 src/supplicant-manager/nm-supplicant-interface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/supplicant-manager/nm-supplicant-interface.c 
b/src/supplicant-manager/nm-supplicant-interface.c
index ce7a2a2..b9cafc3 100644
--- a/src/supplicant-manager/nm-supplicant-interface.c
+++ b/src/supplicant-manager/nm-supplicant-interface.c
@@ -552,7 +552,7 @@ iface_introspect_cb (GDBusProxy *proxy, GAsyncResult 
*result, gpointer user_data
if (strstr (data, "ProbeRequest"))
priv->ap_support = NM_SUPPLICANT_FEATURE_YES;
 
-   if (strstr (data, "PreassocMacAddr")) {
+   if (strstr (data, "MacAddr")) {
priv->mac_randomization_support = 
NM_SUPPLICANT_FEATURE_YES;
 
/* Turn on MAC randomization during scans by default */
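Review bot: strstr (data, "MacAddr") in the changed condition is a substring match, and "PreassocMacAddr" itself contains "MacAddr", so the check also succeeds against a supplicant whose introspection data exposes only PreassocMacAddr; mac_randomization_support would then be set to NM_SUPPLICANT_FEATURE_YES even though the property being set later is absent. Match the full quoted property name instead of a bare substring. The unchanged comment "Turn on MAC randomization during scans by default" also no longer describes the code that follows it.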
@@ -561,7 +561,7 @@ iface_introspect_cb (GDBusProxy *proxy, GAsyncResult 
*result, gpointer user_data
   DBUS_INTERFACE_PROPERTIES ".Set",
   g_variant_new ("(ssv)",
  
WPAS_DBUS_IFACE_INTERFACE,
- "PreassocMacAddr",
+ "MacAddr",
  g_variant_new_string 
("1")),
   G_DBUS_CALL_FLAGS_NONE,
   -1,
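Review bot: The Set call now writes "MacAddr" in place of "PreassocMacAddr" rather than in addition to it, so after this change nothing in the visible code requests scan-time randomization, although the comment above the call still says that is what is being turned on. If both phases are meant to be covered, keep the original PreassocMacAddr call and add a second Set for MacAddr, gated on its own feature check.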

 = Client =

# journalctl -o cat -b -u NetworkManager | grep -i mac
NetworkManager[2098]:   [...] sup-iface[...,wlp0s2f1u3]: config: set MAC 
randomization to 1

# nmcli connection show WiFiRd | grep rand
802-11-wireless.mac-address-randomization:default

# journalctl -o cat -b -u wpa_supplicant.service | grep -i mac
wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
wlp0s2f1u3: WPS: UUID based on MAC address: [...]
properties_get_or_set: Set(MacAddr)
mac_addr=1
properties_get_or_set: Set(MacAddr)
mac_addr=1
nl80211: set_mac_addr for wlp0s2f1u3 to be:7f:1b:50:34:0b
wlp0s2f1u3: Using random MAC address be:7f:1b:50:34:0b

$ macchanger -s wlp0s2f1u3
Current MAC:   be:7f:1b:50:34:0b (unknown)
Permanent MAC: 00:aa:bb:cc:dd:ee (...)


 = Hotspot =

# journalctl -o cat -b -u wpa_supplicant.service | grep 
'00:aa:bb:cc:dd:ee\|be:7f:1b:50:34:0b'
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlp2s2f7u2(ee:dd:cc:bb:aa:00) 
A1=ff:ff:ff:ff:ff:ff A2=00:aa:bb:cc:dd:ee
nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=00:aa:bb:cc:dd:ee 
bssid=ff:ff:ff:ff:ff:ff freq=2412 ssi_signal=-19 fc=0x40 seq_ctrl=0xdc0 stype=4 
(WLAN_FC_STYPE_PROBE_REQ) len=42
nl80211: send_mlme - da= 00:aa:bb:cc:dd:ee noack=1 freq=0 no_cck=0 offchanok=0 
wait_time=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
...
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlp2s2f7u2(ee:dd:cc:bb:aa:00) 
A1=ee:dd:cc:bb:aa:00 A2=be:7f:1b:50:34:0b
nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=be:7f:1b:50:34:0b 
bssid=ee:dd:cc:bb:aa:00 freq=2412 ssi_signal=-15 fc=0xb0 seq_ctrl=0x0 stype=11 
(WLAN_FC_STYPE_AUTH) len=30
authentication: STA=be:7f:1b:50:34:0b auth_alg=0 auth_transaction=1 
status_code=0 wep=0 seq_ctrl=0x0
ap_sta_add: register ap_handle_timer timeout for be:7f:1b:50:34:0b (300 seconds 
- ap_max_inactivity)
nl80211: sta_remove -> DEL_STATION wlp2s2f7u2 be:7f:1b:50:34:0b --> -2 (No such 
file or directory)
nl80211: Add STA be:7f:1b:50:34:0b
hostapd_logger: STA be:7f:1b:50:34:0b - authentication OK (open system)
hostapd_logger: STA be:7f:1b:50:34:0b - 
MLME-AUTHENTICATE.indication(be:7f:1b:50:34:0b, OPEN_SYSTEM)
hostapd_logger: STA be:7f:1b:50:34:0b - 
MLME-DELETEKEYS.request(be:7f:1b:50:34:0b)
authentication reply: STA=be:7f:1b:50:34:0b auth_alg=0 auth_transaction=2 
resp=0 (IE len=0)
nl80211: send_mlme - da= be:7f:1b:50:34:0b noack=0 freq=0 no_cck=0 offchanok=0 
wait_time=0 fc=0xb0 (WLAN_FC_STYPE_AUTH) nlmode=3
nl80211: New station be:7f:1b:50:34:0b
nl80211: MLME event 59 (NL80211_CMD_FRAME) on wlp2s2f7u2(ee:dd:cc:bb:aa:00) 
A1=ee:dd:cc:bb:aa:00 A2=be:7f:1b:50:34:0b
nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=be:7f:1b:50:34:0b 
bssid=ee:dd:cc:bb:aa:00 freq=2412 ssi_signal=-15 fc=0x0 seq_ctrl=0x10 stype=0 
(WLAN_FC_STYPE_ASSOC_REQ) len=110
association request: STA=be:7f:1b:50:34:0b capab_info=0x411 listen_interval=3 
seq_ctrl=0x10
HT: STA be:7f:1b:50:34:0b HT Capabilities Info: 0x19ee
update_sta_ht STA be:7f:1b:50:34:0b - no greenfield, num of non-gf stations 1
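
Added example, not part of any post in this thread: the hotspot-side check done above by grepping for the two client addresses, written as a Python parser that reports which address the client used while scanning and while associating. Function names and phase labels are this example's own; the two samples are trimmed from the hotspot excerpts quoted in the thread, and the input is assumed to be already narrowed to the client under test.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# One "RX frame" record. \s+ between fields and the paren-free gap before the
# subtype let a record span the wrapped lines seen in mailed log excerpts.
RX_FRAME = re.compile(
    rf"RX frame\s+da=(?P<da>{MAC})\s+sa=(?P<sa>{MAC})\s+bssid=(?P<bssid>{MAC})"
    rf"(?:(?!RX frame)[^()])*?\((?P<stype>WLAN_FC_STYPE_\w+)\)",
    re.IGNORECASE,
)

PHASE = {
    "WLAN_FC_STYPE_PROBE_REQ": "scan",
    "WLAN_FC_STYPE_AUTH": "association",
    "WLAN_FC_STYPE_ASSOC_REQ": "association",
}
SEVERITY = ["not seen", "randomized", "other address", "exposed"]


def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (all random MACs in the thread)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_rx_frames(log_text):
    """Extract source address, BSSID and frame subtype from each RX frame record."""
    return [
        {"sa": m["sa"].lower(), "bssid": m["bssid"].lower(), "stype": m["stype"].upper()}
        for m in RX_FRAME.finditer(log_text)
    ]


def find_leaks(log_text, permanent_mac):
    """Frames whose source address is the client's permanent MAC."""
    permanent_mac = permanent_mac.lower()
    return [
        (f["stype"], f["sa"])
        for f in parse_rx_frames(log_text)
        if f["sa"] == permanent_mac
    ]


def phase_report(log_text, permanent_mac):
    """Worst status seen per phase: exposed > other address > randomized."""
    permanent_mac = permanent_mac.lower()
    report = {"scan": "not seen", "association": "not seen"}
    for frame in parse_rx_frames(log_text):
        phase = PHASE.get(frame["stype"])
        if phase is None:
            continue
        if frame["sa"] == permanent_mac:
            status = "exposed"
        elif is_locally_administered(frame["sa"]):
            status = "randomized"
        else:
            status = "other address"
        if SEVERITY.index(status) > SEVERITY.index(report[phase]):
            report[phase] = status
    return report


# Trimmed from the hotspot log of the patched-NetworkManager client test above.
NM_CLIENT_HOTSPOT_LOG = """\
nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=00:aa:bb:cc:dd:ee
bssid=ff:ff:ff:ff:ff:ff freq=2412 ssi_signal=-19 fc=0x40 seq_ctrl=0xdc0 stype=4
(WLAN_FC_STYPE_PROBE_REQ) len=42
nl80211: send_mlme - da= 00:aa:bb:cc:dd:ee noack=1 freq=0 no_cck=0 offchanok=0
wait_time=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=be:7f:1b:50:34:0b
bssid=ee:dd:cc:bb:aa:00 freq=2412 ssi_signal=-15 fc=0xb0 seq_ctrl=0x0 stype=11
(WLAN_FC_STYPE_AUTH) len=30
nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=be:7f:1b:50:34:0b
bssid=ee:dd:cc:bb:aa:00 freq=2412 ssi_signal=-15 fc=0x0 seq_ctrl=0x10 stype=0
(WLAN_FC_STYPE_ASSOC_REQ) len=110
"""

# Trimmed from the hotspot log of the preassoc_mac_addr=1 test in this thread.
PREASSOC_HOTSPOT_LOG = """\
nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=4a:b1:d6:28:4c:90
bssid=ff:ff:ff:ff:ff:ff freq=2462 ssi_signal=-19 fc=0x40 seq_ctrl=0x3b20
stype=4 (WLAN_FC_STYPE_PROBE_REQ) len=83
nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=00:aa:bb:cc:dd:ee
bssid=ee:dd:cc:bb:aa:00 freq=2462 ssi_signal=-19 fc=0x8b0 seq_ctrl=0x3b60
stype=11 (WLAN_FC_STYPE_AUTH) len=30
"""

if __name__ == "__main__":
    permanent = "00:aa:bb:cc:dd:ee"
    for name, log in (("NM client", NM_CLIENT_HOTSPOT_LOG),
                      ("preassoc only", PREASSOC_HOTSPOT_LOG)):
        print(name, phase_report(log, permanent), find_leaks(log, permanent))
```
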

Re: How to activate MAC address randomization?

2016-05-26 Thread poma
On 25.05.2016 16:56, Dan Williams wrote:
> On Wed, 2016-05-18 at 21:10 -0400, Chris Laprise wrote:
>>
>> On 05/18/2016 02:25 PM, Dan Williams wrote:
>>>
>>>
>>> Randomization happens in the supplicant, and the supplicant also
>>> controls scanning.  If randomization is enabled, the supplicant
>>> will
>>> change the MAC address before it scans, so this should not be a
>>> problem.
>>>
>>> Of course, if you run 'iw dev wlan0 scan' manually, that does not
>>> go
>>> through the supplicant, and you will leak your MAC.
>>>
>>> If you use NM's MAC cloning functionality, then yes, that might
>>> leak
>>> your MAC because that only clones the MAC address for the duration
>>> of
>>> the connection to a specific access point.  It's not randomization,
>>> it's the same as ethernet MAC cloning.
>> It does seem like a primary use case for randomization would be
>> random 
>> addresses during scans only, and transition to chosen non-original 
>> addresses for connections (per-AP). The users and admins aren't going
>> to 
>> think to themselves: "We're going to assign different addresses to
>> these 
>> connections, so we're OK with the hardware address coming through."
>> Not 
>> if they're using pre-connection randomization (which should be 
>> considered the operational norm by now).
>>
>> And it's not that connection randomization isn't important, too. I
>> just 
>> think that pre-connection randomization would work very well towards 
>> privacy if the 'randomization' were on a per-AP basis and not a 
>> per-session basis (the latter being less compatible with some 
>> institutional security schemes). Per-AP is more realistic and far
>> more 
>> likely to be used.
>>
>> So I would like to know if NM can coordinate with supplicant well
>> enough 
>> to transition the NIC between randomized pre-connection scanning and 
>> statically-spoofed connections without allowing the original address
>> to 
>> be broadcast.
> 
> NM always requests that non-associated scans (eg, before you've
> connected to a wifi network) be randomized by default.  You can
> (through the mac randomization property) request that the association
> address also be randomized.
> 
> You can also use the cloned MAC address property to set a specific MAC
> address for the association, on a per-connection basis.  If you choose
> "always" for mac randomization, that overrides the cloned mac address.
> 
> As far as we know, and as far as we've tested, these both work
> correctly when wpa_supplicant support exists and the driver uses the
> nl80211 kernel API.  Out-of-tree and WEXT-based drivers may not work
> correctly.
> 
> There does seem to be some confusion about the issue as you can see
> from this thread, so we're trying to investigate that and clear things
> up.  But when the features were added, they worked.
> 

On what -particular- commit you are referring to, as "worked" one?
Ref.
https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?qt=grep=randomization




Re: How to activate MAC address randomization?

2016-05-25 Thread Dan Williams
On Wed, 2016-05-18 at 21:10 -0400, Chris Laprise wrote:
> 
> On 05/18/2016 02:25 PM, Dan Williams wrote:
> > 
> > 
> > Randomization happens in the supplicant, and the supplicant also
> > controls scanning.  If randomization is enabled, the supplicant
> > will
> > change the MAC address before it scans, so this should not be a
> > problem.
> > 
> > Of course, if you run 'iw dev wlan0 scan' manually, that does not
> > go
> > through the supplicant, and you will leak your MAC.
> > 
> > If you use NM's MAC cloning functionality, then yes, that might
> > leak
> > your MAC because that only clones the MAC address for the duration
> > of
> > the connection to a specific access point.  It's not randomization,
> > it's the same as ethernet MAC cloning.
> It does seem like a primary use case for randomization would be
> random 
> addresses during scans only, and transition to chosen non-original 
> addresses for connections (per-AP). The users and admins aren't going
> to 
> think to themselves: "We're going to assign different addresses to
> these 
> connections, so we're OK with the hardware address coming through."
> Not 
> if they're using pre-connection randomization (which should be 
> considered the operational norm by now).
> 
> And it's not that connection randomization isn't important, too. I
> just 
> think that pre-connection randomization would work very well towards 
> privacy if the 'randomization' were on a per-AP basis and not a 
> per-session basis (the latter being less compatible with some 
> institutional security schemes). Per-AP is more realistic and far
> more 
> likely to be used.
> 
> So I would like to know if NM can coordinate with supplicant well
> enough 
> to transition the NIC between randomized pre-connection scanning and 
> statically-spoofed connections without allowing the original address
> to 
> be broadcast.

NM always requests that non-associated scans (eg, before you've
connected to a wifi network) be randomized by default.  You can
(through the mac randomization property) request that the association
address also be randomized.

You can also use the cloned MAC address property to set a specific MAC
address for the association, on a per-connection basis.  If you choose
"always" for mac randomization, that overrides the cloned mac address.

As far as we know, and as far as we've tested, these both work
correctly when wpa_supplicant support exists and the driver uses the
nl80211 kernel API.  Out-of-tree and WEXT-based drivers may not work
correctly.

There does seem to be some confusion about the issue as you can see
from this thread, so we're trying to investigate that and clear things
up.  But when the features were added, they worked.

Dan

> 
> > 
> > If you're looking for a more generic MAC randomization feature that
> > also works for ethernet, then yes that would be NM's
> > responsibility.
> >   Internally NM would handle ethernet MAC randomization itself, but
> > delegate to the supplicant for WiFi.  Since the supplicant handles
> > scanning, it must also handle WiFi MAC randomization to ensure
> > synchronization of the changes.
> > 
> > Dan
> Ethernet is probably not as pressing a concern because of the
> physical 
> link aspect, but thanks for the insight.
> 
> Chris
> 


Re: How to activate MAC address randomization?

2016-05-24 Thread poma
[...]

However working Association / Connection random MAC address only applies to the:
1. wpa_supplicant (Client) -> wpa_supplicant (Hotspot)
2. wpa_supplicant (Client) -> NetworkManager (Hotspot)

but not for:
3. NetworkManager (Client) -> NetworkManager (Hotspot)




Re: How to activate MAC address randomization?

2016-05-24 Thread poma
On 24.05.2016 16:46, poma wrote:
> On 24.05.2016 13:22, poma wrote:
>>
>> [...] NetworkManager [...]
>>
>> WPA Supplicant comparative test
>> - wpa_supplicant v2.6-devel git a26c9c2 2016-05-20
>> - Linux 4.6
>> - QEMU emulator version 2.6.0 (Hotspot)
>>
>>
>> Pre-association / Scanning random MAC address
>>
>>  = Client (mt7601u) =
>>
>> # grep -v '^#\|^$' /etc/wpa_supplicant.conf
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=wheel
>> preassoc_mac_addr=1
>> network={
>> ssid="WiFiRd"
>> bssid=ee:dd:cc:bb:aa:00
>> key_mgmt=WPA-PSK
>> psk="**"
>> }
>>
>>
>> # wpa_supplicant -i wlp0s2f1u3 -c /etc/wpa_supplicant.conf -d -f 
>> wpasuplog.txt
>>
>>
>> # grep -i 'mac\|rand\|connected' wpasuplog.txt
>> random: Trying to read entropy from /dev/random
>> preassoc_mac_addr=1
>> wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
>> wlp0s2f1u3: WPS: UUID based on MAC address: [...]
>> EAPOL: SUPP_PAE entering state DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
>> random: Got 20/20 bytes from /dev/random
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> nl80211: set_mac_addr for wlp0s2f1u3 to 4a:b1:d6:28:4c:90
>> wlp0s2f1u3: Using random MAC address 4a:b1:d6:28:4c:90
>> nl80211: set_mac_addr for wlp0s2f1u3 to 00:aa:bb:cc:dd:ee
>> wlp0s2f1u3: Using permanent MAC address
>> wlp0s2f1u3: CTRL-EVENT-CONNECTED - Connection to ee:dd:cc:bb:aa:00 completed 
>> [id=0 id_str=]
>> ...
>>
>>
>>
>>  = Hotspot (rt2800usb) =
>>
>> # grep -v '^#\|^$' /etc/wpa_supplicant.conf 
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=wheel
>> network={
>> ssid="WiFiRd"
>> key_mgmt=WPA-PSK
>> psk="**"
>> mode=2
>> }
>>
>>
>> # wpa_supplicant -i wlp2s2f7u2 -c /etc/wpa_supplicant.conf -d -f 
>> wpasuplog.txt
>>
>>
>> # grep -i '4a:b1:d6:28:4c:90\|00:aa:bb:cc:dd:ee' wpasuplog.txt
>> nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=4a:b1:d6:28:4c:90 
>> bssid=ff:ff:ff:ff:ff:ff freq=2462 ssi_signal=-19 fc=0x40 seq_ctrl=0x3b20 
>> stype=4 (WLAN_FC_STYPE_PROBE_REQ) len=83
>> nl80211: send_mlme - da= 4a:b1:d6:28:4c:90 noack=1 freq=0 no_cck=0 
>> offchanok=0 wait_time=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
>> nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=00:aa:bb:cc:dd:ee 
>> bssid=ee:dd:cc:bb:aa:00 freq=2462 ssi_signal=-19 fc=0x8b0 seq_ctrl=0x3b60 
>> stype=11 (WLAN_FC_STYPE_AUTH) len=30
>> ...
>> wlp2s2f7u2: AP-STA-CONNECTED 00:aa:bb:cc:dd:ee
>> ...
>>
>>
>> ~~~
>>
>>
>> Association / Connection random MAC address
>>
>>
>>  = Client (mt7601u) =
>>
>> # grep -v '^#\|^$' /etc/wpa_supplicant.conf
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=wheel
>> mac_addr=1
>> network={
>> ssid="WiFiRd"
>> bssid=ee:dd:cc:bb:aa:00
>> key_mgmt=WPA-PSK
>> psk="**"
>> }
>>
>>
>> # wpa_supplicant -i wlp0s2f1u3 -c /etc/wpa_supplicant.conf -d -f 
>> wpasuplog.txt
>>
>>
>> # grep -i 'mac\|rand\|connected' wpasuplog.txt
>> random: Trying to read entropy from /dev/random
>> mac_addr=1
>> wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
>> wlp0s2f1u3: WPS: UUID based on MAC address: [...]
>> EAPOL: SUPP_PAE entering state DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
>> random: Got 20/20 bytes from /dev/random
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> nl80211: set_mac_addr for wlp0s2f1u3 to 0e:5d:07:b0:73:a6
>> wlp0s2f1u3: Using random MAC address 0e:5d:07:b0:73:a6
>> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
>> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
>> wlp0s2f1u3: Request to deauthenticate - bssid=00:00:00:00:00:00 
>> pending_bssid=00:00:00:00:00:00 reason=3 state=DISCONNECTED
>> wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
>>
>>
>>
>>  = Hotspot (rt2800usb) =
>>
>> # grep -v '^#\|^$' /etc/wpa_supplicant.conf 
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=wheel
>> network={
>> ssid="WiFiRd"
>> key_mgmt=WPA-PSK
>> psk="**"
>> mode=2
>> }
>>
>>
>> # wpa_supplicant -i wlp2s2f7u2 -c /etc/wpa_supplicant.conf -d -f 
>> wpasuplog.txt
>>
>>
>> # grep -i acknowledge wpasuplog.txt
>> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
>> response
>> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
>> response
>> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
>> response
>> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge 

Re: How to activate MAC address randomization?

2016-05-24 Thread poma
On 24.05.2016 13:22, poma wrote:
> 
> [...] NetworkManager [...]
> 
> WPA Supplicant comparative test
> - wpa_supplicant v2.6-devel git a26c9c2 2016-05-20
> - Linux 4.6
> - QEMU emulator version 2.6.0 (Hotspot)
> 
> 
> Pre-association / Scanning random MAC address
> 
>  = Client (mt7601u) =
> 
> # grep -v '^#\|^$' /etc/wpa_supplicant.conf
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> preassoc_mac_addr=1
> network={
> ssid="WiFiRd"
> bssid=ee:dd:cc:bb:aa:00
> key_mgmt=WPA-PSK
> psk="**"
> }
> 
> 
> # wpa_supplicant -i wlp0s2f1u3 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt
> 
> 
> # grep -i 'mac\|rand\|connected' wpasuplog.txt
> random: Trying to read entropy from /dev/random
> preassoc_mac_addr=1
> wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
> wlp0s2f1u3: WPS: UUID based on MAC address: [...]
> EAPOL: SUPP_PAE entering state DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
> random: Got 20/20 bytes from /dev/random
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> nl80211: set_mac_addr for wlp0s2f1u3 to 4a:b1:d6:28:4c:90
> wlp0s2f1u3: Using random MAC address 4a:b1:d6:28:4c:90
> nl80211: set_mac_addr for wlp0s2f1u3 to 00:aa:bb:cc:dd:ee
> wlp0s2f1u3: Using permanent MAC address
> wlp0s2f1u3: CTRL-EVENT-CONNECTED - Connection to ee:dd:cc:bb:aa:00 completed 
> [id=0 id_str=]
> ...
> 
> 
> 
>  = Hotspot (rt2800usb) =
> 
> # grep -v '^#\|^$' /etc/wpa_supplicant.conf 
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
> ssid="WiFiRd"
> key_mgmt=WPA-PSK
> psk="**"
> mode=2
> }
> 
> 
> # wpa_supplicant -i wlp2s2f7u2 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt
> 
> 
> # grep -i '4a:b1:d6:28:4c:90\|00:aa:bb:cc:dd:ee' wpasuplog.txt
> nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=4a:b1:d6:28:4c:90 
> bssid=ff:ff:ff:ff:ff:ff freq=2462 ssi_signal=-19 fc=0x40 seq_ctrl=0x3b20 
> stype=4 (WLAN_FC_STYPE_PROBE_REQ) len=83
> nl80211: send_mlme - da= 4a:b1:d6:28:4c:90 noack=1 freq=0 no_cck=0 
> offchanok=0 wait_time=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
> nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=00:aa:bb:cc:dd:ee 
> bssid=ee:dd:cc:bb:aa:00 freq=2462 ssi_signal=-19 fc=0x8b0 seq_ctrl=0x3b60 
> stype=11 (WLAN_FC_STYPE_AUTH) len=30
> ...
> wlp2s2f7u2: AP-STA-CONNECTED 00:aa:bb:cc:dd:ee
> ...
> 
> 
> ~~~
> 
> 
> Association / Connection random MAC address
> 
> 
>  = Client (mt7601u) =
> 
> # grep -v '^#\|^$' /etc/wpa_supplicant.conf
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> mac_addr=1
> network={
> ssid="WiFiRd"
> bssid=ee:dd:cc:bb:aa:00
> key_mgmt=WPA-PSK
> psk="**"
> }
> 
> 
> # wpa_supplicant -i wlp0s2f1u3 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt
> 
> 
> # grep -i 'mac\|rand\|connected' wpasuplog.txt
> random: Trying to read entropy from /dev/random
> mac_addr=1
> wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
> wlp0s2f1u3: WPS: UUID based on MAC address: [...]
> EAPOL: SUPP_PAE entering state DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
> random: Got 20/20 bytes from /dev/random
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> nl80211: set_mac_addr for wlp0s2f1u3 to 0e:5d:07:b0:73:a6
> wlp0s2f1u3: Using random MAC address 0e:5d:07:b0:73:a6
> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> SCANNING
> wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
> wlp0s2f1u3: Request to deauthenticate - bssid=00:00:00:00:00:00 
> pending_bssid=00:00:00:00:00:00 reason=3 state=DISCONNECTED
> wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
> 
> 
> 
>  = Hotspot (rt2800usb) =
> 
> # grep -v '^#\|^$' /etc/wpa_supplicant.conf 
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
> ssid="WiFiRd"
> key_mgmt=WPA-PSK
> psk="**"
> mode=2
> }
> 
> 
> # wpa_supplicant -i wlp2s2f7u2 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt
> 
> 
> # grep -i acknowledge wpasuplog.txt
> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
> response
> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
> response
> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
> response
> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
> response
> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
> response
> hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge 

Re: How to activate MAC address randomization?

2016-05-24 Thread poma

[...] NetworkManager [...]

WPA Supplicant comparative test
- wpa_supplicant v2.6-devel git a26c9c2 2016-05-20
- Linux 4.6
- QEMU emulator version 2.6.0 (Hotspot)


Pre-association / Scanning random MAC address

 = Client (mt7601u) =

# grep -v '^#\|^$' /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
preassoc_mac_addr=1
network={
ssid="WiFiRd"
bssid=ee:dd:cc:bb:aa:00
key_mgmt=WPA-PSK
psk="**"
}


# wpa_supplicant -i wlp0s2f1u3 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt


# grep -i 'mac\|rand\|connected' wpasuplog.txt
random: Trying to read entropy from /dev/random
preassoc_mac_addr=1
wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
wlp0s2f1u3: WPS: UUID based on MAC address: [...]
EAPOL: SUPP_PAE entering state DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
random: Got 20/20 bytes from /dev/random
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
nl80211: set_mac_addr for wlp0s2f1u3 to 4a:b1:d6:28:4c:90
wlp0s2f1u3: Using random MAC address 4a:b1:d6:28:4c:90
nl80211: set_mac_addr for wlp0s2f1u3 to 00:aa:bb:cc:dd:ee
wlp0s2f1u3: Using permanent MAC address
wlp0s2f1u3: CTRL-EVENT-CONNECTED - Connection to ee:dd:cc:bb:aa:00 completed 
[id=0 id_str=]
...



 = Hotspot (rt2800usb) =

# grep -v '^#\|^$' /etc/wpa_supplicant.conf 
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
ssid="WiFiRd"
key_mgmt=WPA-PSK
psk="**"
mode=2
}


# wpa_supplicant -i wlp2s2f7u2 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt


# grep -i '4a:b1:d6:28:4c:90\|00:aa:bb:cc:dd:ee' wpasuplog.txt
nl80211: RX frame da=ff:ff:ff:ff:ff:ff sa=4a:b1:d6:28:4c:90 
bssid=ff:ff:ff:ff:ff:ff freq=2462 ssi_signal=-19 fc=0x40 seq_ctrl=0x3b20 
stype=4 (WLAN_FC_STYPE_PROBE_REQ) len=83
nl80211: send_mlme - da= 4a:b1:d6:28:4c:90 noack=1 freq=0 no_cck=0 offchanok=0 
wait_time=0 fc=0x50 (WLAN_FC_STYPE_PROBE_RESP) nlmode=3
nl80211: RX frame da=ee:dd:cc:bb:aa:00 sa=00:aa:bb:cc:dd:ee 
bssid=ee:dd:cc:bb:aa:00 freq=2462 ssi_signal=-19 fc=0x8b0 seq_ctrl=0x3b60 
stype=11 (WLAN_FC_STYPE_AUTH) len=30
...
wlp2s2f7u2: AP-STA-CONNECTED 00:aa:bb:cc:dd:ee
...


~~~


Association / Connection random MAC address


 = Client (mt7601u) =

# grep -v '^#\|^$' /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
mac_addr=1
network={
ssid="WiFiRd"
bssid=ee:dd:cc:bb:aa:00
key_mgmt=WPA-PSK
psk="**"
}


# wpa_supplicant -i wlp0s2f1u3 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt


# grep -i 'mac\|rand\|connected' wpasuplog.txt
random: Trying to read entropy from /dev/random
mac_addr=1
wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
wlp0s2f1u3: WPS: UUID based on MAC address: [...]
EAPOL: SUPP_PAE entering state DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED
random: Got 20/20 bytes from /dev/random
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
nl80211: set_mac_addr for wlp0s2f1u3 to 0e:5d:07:b0:73:a6
wlp0s2f1u3: Using random MAC address 0e:5d:07:b0:73:a6
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: Request to deauthenticate - bssid=00:00:00:00:00:00 
pending_bssid=00:00:00:00:00:00 reason=3 state=DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> DISCONNECTED



 = Hotspot (rt2800usb) =

# grep -v '^#\|^$' /etc/wpa_supplicant.conf 
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
ssid="WiFiRd"
key_mgmt=WPA-PSK
psk="**"
mode=2
}


# wpa_supplicant -i wlp2s2f7u2 -c /etc/wpa_supplicant.conf -d -f wpasuplog.txt


# grep -i acknowledge wpasuplog.txt
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge authentication 
response
hostapd_logger: STA 0e:5d:07:b0:73:a6 - did not acknowledge 
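The two client-side runs in the message above differ in which MAC address is in effect when authentication starts. As an added example (not part of the original post or of wpa_supplicant), the following check tracks that from `wpa_supplicant -d` output; the function names are hypothetical and the sample logs are constructed from the lines quoted in the thread.

```python
import re
from collections import Counter

MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
RE_OWN = re.compile(r"^\S+: Own MAC address: " + MAC)
RE_SET = re.compile(r"^nl80211: set_mac_addr for \S+ to " + MAC)
RE_STATE = re.compile(r"^\S+: State: (\S+) -> (\S+)")
RE_CONNECTED = re.compile(r"^\S+: CTRL-EVENT-CONNECTED - Connection to " + MAC)

# Constructed sample: preassoc_mac_addr=1 run (random MAC for scanning only).
PREASSOC_LOG = """\
wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
nl80211: set_mac_addr for wlp0s2f1u3 to 4a:b1:d6:28:4c:90
wlp0s2f1u3: Using random MAC address 4a:b1:d6:28:4c:90
nl80211: set_mac_addr for wlp0s2f1u3 to 00:aa:bb:cc:dd:ee
wlp0s2f1u3: Using permanent MAC address
wlp0s2f1u3: CTRL-EVENT-CONNECTED - Connection to ee:dd:cc:bb:aa:00 completed
"""

# Constructed sample: mac_addr=1 run (random MAC kept for the connection attempt).
ASSOC_LOG = """\
wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
nl80211: set_mac_addr for wlp0s2f1u3 to 0e:5d:07:b0:73:a6
wlp0s2f1u3: Using random MAC address 0e:5d:07:b0:73:a6
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
wlp0s2f1u3: State: DISCONNECTED -> SCANNING
wlp0s2f1u3: State: AUTHENTICATING -> DISCONNECTED
"""


def is_locally_administered(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def analyze(log_text):
    """Follow the MAC address in effect through a wpa_supplicant debug log."""
    permanent = None      # address reported as "Own MAC address"
    current = None        # address most recently applied to the interface
    random_macs = []      # applied addresses that differ from the permanent one
    failed_auth = Counter()
    connected_with = None
    bssid = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_OWN.match(line)
        if m:
            permanent = current = m.group(1).lower()
            continue
        m = RE_SET.match(line)
        if m:
            current = m.group(1).lower()
            if current != permanent and current not in random_macs:
                random_macs.append(current)
            continue
        m = RE_STATE.match(line)
        if m and m.groups() == ("AUTHENTICATING", "DISCONNECTED"):
            # An authentication attempt was abandoned with this source address.
            failed_auth[current] += 1
            continue
        m = RE_CONNECTED.match(line)
        if m:
            connected_with = current
            bssid = m.group(1).lower()
    return {
        "permanent": permanent,
        "random_macs": random_macs,
        "connected_with": connected_with,
        "bssid": bssid,
        "failed_auth": dict(failed_auth),
    }


def classify(report):
    """Summarise what the access point learned about the client address."""
    if not report["random_macs"]:
        return "no-randomization"
    if report["connected_with"] in report["random_macs"]:
        return "associated-with-random-mac"
    if report["connected_with"] is not None and \
            report["connected_with"] == report["permanent"]:
        # Probe requests were randomized, but the AP saw the hardware address.
        return "scan-only"
    if any(mac in report["random_macs"] for mac in report["failed_auth"]):
        return "random-mac-auth-failed"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in (("preassoc_mac_addr=1", PREASSOC_LOG), ("mac_addr=1", ASSOC_LOG)):
        rep = analyze(log)
        print(name, classify(rep), rep)
```

A "scan-only" result means the permanent address is still exposed to the access point on association, which matches the `AP-STA-CONNECTED 00:aa:bb:cc:dd:ee` line on the hotspot side.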

Re: How to activate MAC address randomization?

2016-05-22 Thread forum

> So, you had the right version of wpa-supplicant but it didn't work?
> Could you send a logfile of NM with TRACE logging enabled? 
>
>
>
It looks like the logging level is set to info by default.
>> As a side comment, If I use the "unsupported" wpa_supplicant version
>> (ie
>> the last stable), I cannot connect to the SSID if I ask for
>> randomization (always) and I have this error: "active connection
>> removed
>> before it was initialized". Of course, this doesn't happen if I build
>> wpa_supplicant from their master branch.
> that would be expected, no?

Yes, absolutely. It was just a comment to show that the master version
shows a different behavior, which is a positive signal.


> You should also see a message in the logfile:
> "Activation: (wifi) couldn't build wireless configuration: 802-11-
> wireless: cannot enable mac-randomization due to missing supplicant
> support"
> This is what I get on Fedora 23.
>
I have the same.


I dumped the useful journalctl part here:
pastebin.com/QKvfgyP0

my config (just for info)
pastebin.com/3KQTwXFA


Thanks.

-- 
François Boulogne.
http://www.sciunto.org
GPG: 32D5F22F




Re: How to activate MAC address randomization?

2016-05-22 Thread Thomas Haller
On Sun, 2016-05-22 at 15:43 +0200, fo...@sciunto.org wrote:
> Hi Thomas,

Hi,


> > Oh, I didn't actually test mac-addr-randomization myself :)
> > I am definitely interested whether it works for you (but I still
> > expect
> > it works, if wpa-supplicant has support).
> I made further test with another computer, but same OS. I got the
> same
> behavior, ie I couldn't randomize my mac address.
> That was the occasion to build against a more recent master version
> of
> wpa_supplicant.

So, you had the right version of wpa-supplicant but it didn't work?
Could you send a logfile of NM with TRACE logging enabled? 




> As a side comment, If I use the "unsupported" wpa_supplicant version
> (ie
> the last stable), I cannot connect to the SSID if I ask for
> randomization (always) and I have this error: "active connection
> removed
> before it was initialized". Of course, this doesn't happen if I build
> wpa_supplicant from their master branch.

that would be expected, no?

You should also see a message in the logfile:
"Activation: (wifi) couldn't build wireless configuration: 802-11-
wireless: cannot enable mac-randomization due to missing supplicant
support"
This is what I get on Fedora 23.




> If anybody has a chance to test this, I would be happy to hear about
> it,
> or if you have ideas/instructions to get a better understanding.
> 
> Thanks.
> 
> Best,

Thomas



Re: How to activate MAC address randomization?

2016-05-22 Thread forum
Hi Thomas,
> Oh, I didn't actually test mac-addr-randomization myself :)
> I am definitely interested whether it works for you (but I still expect
> it works, if wpa-supplicant has support).

I made further test with another computer, but same OS. I got the same
behavior, ie I couldn't randomize my mac address.
That was the occasion to build against a more recent master version of
wpa_supplicant.

As a side comment, If I use the "unsupported" wpa_supplicant version (ie
the last stable), I cannot connect to the SSID if I ask for
randomization (always) and I have this error: "active connection removed
before it was initialized". Of course, this doesn't happen if I build
wpa_supplicant from their master branch.


If anybody has a chance to test this, I would be happy to hear about it,
or if you have ideas/instructions to get a better understanding.

Thanks.

Best,

-- 
François Boulogne.
http://www.sciunto.org
GPG: 32D5F22F




Re: How to activate MAC address randomization?

2016-05-20 Thread poma
On 21.05.2016 01:03, poma wrote:
> On 20.05.2016 19:36, Dan Williams wrote:
>> On Fri, 2016-05-20 at 19:03 +0200, poma wrote:
>>> On 19.05.2016 12:22, Thomas Haller wrote:
>>>>
>>>> On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
>>>>>
>>>>> On 18.05.2016 16:49, Thomas Haller wrote:
>>>>>>
>>>>>>
>>>>> I actually have a question for you, and Lubo;
>>>>>
>>>>> In the wpa_supplicant, Pre-association MAC random-ization is
>>>>> disabled
>>>>> per default:
>>>>>
>>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
>>>>> PreassocMacAddr
>>>>> Pre-association MAC address policy
>>>>>
>>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
>>>>> #n41
>>>>> 8
>>>>> # MAC address policy for pre-association operations (scanning,
>>>>> ANQP)
>>>>> # 0 = use permanent MAC address
>>>>> # 1 = use random MAC address
>>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>>> #preassoc_mac_addr=0
>>>>>
>>>>>
>>>>> and the same was said, toward NetworkManager, in:
>>>>>
>>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/N
>>>>> EWS#
>>>>> n8
>>>>> * Added an option to enable use of random MAC addresses for Wi-Fi
>>>>> access
>>>>> point scanning (defaults to disabled).  Controlled with
>>>>> 'wifi.mac-address-randomization' property
>>>>> (MAC_ADDRESS_RANDOMIZATION key in
>>>>> ifcfg files).
>>>> Yeah, this is wrong. I fixed it:
>>>>
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?
>>>> id=e0e1c5916073deac49d27a9ee2343073f5fe552a
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> -but- you said in:
>>>>>
>>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg0
>>>>> 0042
>>>>> .html
>>>>>
>>>>> When NM detects support in wpa-supplicant, it always sets
>>>>> PreassocMacAddr to 1. This setting is only relevant during
>>>>> scanning,
>>>>> and thus NM *always* enables it.
>>>>>
>>>>>
>>>>>
>>>>> -and- as "published" by Lubo in:
>>>>>
>>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tra
>>>>> ckin
>>>>> g-protection-in-wi-fi-networks
>>>>>
>>>>> What seems like a viable option is randomizing the MAC address
>>>>> while
>>>>> scanning,
>>>>> changing it every now and then,
>>>>> but still use the hard-wired MAC address for association and
>>>>> actual
>>>>> connectivity. [...]
>>>>> With the upcoming NetworkManager 1.2 we’re doing this too. [...]
>>>>> With the upcoming NetworkManager 1.2 (when using wpa_supplicant
>>>>> 2.4
>>>>> or newer) we’re doing this too.
>>>>>
>>>>>
>>>>>
>>>>> Is not that, as mentioned in the NEWS, in fact MAC random-ization
>>>>> per
>>>>> connecting, not MAC random-ization per scanning!?
>>>> You are right.
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> That is, in the wpa_supplicant, Connection MAC random-ization:
>>>>>
>>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
>>>>> MacAddr
>>>>> MAC address policy default
>>>>>
>>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
>>>>> #n40
>>>>> 5
>>>>> # MAC address policy default
>>>>> # 0 = use permanent MAC address
>>>>> # 1 = use random MAC address for each ESS connection
>>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>>> #
>>>>> # By default, permanent MAC address is used unless policy is
>>>>> changed
>>>>> by
>>>>> # the per-network mac_addr parameter. Global mac_addr=1 can be
>>>>> used
>>>>> to
>>>>> # change this default behavior.
>>>>> #mac_addr=0
>>>>>
>>>>>
>>>>> toward NetworkManager, what -you- said in:
>>>>>
>>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg0
>>>>> 0042
>>>>> .html
>>>>>
>>>>> The mac-address-randomization connection-setting on the other
>>>>> hand,
>>>>> configures the behavior while being connected.
>>>>>
>>>>>
>>>>>
>>>>> -and- as "published" by Lubo in:
>>>>>
>>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tra
>>>>> ckin
>>>>> g-protection-in-wi-fi-networks
>>>>>
>>>>> Could we randomize the permanent address too?
>>>>> We added option for that to NetworkManager 1.2 too, but are
>>>>> leaving
>>>>> it off. [...]
>>>>>
>>>>>
>>>>>
>>>>> What is what, and what is not!? :)
>>>>>
>>>>
>>>> Hi poma,
>>>>
>>>>
>>>> yes, the NEWS file was wrong.
>>>>
>>>> Also, as we already found out, another mistake was that wpa-
>>>> supplicant
>>>> support is not yet available in 2.4. It is currently only on master
>>>> (and will be in supplicant version 2.6)
>>>> -- unless we backport it, for which you opened a Fedora bug (thank
>>>> you).
>>>>
>>>>
>>>> Lubo's "but are leaving it off." statement means:
>>>> if you leave the per-connection setting wifi.mac-address-
>>>> randomization
>>>> at "default", then the default means "off"
>>>> -- unless you overwrite it via a global default value in
>>>> /etc/NetworkManager/NetworkManager.conf, see `man
>>>> NetworkManager.conf`.
>>>>
>>>>
>>>>
>>>> Does this resolve all unclarities?
>>>>
>>>
>>> Of course!
>>>
>>> Here's the answer to your question - "Why do you say that "rand-mac"
>>> does not work?"
>>>
>>>

Re: How to activate MAC address randomization?

2016-05-20 Thread poma
On 20.05.2016 19:36, Dan Williams wrote:
> On Fri, 2016-05-20 at 19:03 +0200, poma wrote:
>> On 19.05.2016 12:22, Thomas Haller wrote:
>>>
>>> On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
>>>>
>>>> On 18.05.2016 16:49, Thomas Haller wrote:
>>>>>
>>>>>
>>>> I actually have a question for you, and Lubo;
>>>>
>>>> In the wpa_supplicant, Pre-association MAC random-ization is
>>>> disabled
>>>> per default:
>>>>
>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
>>>> PreassocMacAddr
>>>> Pre-association MAC address policy
>>>>
>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
>>>> #n41
>>>> 8
>>>> # MAC address policy for pre-association operations (scanning,
>>>> ANQP)
>>>> # 0 = use permanent MAC address
>>>> # 1 = use random MAC address
>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>> #preassoc_mac_addr=0
>>>>
>>>>
>>>> and the same was said, toward NetworkManager, in:
>>>>
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/N
>>>> EWS#
>>>> n8
>>>> * Added an option to enable use of random MAC addresses for Wi-Fi
>>>> access
>>>> point scanning (defaults to disabled).  Controlled with
>>>> 'wifi.mac-address-randomization' property
>>>> (MAC_ADDRESS_RANDOMIZATION key in
>>>> ifcfg files).
>>> Yeah, this is wrong. I fixed it:
>>>
>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?
>>> id=e0e1c5916073deac49d27a9ee2343073f5fe552a
>>>
>>>
>>>
>>>
>>>>
>>>> -but- you said in:
>>>>
>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg0
>>>> 0042
>>>> .html
>>>>
>>>> When NM detects support in wpa-supplicant, it always sets
>>>> PreassocMacAddr to 1. This setting is only relevant during
>>>> scanning,
>>>> and thus NM *always* enables it.
>>>>
>>>>
>>>>
>>>> -and- as "published" by Lubo in:
>>>>
>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tra
>>>> ckin
>>>> g-protection-in-wi-fi-networks
>>>>
>>>> What seems like a viable option is randomizing the MAC address
>>>> while
>>>> scanning,
>>>> changing it every now and then,
>>>> but still use the hard-wired MAC address for association and
>>>> actual
>>>> connectivity. [...]
>>>> With the upcoming NetworkManager 1.2 we’re doing this too. [...]
>>>> With the upcoming NetworkManager 1.2 (when using wpa_supplicant
>>>> 2.4
>>>> or newer) we’re doing this too.
>>>>
>>>>
>>>>
>>>> Is not that, as mentioned in the NEWS, in fact MAC random-ization
>>>> per
>>>> connecting, not MAC random-ization per scanning!?
>>> You are right.
>>>
>>>
>>>
>>>
>>>>
>>>> That is, in the wpa_supplicant, Connection MAC random-ization:
>>>>
>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
>>>> MacAddr
>>>> MAC address policy default
>>>>
>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
>>>> #n40
>>>> 5
>>>> # MAC address policy default
>>>> # 0 = use permanent MAC address
>>>> # 1 = use random MAC address for each ESS connection
>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>> #
>>>> # By default, permanent MAC address is used unless policy is
>>>> changed
>>>> by
>>>> # the per-network mac_addr parameter. Global mac_addr=1 can be
>>>> used
>>>> to
>>>> # change this default behavior.
>>>> #mac_addr=0
>>>>
>>>>
>>>> toward NetworkManager, what -you- said in:
>>>>
>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg0
>>>> 0042
>>>> .html
>>>>
>>>> The mac-address-randomization connection-setting on the other
>>>> hand,
>>>> configures the behavior while being connected.
>>>>
>>>>
>>>>
>>>> -and- as "published" by Lubo in:
>>>>
>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tra
>>>> ckin
>>>> g-protection-in-wi-fi-networks
>>>>
>>>> Could we randomize the permanent address too?
>>>> We added option for that to NetworkManager 1.2 too, but are
>>>> leaving
>>>> it off. [...]
>>>>
>>>>
>>>>
>>>> What is what, and what is not!? :)
>>>>
>>>
>>> Hi poma,
>>>
>>>
>>> yes, the NEWS file was wrong.
>>>
>>> Also, as we already found out, another mistake was that wpa-
>>> supplicant
>>> support is not yet available in 2.4. It is currently only on master
>>> (and will be in supplicant version 2.6)
>>> -- unless we backport it, for which you opened a Fedora bug (thank
>>> you).
>>>
>>>
>>> Lubo's "but are leaving it off." statement means:
>>> if you leave the per-connection setting wifi.mac-address-
>>> randomization
>>> at "default", then the default means "off"
>>> -- unless you overwrite it via a global default value in
>>> /etc/NetworkManager/NetworkManager.conf, see `man
>>> NetworkManager.conf`.
>>>
>>>
>>>
>>> Does this resolve all unclarities?
>>>
>>
>> Of course!
>>
>> Here's the answer to your question - "Why do you say that "rand-mac"
>> does not work?"
>>
>>
>>  == Client ==
>>
>> # cat /sys/class/net/wlp0s2f1u3/address
>> 00:aa:bb:cc:dd:ee
>>
>>
>> # journalctl -o cat -b -u NetworkManager
>> ...
>> NetworkManager[2125]:  [[...]] platform: signal: link changed:
>> 

Re: How to activate MAC address randomization?

2016-05-20 Thread Dan Williams
On Fri, 2016-05-20 at 19:03 +0200, poma wrote:
> On 19.05.2016 12:22, Thomas Haller wrote:
> > 
> > On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
> > > 
> > > On 18.05.2016 16:49, Thomas Haller wrote:
> > > > 
> > > >  
> > > I actually have a question for you, and Lubo;
> > > 
> > > In the wpa_supplicant, Pre-association MAC random-ization is
> > > disabled
> > > per default:
> > > 
> > > https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
> > > PreassocMacAddr
> > > Pre-association MAC address policy
> > > 
> > > https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
> > > #n41
> > > 8
> > > # MAC address policy for pre-association operations (scanning,
> > > ANQP)
> > > # 0 = use permanent MAC address
> > > # 1 = use random MAC address
> > > # 2 = like 1, but maintain OUI (with local admin bit set)
> > > #preassoc_mac_addr=0
> > > 
> > > 
> > > and the same was said, toward NetworkManager, in:
> > > 
> > > https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/N
> > > EWS#
> > > n8
> > > * Added an option to enable use of random MAC addresses for Wi-Fi
> > > access
> > > point scanning (defaults to disabled).  Controlled with
> > > 'wifi.mac-address-randomization' property
> > > (MAC_ADDRESS_RANDOMIZATION key in
> > > ifcfg files).
> > Yeah, this is wrong. I fixed it:
> > 
> > https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?
> > id=e0e1c5916073deac49d27a9ee2343073f5fe552a
> > 
> > 
> > 
> > 
> > > 
> > > -but- you said in:
> > > 
> > > https://mail.gnome.org/archives/networkmanager-list/2016-May/msg0
> > > 0042
> > > .html
> > > 
> > > When NM detects support in wpa-supplicant, it always sets
> > > PreassocMacAddr to 1. This setting is only relevant during
> > > scanning,
> > > and thus NM *always* enables it.
> > > 
> > > 
> > > 
> > > -and- as "published" by Lubo in:
> > > 
> > > https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tra
> > > ckin
> > > g-protection-in-wi-fi-networks
> > > 
> > > What seems like a viable option is randomizing the MAC address
> > > while
> > > scanning,
> > > changing it every now and then,
> > > but still use the hard-wired MAC address for association and
> > > actual
> > > connectivity. [...]
> > > With the upcoming NetworkManager 1.2 we’re doing this too. [...]
> > > With the upcoming NetworkManager 1.2 (when using wpa_supplicant
> > > 2.4
> > > or newer) we’re doing this too.
> > > 
> > > 
> > > 
> > > Is not that, as mentioned in the NEWS, in fact MAC random-ization 
> > > per
> > > connecting, not MAC random-ization per scanning!?
> > You are right.
> > 
> > 
> > 
> > 
> > > 
> > > That is, in the wpa_supplicant, Connection MAC random-ization:
> > > 
> > > https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
> > > MacAddr
> > > MAC address policy default
> > > 
> > > https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
> > > #n40
> > > 5
> > > # MAC address policy default
> > > # 0 = use permanent MAC address
> > > # 1 = use random MAC address for each ESS connection
> > > # 2 = like 1, but maintain OUI (with local admin bit set)
> > > #
> > > # By default, permanent MAC address is used unless policy is
> > > changed
> > > by
> > > # the per-network mac_addr parameter. Global mac_addr=1 can be
> > > used
> > > to
> > > # change this default behavior.
> > > #mac_addr=0
> > > 
> > > 
> > > toward NetworkManager, what -you- said in:
> > > 
> > > https://mail.gnome.org/archives/networkmanager-list/2016-May/msg0
> > > 0042
> > > .html
> > > 
> > > The mac-address-randomization connection-setting on the other
> > > hand,
> > > configures the behavior while being connected.
> > > 
> > > 
> > > 
> > > -and- as "published" by Lubo in:
> > > 
> > > https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tra
> > > ckin
> > > g-protection-in-wi-fi-networks
> > > 
> > > Could we randomize the permanent address too?
> > > We added option for that to NetworkManager 1.2 too, but are
> > > leaving
> > > it off. [...]
> > > 
> > > 
> > > 
> > > What is what, and what is not!? :)
> > > 
> > 
> > Hi poma,
> > 
> > 
> > yes, the NEWS file was wrong.
> > 
> > Also, as we already found out, another mistake was that wpa-
> > supplicant
> > support is not yet available in 2.4. It is currently only on master
> > (and will be in supplicant version 2.6)
> > -- unless we backport it, for which you opened a Fedora bug (thank
> > you).
> > 
> > 
> > Lubo's "but are leaving it off." statement means:
> > if you leave the per-connection setting wifi.mac-address-
> > randomization
> > at "default", then the default means "off"
> > -- unless you overwrite it via a global default value in
> > /etc/NetworkManager/NetworkManager.conf, see `man
> > NetworkManager.conf`.
> > 
> > 
> > 
> > Does this resolve all unclarities?
> > 
> 
> Of course!
> 
> Here's the answer to your question - "Why do you say that "rand-mac"
> does not work?"
> 
> 
>  == Client ==
> 
> # cat /sys/class/net/wlp0s2f1u3/address
> 00:aa:bb:cc:dd:ee
> 

Re: How to activate MAC address randomization?

2016-05-20 Thread poma
On 19.05.2016 12:22, Thomas Haller wrote:
> On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
>> On 18.05.2016 16:49, Thomas Haller wrote:
>>>  
>> I actually have a question for you, and Lubo;
>>
>> In the wpa_supplicant, Pre-association MAC random-ization is disabled
>> per default:
>>
>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
>> PreassocMacAddr
>> Pre-association MAC address policy
>>
>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n41
>> 8
>> # MAC address policy for pre-association operations (scanning, ANQP)
>> # 0 = use permanent MAC address
>> # 1 = use random MAC address
>> # 2 = like 1, but maintain OUI (with local admin bit set)
>> #preassoc_mac_addr=0
>>
>>
>> and the same was said, toward NetworkManager, in:
>>
>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS#
>> n8
>> * Added an option to enable use of random MAC addresses for Wi-Fi
>> access
>> point scanning (defaults to disabled).  Controlled with
>> 'wifi.mac-address-randomization' property
>> (MAC_ADDRESS_RANDOMIZATION key in
>> ifcfg files).
> 
> Yeah, this is wrong. I fixed it:
> 
> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=e0e1c5916073deac49d27a9ee2343073f5fe552a
> 
> 
> 
> 
>> -but- you said in:
>>
>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042
>> .html
>> 
>> When NM detects support in wpa-supplicant, it always sets
>> PreassocMacAddr to 1. This setting is only relevant during scanning,
>> and thus NM *always* enables it.
>> 
>>
>>
>> -and- as "published" by Lubo in:
>>
>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-trackin
>> g-protection-in-wi-fi-networks
>> 
>> What seems like a viable option is randomizing the MAC address while
>> scanning,
>> changing it every now and then,
>> but still use the hard-wired MAC address for association and actual
>> connectivity. [...]
>> With the upcoming NetworkManager 1.2 we’re doing this too. [...]
>> With the upcoming NetworkManager 1.2 (when using wpa_supplicant 2.4
>> or newer) we’re doing this too.
>> 
>>
>>
>> Is not that, as mentioned in the NEWS, in fact MAC random-ization per
>> connecting, not MAC random-ization per scanning!?
> 
> You are right.
> 
> 
> 
> 
>> That is, in the wpa_supplicant, Connection MAC random-ization:
>>
>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
>> MacAddr
>> MAC address policy default
>>
>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n40
>> 5
>> # MAC address policy default
>> # 0 = use permanent MAC address
>> # 1 = use random MAC address for each ESS connection
>> # 2 = like 1, but maintain OUI (with local admin bit set)
>> #
>> # By default, permanent MAC address is used unless policy is changed
>> by
>> # the per-network mac_addr parameter. Global mac_addr=1 can be used
>> to
>> # change this default behavior.
>> #mac_addr=0
>>
>>
>> toward NetworkManager, what -you- said in:
>>
>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042
>> .html
>> 
>> The mac-address-randomization connection-setting on the other hand,
>> configures the behavior while being connected.
>> 
>>
>>
>> -and- as "published" by Lubo in:
>>
>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-trackin
>> g-protection-in-wi-fi-networks
>> 
>> Could we randomize the permanent address too?
>> We added option for that to NetworkManager 1.2 too, but are leaving
>> it off. [...]
>> 
>>
>>
>> What is what, and what is not!? :)
>>
> 
> 
> Hi poma,
> 
> 
> yes, the NEWS file was wrong.
> 
> Also, as we already found out, another mistake was that wpa-supplicant
> support is not yet available in 2.4. It is currently only on master
> (and will be in supplicant version 2.6)
> -- unless we backport it, for which you opened a Fedora bug (thank
> you).
> 
> 
> Lubo's "but are leaving it off." statement means:
> if you leave the per-connection setting wifi.mac-address-randomization
> at "default", then the default means "off"
> -- unless you overwrite it via a global default value in
> /etc/NetworkManager/NetworkManager.conf, see `man NetworkManager.conf`.
> 
> 
> 
> Does this resolve all unclarities?
> 


Of course!

Here's the answer to your question - "Why do you say that "rand-mac" does not 
work?"


 == Client ==

# cat /sys/class/net/wlp0s2f1u3/address
00:aa:bb:cc:dd:ee


# journalctl -o cat -b -u NetworkManager
...
NetworkManager[2125]:  [[...]] platform: signal: link changed: 5: 
wlp0s2f1u3  mtu 1500 arp 1 wifi? 
init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
NetworkManager[2125]:  [[...]] platform: signal: link changed: 5: 
wlp0s2f1u3  mtu 1500 arp 1 
wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
NetworkManager[2125]:  [[...]] platform: signal: link changed: 5: 
wlp0s2f1u3  mtu 1500 arp 1 
wifi? init addrgenmode 

Re: How to activate MAC address randomization?

2016-05-19 Thread Thomas Haller
On Sun, 2016-05-15 at 22:36 +0200, fo...@sciunto.org wrote:
> Thank you Thomas for your quick reply.
> 
> 
> > 
> > When you run wpa-supplicant via NetworkManager, NM configures the
> > supplicant via D-Bus. While /etc/wpa_supplicant/wpa_supplicant.conf
> > still is used (depending on your configuration), I don't think it
> > matters nor does it sound right to do.
> OK, so now, I commented these three options in wpa_supplicant.conf,
> so
> it's back to the default values.
> 
> 
> 
> > 
> > > 
> > > For my SSID, /etc/NetworkManager/system-connections/TNCAP1CA11F,
> > > I
> > > put
> > > mac-address-randomization=2 (I also empty mac-address at some
> > > point).
> > > 
> > > Then, I reload: systemctl reload wpa_supplicant && systemctl
> > > reload
> > > NetworkManager
> > you can edit keyfiles in /etc/NetworkManager/system-connections,
> > but
> > afterwards you must issue `nmcli connection reload` -- not
> > `systemctl
> > reload`. The former reloads connections from disk, the latter
> > reloads
> > NetworkManager configuration.
> > 
> > Well, whatever the details here... Let's just assume after editing
> > the
> > files you did sufficiently reload the involved components :)
> Yes, I always reload both wpa_supplicant and NM before checking a
> configuration. It might be overkill... :)
> but I took this precaution.
> Sorry, I made a typo also, I wanted to write systemctl restart, so
> I'm
> sure that the process is killed.
> 
> 
> > 
> > > 
> > > to check the MAC address. I noticed that a first address
> > > (different
> > > to the
> > > physical one) was attributed but before the connection was
> > > established.
> > You mean, during scanning it was randomized? That sounds right as
> > NM
> > always sets PreassocMacAddr=1
> Yes and yes. That was something positive to me.
> > 
> > 
> > > 
> > > And
> > > then, a second one corresponding to the physical one was used to
> > > establish
> > > the connection. Looking at journalctl -xn confirmed what I saw.
> > > 
> > > I checked with 
> > > nmcli connection show TNCAP1CA11F
> > > that the random field (802-11-wireless.mac-address-randomization) 
> > > was
> > > on
> > > "always". 
> > > 
> > > 
> > > I noticed that if I added a section [connection] in
> > > /etc/NetworkManager/NetworkManager.conf with
> > > wifi.mac-address-randomization=1 and in
> > > /etc/NetworkManager/system-connections/TNCAP1CA11F, I put
> > > mac-address-randomization=1, nmcli connection show TNCAP1CA11F
> > > was on
> > > "never".
> > Editing [connection] section in
> > /etc/NetworkManager/NetworkManager.conf
> > allows you to configure default-values for connection properties.
> > But those default values *only* take effect, when the value in the
> > connection itself is set to "default".
> > 
> > That is, if `nmcli connection show TNCAP1CA11F` gives "never" or
> > "always", the default value is completely ignored, because the per-
> > connection setting is preferred.
> Sorry I was not clear here. Let me clarify the config in both files
> and
> the output of the command + the MAC address.
> As I write, I redo the tests.
> Case 1:
> * [connection] wifi.mac-address-randomization=1
> * mac-address-randomization=0
> -> default and physical MAC address
> 
> Case 2:
> * [connection] wifi.mac-address-randomization=1
> * mac-address-randomization=1
> -> never and physical MAC address
> 
> Case 3:
> * [connection] wifi.mac-address-randomization=1
> * mac-address-randomization=2
> -> always and physical MAC address
> 
> 
> If I comment the default option (ie I comment lines [connection] and
> the
> next line wifi.mac-address-randomization=1), case 1, 2 and 3, give
> the
> same results.
> 
> The only thing I do not understand is why the mac address is not
> randomized for cases 2 or 3, for an established connection?
> Do you agree that my expectations are correct?

Hi,


don't get confused by the [connection] setting in
/etc/NetworkManager/NetworkManager.conf.


So, if you explicitly set the value per-connection, the default does
not matter. If you want to test this, just set an explicit value to
either "never" or "always".

  nmcli connection modify $CONNECTION \
 802-11-wireless.mac-address-randomization always


 DETAILS:

As described in `man NetworkManager.conf`, [connection] allows you to
overwrite the default-values for certain settings -- iff the setting is
left unspecified in the corresponding per-connection setting.


E.g. if your connection shows

  nmcli connection show $CONNECTION
  802-11-wireless.mac-address-randomization:default

then (and only then), NetworkManager will check whether the default
value is overwritten in NetworkManager.conf.

If also no default value is found in the [connection] section, it
determines the default somehow differently:
  - in case of wifi.mac-address-randomization the fallback value is 
    "never"
  - in case of ipv6.ip6-privacy it reads
    /proc/sys/net/ipv6/conf/default/use_tempaddr
  - etc.



Yes, if you want to enable randomization by 

Re: How to activate MAC address randomization?

2016-05-19 Thread Thomas Haller
On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
> On 18.05.2016 16:49, Thomas Haller wrote:
> > 
> I actually have a question for you, and Lubo;
> 
> In the wpa_supplicant, Pre-association MAC random-ization is disabled
> per default:
> 
> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
> PreassocMacAddr
> Pre-association MAC address policy
> 
> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n418
> # MAC address policy for pre-association operations (scanning, ANQP)
> # 0 = use permanent MAC address
> # 1 = use random MAC address
> # 2 = like 1, but maintain OUI (with local admin bit set)
> #preassoc_mac_addr=0
> 
> 
> and the same was said, toward NetworkManager, in:
> 
> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS#n8
> * Added an option to enable use of random MAC addresses for Wi-Fi
> access
> point scanning (defaults to disabled).  Controlled with
> 'wifi.mac-address-randomization' property
> (MAC_ADDRESS_RANDOMIZATION key in
> ifcfg files).

Yeah, this is wrong. I fixed it:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=e0e1c5916073deac49d27a9ee2343073f5fe552a




> -but- you said in:
> 
> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
> 
> When NM detects support in wpa-supplicant, it always sets
> PreassocMacAddr to 1. This setting is only relevant during scanning,
> and thus NM *always* enables it.
> 
> 
> 
> -and- as "published" by Lubo in:
> 
> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
> 
> What seems like a viable option is randomizing the MAC address while
> scanning,
> changing it every now and then,
> but still use the hard-wired MAC address for association and actual
> connectivity. [...]
> With the upcoming NetworkManager 1.2 we’re doing this too. [...]
> With the upcoming NetworkManager 1.2 (when using wpa_supplicant 2.4
> or newer) we’re doing this too.
> 
> 
> 
> Is not that, as mentioned in the NEWS, in fact MAC random-ization per
> connecting, not MAC random-ization per scanning!?

You are right.




> That is, in the wpa_supplicant, Connection MAC random-ization:
> 
> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
> MacAddr
> MAC address policy default
> 
> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n405
> # MAC address policy default
> # 0 = use permanent MAC address
> # 1 = use random MAC address for each ESS connection
> # 2 = like 1, but maintain OUI (with local admin bit set)
> #
> # By default, permanent MAC address is used unless policy is changed
> by
> # the per-network mac_addr parameter. Global mac_addr=1 can be used
> to
> # change this default behavior.
> #mac_addr=0
> 
> 
> toward NetworkManager, what -you- said in:
> 
> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
> 
> The mac-address-randomization connection-setting on the other hand,
> configures the behavior while being connected.
> 
> 
> 
> -and- as "published" by Lubo in:
> 
> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
> 
> Could we randomize the permanent address too?
> We added option for that to NetworkManager 1.2 too, but are leaving
> it off. [...]
> 
> 
> 
> What is what, and what is not!? :)
> 


Hi poma,


yes, the NEWS file was wrong.

Also, as we already found out, another mistake was that wpa-supplicant
support is not yet available in 2.4. It is currently only on master
(and will be in supplicant version 2.6)
-- unless we backport it, for which you opened a Fedora bug (thank
you).


Lubo's "but are leaving it off." statement means:
if you leave the per-connection setting wifi.mac-address-randomization
at "default", then the default means "off"
-- unless you overwrite it via a global default value in
/etc/NetworkManager/NetworkManager.conf, see `man NetworkManager.conf`.



Does this resolve all unclarities?

Thomas




Re: How to activate MAC address randomization?

2016-05-18 Thread Chris Laprise



On 05/18/2016 02:25 PM, Dan Williams wrote:
> Randomization happens in the supplicant, and the supplicant also
> controls scanning.  If randomization is enabled, the supplicant will
> change the MAC address before it scans, so this should not be a
> problem.
>
> Of course, if you run 'iw dev wlan0 scan' manually, that does not go
> through the supplicant, and you will leak your MAC.
>
> If you use NM's MAC cloning functionality, then yes, that might leak
> your MAC because that only clones the MAC address for the duration of
> the connection to a specific access point.  It's not randomization,
> it's the same as ethernet MAC cloning.

It does seem like a primary use case for randomization would be random 
addresses during scans only, and transition to chosen non-original 
addresses for connections (per-AP). The users and admins aren't going to 
think to themselves: "We're going to assign different addresses to these 
connections, so we're OK with the hardware address coming through." Not 
if they're using pre-connection randomization (which should be 
considered the operational norm by now).

And it's not that connection randomization isn't important, too. I just 
think that pre-connection randomization would work very well towards 
privacy if the 'randomization' were on a per-AP basis and not a 
per-session basis (the latter being less compatible with some 
institutional security schemes). Per-AP is more realistic and far more 
likely to be used.

So I would like to know if NM can coordinate with supplicant well enough 
to transition the NIC between randomized pre-connection scanning and 
statically-spoofed connections without allowing the original address to 
be broadcast.

> If you're looking for a more generic MAC randomization feature that
> also works for ethernet, then yes that would be NM's responsibility.
> Internally NM would handle ethernet MAC randomization itself, but
> delegate to the supplicant for WiFi.  Since the supplicant handles
> scanning, it must also handle WiFi MAC randomization to ensure
> synchronization of the changes.
>
> Dan

Ethernet is probably not as pressing a concern because of the physical 
link aspect, but thanks for the insight.


Chris



Re: How to activate MAC address randomization?

2016-05-18 Thread poma
On 18.05.2016 16:49, Thomas Haller wrote:
> On Wed, 2016-05-18 at 01:36 +0200, poma wrote:
>> On 16.05.2016 23:07, Chris Laprise wrote:
>>>
>>>
>>>
>>> On 05/16/2016 12:03 PM, poma wrote:

>>>> On 13.05.2016 00:16, Dan Williams wrote:
>>>>>
>>>>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>>>>> can
>>>>>> get mac randomization working. Only problem is there's no sign of a
>>>>>> setting for this in nmcli or the applet. I found a reference to a
>>>>>> setting on the NetworkManager.conf manpage which states:
>>>>>>
>>>>>>  wifi.mac-address-randomization
>>>>>>  If left unspecified, MAC address randomization is
>>>>>> disabled.
>>>>> wpa_supplicant only gained the necessary functionality that
>>>>> NetworkManager looks for back in late October 2015.  It was committed
>>>>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>>>>> since then.  But once that happens, or if you build supplicant version
>>>>> from git, NM will begin to use that capability if you've enable it in
>>>>> the NM configuration.
>>>>>
>>>>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>>>>
>>>>> Dan
>>>>>
>>>> dbus: Expose interface globals via D-Bus properties - 2.5 backport
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1336495
>>>>
>>>> Professor, your patch your move ;)
>>> LOL, that's great. I hope this means the feature could land in
>>> Fedora 
>>> 24, which has wpas 2.5.
>>>
>>> Chris
>>>
>> # grep rand /etc/NetworkManager/NetworkManager.conf 
>> wifi.mac-address-randomization=2
> 
> the value 2 here means ALWAYS:
> 
> typedef enum {
>     NM_SETTING_MAC_RANDOMIZATION_DEFAULT = 0,
>     NM_SETTING_MAC_RANDOMIZATION_NEVER = 1,
>     NM_SETTING_MAC_RANDOMIZATION_ALWAYS = 2,
> } NMSettingMacRandomization;
> 
>>
>> # nmcli connection show WiFiRd | grep rand
>> 802-11-wireless.mac-address-randomization:default
> 
> correct, so it is allowed to fallback to the global configuration
> above.
> 
> 
> 
> 
>> # journalctl -o cat -b -u NetworkManager | grep random
>> NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]:
>> config: set MAC randomization to 1
> 
> here NM logs the value for the supplicant, that is supplicant's
> "MacAddr" property, it is either 0 (no-rand) or 1 (randomization).
> 
> This is not the numeric value 2 (from NMSettingMacRandomization).
> 
> 
> So, above is correct and as expected (albeit confusing).
> 
> 
>> The problem is that "rand-mac" does not work,
>> tested with patched 2.5 and 2.6-devel,
>> mt7601u and rt2800usb driven devices.
> 
> Why do you say that "rand-mac" does not work?
> 
> 
> 
> Thomas
> 



I actually have a question for you, and Lubo;

In the wpa_supplicant, Pre-association MAC random-ization is disabled per 
default:

https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
PreassocMacAddr
Pre-association MAC address policy

https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n418
# MAC address policy for pre-association operations (scanning, ANQP)
# 0 = use permanent MAC address
# 1 = use random MAC address
# 2 = like 1, but maintain OUI (with local admin bit set)
#preassoc_mac_addr=0


and the same was said, toward NetworkManager, in:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS#n8
* Added an option to enable use of random MAC addresses for Wi-Fi access
point scanning (defaults to disabled).  Controlled with
'wifi.mac-address-randomization' property (MAC_ADDRESS_RANDOMIZATION key in
ifcfg files).


-but- you said in:

https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html

When NM detects support in wpa-supplicant, it always sets
PreassocMacAddr to 1. This setting is only relevant during scanning,
and thus NM *always* enables it.



-and- as "published" by Lubo in:

https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks

What seems like a viable option is randomizing the MAC address while scanning,
changing it every now and then,
but still use the hard-wired MAC address for association and actual 
connectivity. [...]
With the upcoming NetworkManager 1.2 we’re doing this too. [...]
With the upcoming NetworkManager 1.2 (when using wpa_supplicant 2.4 or newer) 
we’re doing this too.



Is not that, as mentioned in the NEWS, in fact MAC random-ization per 
connecting, not MAC random-ization per scanning!?


That is, in the wpa_supplicant, Connection MAC random-ization:

https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
MacAddr
MAC address policy default

https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n405
# MAC address policy default
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
#
# By default, permanent MAC 

Re: How to activate MAC address randomization?

2016-05-18 Thread Dan Williams
On Wed, 2016-05-18 at 11:21 -0400, Chris Laprise wrote:
> 
> On 05/18/2016 08:24 AM, poma wrote:
> > 
> > On 18.05.2016 06:14, Chris Laprise wrote:
> > > 
> > > 
> > > On 05/17/2016 07:36 PM, poma wrote:
> > > > 
> > > > On 16.05.2016 23:07, Chris Laprise wrote:
> > > > > 
> > > > > On 05/16/2016 12:03 PM, poma wrote:
> > > > > > 
> > > > > > On 13.05.2016 00:16, Dan Williams wrote:
> > > > > > > 
> > > > > > > On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
> > > > > > > > 
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > I just installed NetworkManager 1.2 in fedora 23 in the
> > > > > > > > hopes that I
> > > > > > > > can
> > > > > > > > get mac randomization working. Only problem is there's
> > > > > > > > no sign of a
> > > > > > > > setting for this in nmcli or the applet. I found a
> > > > > > > > reference to a
> > > > > > > > setting on the NetworkManager.conf manpage which
> > > > > > > > states:
> > > > > > > > 
> > > > > > > >    wifi.mac-address-randomization
> > > > > > > >    If left unspecified, MAC address
> > > > > > > > randomization is
> > > > > > > > disabled.
> > > > > > > wpa_supplicant only gained the necessary functionality
> > > > > > > that
> > > > > > > NetworkManager looks for back in late October 2015.  It
> > > > > > > was committed
> > > > > > > after wpa_supplicant 2.5 but it appears there hasn't been
> > > > > > > a release
> > > > > > > since then.  But once that happens, or if you build
> > > > > > > supplicant version
> > > > > > > from git, NM will begin to use that capability if you've
> > > > > > > enable it in
> > > > > > > the NM configuration.
> > > > > > > 
> > > > > > > > http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
> > > > > > > 
> > > > > > > Dan
> > > > > > > 
> > > > > > dbus: Expose interface globals via D-Bus properties - 2.5
> > > > > > backport
> > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1336495
> > > > > > 
> > > > > > Professor, your patch your move ;)
> > > > > LOL, that's great. I hope this means the feature could land
> > > > > in Fedora
> > > > > 24, which has wpas 2.5.
> > > > > 
> > > > > Chris
> > > > > 
> > > > # grep rand /etc/NetworkManager/NetworkManager.conf
> > > > wifi.mac-address-randomization=2
> > > > 
> > > > # nmcli connection show WiFiRd | grep rand
> > > > 802-11-wireless.mac-address-randomization:default
> > > > 
> > > > # journalctl -o cat -b -u NetworkManager | grep random
> > > > NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
> > > > 
> > > > 
> > > > The problem is that "rand-mac" does not work,
> > > > tested with patched 2.5 and 2.6-devel,
> > > > mt7601u and rt2800usb driven devices.
> > > > 
> > > Does this leave us with fully functional pre-connection
> > > randomization
> > > anyway? I would define 'full function' as the original mac addr
> > > not
> > > being broadcast when Network Manager scans then connects using
> > > either of
> > > the following:
> > > 
> > > 1. A random address for any target AP
> > > 2. A static spoofed address for a predefined NM connection
> > > 
> > > The second case, at least, puts control of disclosure of the
> > > original
> > > 'hardware' address in the hands of the user. That is a big step
> > > in the
> > > right direction.
> > > 
> > > I would also like to know if the second case is already possible
> > > with
> > > the current unpatched releases of nm and wpas.
> > > 
> > > Many thanks,
> > > Chris
> > > 
> > 2nd - 'cloned-mac-address' is there, if not from the very beginning
> My concern here is just that some implementation detail will cause
> the 
> original address to be announced anyway. For instance, mac addresses 
> have a habit of reverting to original when waking a system from
> sleep. 
> Conceivably, a scan could take place with original address before 
> connection is re-established using assigned address.

Randomization happens in the supplicant, and the supplicant also
controls scanning.  If randomization is enabled, the supplicant will
change the MAC address before it scans, so this should not be a
problem.

Of course, if you run 'iw dev wlan0 scan' manually, that does not go
through the supplicant, and you will leak your MAC.

If you use NM's MAC cloning functionality, then yes, that might leak
your MAC because that only clones the MAC address for the duration of
the connection to a specific access point.  It's not randomization,
it's the same as ethernet MAC cloning.

> So, a static spoofing function written for past use cases (which
> didn't 
> grapple with concealment) may be different than a spoofing function
> that 
> works to conceal original addresses.
> 
> > 
> > 
> > 1st - 'mac-address-randomization' i.e. "dynamic" version of the
> > 2nd,
> > works like this - observing 'watch -n.1 macchanger -s
> > wlp0s2f1u3'
> > it randomizes "Current MAC" value,
> > e.g.
> > Current MAC:   

Re: How to activate MAC address randomization?

2016-05-18 Thread Chris Laprise



On 05/18/2016 08:24 AM, poma wrote:
> On 18.05.2016 06:14, Chris Laprise wrote:
>> On 05/17/2016 07:36 PM, poma wrote:
>>> On 16.05.2016 23:07, Chris Laprise wrote:
>>>> On 05/16/2016 12:03 PM, poma wrote:
>>>>> On 13.05.2016 00:16, Dan Williams wrote:
>>>>>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>>>>>> can
>>>>>>> get mac randomization working. Only problem is there's no sign of a
>>>>>>> setting for this in nmcli or the applet. I found a reference to a
>>>>>>> setting on the NetworkManager.conf manpage which states:
>>>>>>>
>>>>>>>    wifi.mac-address-randomization
>>>>>>>    If left unspecified, MAC address randomization is
>>>>>>> disabled.
>>>>>> wpa_supplicant only gained the necessary functionality that
>>>>>> NetworkManager looks for back in late October 2015.  It was committed
>>>>>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>>>>>> since then.  But once that happens, or if you build supplicant version
>>>>>> from git, NM will begin to use that capability if you've enable it in
>>>>>> the NM configuration.
>>>>>>
>>>>>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>>>>>
>>>>>> Dan
>>>>> dbus: Expose interface globals via D-Bus properties - 2.5 backport
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1336495
>>>>>
>>>>> Professor, your patch your move ;)
>>>> LOL, that's great. I hope this means the feature could land in Fedora
>>>> 24, which has wpas 2.5.
>>>>
>>>> Chris
>>> # grep rand /etc/NetworkManager/NetworkManager.conf
>>> wifi.mac-address-randomization=2
>>>
>>> # nmcli connection show WiFiRd | grep rand
>>> 802-11-wireless.mac-address-randomization:default
>>>
>>> # journalctl -o cat -b -u NetworkManager | grep random
>>> NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>>>
>>> The problem is that "rand-mac" does not work,
>>> tested with patched 2.5 and 2.6-devel,
>>> mt7601u and rt2800usb driven devices.
>> Does this leave us with fully functional pre-connection randomization
>> anyway? I would define 'full function' as the original mac addr not
>> being broadcast when Network Manager scans then connects using either of
>> the following:
>>
>> 1. A random address for any target AP
>> 2. A static spoofed address for a predefined NM connection
>>
>> The second case, at least, puts control of disclosure of the original
>> 'hardware' address in the hands of the user. That is a big step in the
>> right direction.
>>
>> I would also like to know if the second case is already possible with
>> the current unpatched releases of nm and wpas.
>>
>> Many thanks,
>> Chris
> 2nd - 'cloned-mac-address' is there, if not from the very beginning

My concern here is just that some implementation detail will cause the 
original address to be announced anyway. For instance, mac addresses 
have a habit of reverting to original when waking a system from sleep. 
Conceivably, a scan could take place with original address before 
connection is re-established using assigned address.

So, a static spoofing function written for past use cases (which didn't 
grapple with concealment) may be different than a spoofing function that 
works to conceal original addresses.

> 1st - 'mac-address-randomization' i.e. "dynamic" version of the 2nd,
> works like this - observing 'watch -n.1 macchanger -s wlp0s2f1u3'
> it randomizes "Current MAC" value,
> e.g.
> Current MAC:   ea:1q:3w:z5:y8:ae  <=
> Permanent MAC: 00:11:22:33:44:55
>
> but during connection attempts it returns
> to the original - "Permanent MAC" value,
> e.g.
> Current MAC:   00:11:22:33:44:55  <=
> Permanent MAC: 00:11:22:33:44:55

But not quite simply a dynamic version of NM cloning, as NM didn't use 
macchanger. How hard would it be to move random number code into NM? 
Then it could have the same reliability as spoofing with a static address.


Chris



Re: How to activate MAC address randomization?

2016-05-18 Thread Thomas Haller
On Wed, 2016-05-18 at 01:36 +0200, poma wrote:
> On 16.05.2016 23:07, Chris Laprise wrote:
> > 
> > 
> > 
> > On 05/16/2016 12:03 PM, poma wrote:
> > > 
> > > On 13.05.2016 00:16, Dan Williams wrote:
> > > > 
> > > > On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > I just installed NetworkManager 1.2 in fedora 23 in the hopes
> > > > > that I
> > > > > can
> > > > > get mac randomization working. Only problem is there's no
> > > > > sign of a
> > > > > setting for this in nmcli or the applet. I found a reference
> > > > > to a
> > > > > setting on the NetworkManager.conf manpage which states:
> > > > > 
> > > > >  wifi.mac-address-randomization
> > > > >  If left unspecified, MAC address randomization
> > > > > is
> > > > > disabled.
> > > > wpa_supplicant only gained the necessary functionality that
> > > > NetworkManager looks for back in late October 2015.  It was
> > > > committed
> > > > after wpa_supplicant 2.5 but it appears there hasn't been a
> > > > release
> > > > since then.  But once that happens, or if you build supplicant
> > > > version
> > > > from git, NM will begin to use that capability if you've enable
> > > > it in
> > > > the NM configuration.
> > > > 
> > > > http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
> > > > 
> > > > Dan
> > > > 
> > > dbus: Expose interface globals via D-Bus properties - 2.5
> > > backport
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1336495
> > > 
> > > Professor, your patch your move ;)
> > LOL, that's great. I hope this means the feature could land in
> > Fedora 
> > 24, which has wpas 2.5.
> > 
> > Chris
> > 
> # grep rand /etc/NetworkManager/NetworkManager.conf 
> wifi.mac-address-randomization=2

the value 2 here means ALWAYS:

typedef enum {
    NM_SETTING_MAC_RANDOMIZATION_DEFAULT = 0,
    NM_SETTING_MAC_RANDOMIZATION_NEVER = 1,
    NM_SETTING_MAC_RANDOMIZATION_ALWAYS = 2,
} NMSettingMacRandomization;

> 
> # nmcli connection show WiFiRd | grep rand
> 802-11-wireless.mac-address-randomization:default

correct, so it is allowed to fallback to the global configuration
above.




> # journalctl -o cat -b -u NetworkManager | grep random
> NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]:
> config: set MAC randomization to 1

here NM logs the value for the supplicant, that is supplicant's
"MacAddr" property, it is either 0 (no-rand) or 1 (randomization).

This is not the numeric value 2 (from NMSettingMacRandomization).


So, above is correct and as expected (albeit confusing).


> The problem is that "rand-mac" does not work,
> tested with patched 2.5 and 2.6-devel,
> mt7601u and rt2800usb driven devices.

Why do you say that "rand-mac" does not work?



Thomas
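
The precedence described in this thread (per-connection value first, then the [connection] default in NetworkManager.conf, then the built-in "never"), together with the 0/1 value NM logs for the supplicant's MacAddr property, as an added example that is not part of the original messages or NetworkManager's own code. It assumes the keyfile Wi-Fi section is named [wifi] (long alias [802-11-wireless]), reads only the plain [connection] section, and uses constructed sample files.

```python
import configparser

# Numeric values of NMSettingMacRandomization, as quoted in the thread.
MODES = {0: "default", 1: "never", 2: "always"}
KEY = "mac-address-randomization"


def _parse(text):
    """Parse GKeyFile-style text (NetworkManager.conf or a connection keyfile)."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False,
        delimiters=("=",), comment_prefixes=("#",))
    parser.read_string(text)
    return parser


def _mode(raw):
    """Map a raw value to a mode name. Assumption of this sketch: unset or
    unrecognised values are treated like 'default'."""
    try:
        return MODES[int(raw.strip())]
    except (AttributeError, ValueError, KeyError):
        return "default"


def resolve(nm_conf_text, keyfile_text):
    """Return what nmcli would show for the connection, the effective mode,
    where that mode came from, and the 0/1 value NM logs for the supplicant."""
    conf, conn = _parse(nm_conf_text), _parse(keyfile_text)

    # 1. Per-connection value from the keyfile.
    per_conn = "default"
    for section in ("wifi", "802-11-wireless"):
        if conn.has_option(section, KEY):
            per_conn = _mode(conn.get(section, KEY))
            break

    if per_conn != "default":
        effective, source = per_conn, "connection"
    else:
        # 2. Global default, consulted only when the connection says "default".
        global_default = _mode(
            conf.get("connection", "wifi." + KEY, fallback=None))
        if global_default != "default":
            effective, source = global_default, "NetworkManager.conf"
        else:
            # 3. Built-in fallback for this property.
            effective, source = "never", "built-in"

    return {
        "nmcli_shows": per_conn,
        "effective": effective,
        "source": source,
        "supplicant_mac_addr": 1 if effective == "always" else 0,
    }


# Constructed sample inputs (not taken from a real system).
GLOBAL_ALWAYS = ("[main]\nplugins=keyfile\n\n"
                 "[connection]\nwifi.mac-address-randomization=2\n")
GLOBAL_NEVER = "[connection]\nwifi.mac-address-randomization=1\n"
NO_GLOBAL = "[main]\nplugins=keyfile\n"


def keyfile(value=None):
    """Build a constructed keyfile, optionally with an explicit value."""
    text = ("[connection]\nid=WiFiRd\ntype=wifi\n\n"
            "[wifi]\nssid=example\nmode=infrastructure\n")
    if value is not None:
        text += "%s=%d\n" % (KEY, value)
    return text


if __name__ == "__main__":
    cases = [
        ("global=2, connection unset", GLOBAL_ALWAYS, keyfile()),
        ("global=1, connection=0", GLOBAL_NEVER, keyfile(0)),
        ("global=1, connection=1", GLOBAL_NEVER, keyfile(1)),
        ("global=1, connection=2", GLOBAL_NEVER, keyfile(2)),
        ("no global, connection unset", NO_GLOBAL, keyfile()),
    ]
    for label, conf_text, keyfile_text in cases:
        print(label, "->", resolve(conf_text, keyfile_text))
```

The result is the policy NetworkManager requests from the supplicant; as the thread notes, whether the address actually changes on association still depends on wpa_supplicant support.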



Re: How to activate MAC address randomization?

2016-05-18 Thread poma
On 18.05.2016 06:14, Chris Laprise wrote:
> 
> 
> On 05/17/2016 07:36 PM, poma wrote:
>> On 16.05.2016 23:07, Chris Laprise wrote:
>>>
>>> On 05/16/2016 12:03 PM, poma wrote:
>>>> On 13.05.2016 00:16, Dan Williams wrote:
>>>>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>>>>> can
>>>>>> get mac randomization working. Only problem is there's no sign of a
>>>>>> setting for this in nmcli or the applet. I found a reference to a
>>>>>> setting on the NetworkManager.conf manpage which states:
>>>>>>
>>>>>>   wifi.mac-address-randomization
>>>>>>   If left unspecified, MAC address randomization is
>>>>>> disabled.
>>>>> wpa_supplicant only gained the necessary functionality that
>>>>> NetworkManager looks for back in late October 2015.  It was committed
>>>>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>>>>> since then.  But once that happens, or if you build supplicant version
>>>>> from git, NM will begin to use that capability if you've enable it in
>>>>> the NM configuration.
>>>>>
>>>>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>>>>
>>>>> Dan
>>>>>
>>>> dbus: Expose interface globals via D-Bus properties - 2.5 backport
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1336495
>>>>
>>>> Professor, your patch your move ;)
>>> LOL, that's great. I hope this means the feature could land in Fedora
>>> 24, which has wpas 2.5.
>>>
>>> Chris
>>>
>> # grep rand /etc/NetworkManager/NetworkManager.conf
>> wifi.mac-address-randomization=2
>>
>> # nmcli connection show WiFiRd | grep rand
>> 802-11-wireless.mac-address-randomization:default
>>
>> # journalctl -o cat -b -u NetworkManager | grep random
>> NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]: config: set 
>> MAC randomization to 1
>>
>>
>> The problem is that "rand-mac" does not work,
>> tested with patched 2.5 and 2.6-devel,
>> mt7601u and rt2800usb driven devices.
>>
> Does this leave us with fully functional pre-connection randomization 
> anyway? I would define 'full function' as the original mac addr not 
> being broadcast when Network Manager scans then connects using either of 
> the following:
> 
> 1. A random address for any target AP
> 2. A static spoofed address for a predefined NM connection
> 
> The second case, at least, puts control of disclosure of the original 
> 'hardware' address in the hands of the user. That is a big step in the 
> right direction.
> 
> I would also like to know if the second case is already possible with 
> the current unpatched releases of nm and wpas.
> 
> Many thanks,
> Chris
> 


2nd - 'cloned-mac-address' is there, if not from the very beginning

1st - 'mac-address-randomization' i.e. "dynamic" version of the 2nd,
   works like this - observing 'watch -n.1 macchanger -s wlp0s2f1u3'
   it randomizes "Current MAC" value,
   e.g.
   Current MAC:   ea:1q:3w:z5:y8:ae  <=
   Permanent MAC: 00:11:22:33:44:55

   but during connection attempts it returns
   to the original - "Permanent MAC" value,
   e.g.
   Current MAC:   00:11:22:33:44:55  <=
   Permanent MAC: 00:11:22:33:44:55




Re: How to activate MAC address randomization?

2016-05-17 Thread Chris Laprise



On 05/17/2016 07:36 PM, poma wrote:
> On 16.05.2016 23:07, Chris Laprise wrote:
>> On 05/16/2016 12:03 PM, poma wrote:
>>> On 13.05.2016 00:16, Dan Williams wrote:
>>>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>>>> Hi,
>>>>>
>>>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>>>> can
>>>>> get mac randomization working. Only problem is there's no sign of a
>>>>> setting for this in nmcli or the applet. I found a reference to a
>>>>> setting on the NetworkManager.conf manpage which states:
>>>>>
>>>>>   wifi.mac-address-randomization
>>>>>   If left unspecified, MAC address randomization is
>>>>> disabled.
>>>> wpa_supplicant only gained the necessary functionality that
>>>> NetworkManager looks for back in late October 2015.  It was committed
>>>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>>>> since then.  But once that happens, or if you build supplicant version
>>>> from git, NM will begin to use that capability if you've enable it in
>>>> the NM configuration.
>>>>
>>>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>>>
>>>> Dan
>>> dbus: Expose interface globals via D-Bus properties - 2.5 backport
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1336495
>>>
>>> Professor, your patch your move ;)
>> LOL, that's great. I hope this means the feature could land in Fedora
>> 24, which has wpas 2.5.
>>
>> Chris
> # grep rand /etc/NetworkManager/NetworkManager.conf
> wifi.mac-address-randomization=2
>
> # nmcli connection show WiFiRd | grep rand
> 802-11-wireless.mac-address-randomization:default
>
> # journalctl -o cat -b -u NetworkManager | grep random
> NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>
> The problem is that "rand-mac" does not work,
> tested with patched 2.5 and 2.6-devel,
> mt7601u and rt2800usb driven devices.

Does this leave us with fully functional pre-connection randomization 
anyway? I would define 'full function' as the original mac addr not 
being broadcast when Network Manager scans then connects using either of 
the following:

1. A random address for any target AP
2. A static spoofed address for a predefined NM connection

The second case, at least, puts control of disclosure of the original 
'hardware' address in the hands of the user. That is a big step in the 
right direction.

I would also like to know if the second case is already possible with 
the current unpatched releases of nm and wpas.


Many thanks,
Chris



Re: How to activate MAC address randomization?

2016-05-17 Thread poma
On 16.05.2016 23:07, Chris Laprise wrote:
> 
> 
> On 05/16/2016 12:03 PM, poma wrote:
>> On 13.05.2016 00:16, Dan Williams wrote:
>>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>>> Hi,
>>>>
>>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>>> can
>>>> get mac randomization working. Only problem is there's no sign of a
>>>> setting for this in nmcli or the applet. I found a reference to a
>>>> setting on the NetworkManager.conf manpage which states:
>>>>
>>>>  wifi.mac-address-randomization
>>>>  If left unspecified, MAC address randomization is
>>>> disabled.
>>> wpa_supplicant only gained the necessary functionality that
>>> NetworkManager looks for back in late October 2015.  It was committed
>>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>>> since then.  But once that happens, or if you build supplicant version
>>> from git, NM will begin to use that capability if you've enabled it in
>>> the NM configuration.
>>>
>>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>>
>>> Dan
>>>
>> dbus: Expose interface globals via D-Bus properties - 2.5 backport
>> https://bugzilla.redhat.com/show_bug.cgi?id=1336495
>>
>> Professor, your patch your move ;)
> 
> LOL, that's great. I hope this means the feature could land in Fedora 
> 24, which has wpas 2.5.
> 
> Chris
> 

# grep rand /etc/NetworkManager/NetworkManager.conf 
wifi.mac-address-randomization=2

# nmcli connection show WiFiRd | grep rand
802-11-wireless.mac-address-randomization:default

# journalctl -o cat -b -u NetworkManager | grep random
NetworkManager[2081]:   [...] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1


The problem is that "rand-mac" does not work,
tested with patched 2.5 and 2.6-devel,
mt7601u and rt2800usb driven devices.




Re: How to activate MAC address randomization?

2016-05-16 Thread Chris Laprise



On 05/16/2016 12:03 PM, poma wrote:
> On 13.05.2016 00:16, Dan Williams wrote:
>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>> Hi,
>>>
>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>> can get mac randomization working. Only problem is there's no sign of a
>>> setting for this in nmcli or the applet. I found a reference to a
>>> setting on the NetworkManager.conf manpage which states:
>>>
>>>  wifi.mac-address-randomization
>>>  If left unspecified, MAC address randomization is disabled.
>> wpa_supplicant only gained the necessary functionality that
>> NetworkManager looks for back in late October 2015.  It was committed
>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>> since then.  But once that happens, or if you build supplicant version
>> from git, NM will begin to use that capability if you've enabled it in
>> the NM configuration.
>>
>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>
>> Dan
> dbus: Expose interface globals via D-Bus properties - 2.5 backport
> https://bugzilla.redhat.com/show_bug.cgi?id=1336495
>
> Professor, your patch your move ;)

LOL, that's great. I hope this means the feature could land in Fedora
24, which has wpas 2.5.

Chris


Re: How to activate MAC address randomization?

2016-05-16 Thread poma
On 13.05.2016 00:16, Dan Williams wrote:
> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>> Hi,
>>
>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>> can 
>> get mac randomization working. Only problem is there's no sign of a 
>> setting for this in nmcli or the applet. I found a reference to a 
>> setting on the NetworkManager.conf manpage which states:
>>
>> wifi.mac-address-randomization
>> If left unspecified, MAC address randomization is
>> disabled.
> 
> wpa_supplicant only gained the necessary functionality that
> NetworkManager looks for back in late October 2015.  It was committed
> after wpa_supplicant 2.5 but it appears there hasn't been a release
> since then.  But once that happens, or if you build supplicant version
> from git, NM will begin to use that capability if you've enabled it in
> the NM configuration.
> 
> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
> 
> Dan
> 

dbus: Expose interface globals via D-Bus properties - 2.5 backport
https://bugzilla.redhat.com/show_bug.cgi?id=1336495

Professor, your patch your move ;)




Re: How to activate MAC address randomization?

2016-05-15 Thread forum
Thank you Thomas for your quick reply.


> When you run wpa-supplicant via NetworkManager, NM configures the
> supplicant via D-Bus. While /etc/wpa_supplicant/wpa_supplicant.conf
> still is used (depending on your configuration), I don't think it
> matters nor does it sound right to do.

OK, so now, I commented these three options in wpa_supplicant.conf, so
it's back to the default values.



>> For my SSID, /etc/NetworkManager/system-connections/TNCAP1CA11F, I
>> put
>> mac-address-randomization=2 (I also empty mac-address at some point).
>>
>> Then, I reload: systemctl reload wpa_supplicant && systemctl reload
>> NetworkManager
> you can edit keyfiles in /etc/NetworkManager/system-connections, but
> afterwards you must issue `nmcli connection reload` -- not `systemctl
> reload`. The former reloads connections from disk, the latter reloads
> NetworkManager configuration.
>
> Well, whatever the details here... Let's just assume after editing the
> files you did sufficiently reload the involved components :)

Yes, I always reload both wpa_supplicant and NM before checking a
configuration. It might be overkill... :)
but I took this precaution.
Sorry, I made a typo also, I wanted to write systemctl restart, so I'm
sure that the process is killed.


>> to check the MAC address. I noticed that a first address (different
>> to the
>> physical one) was attributed but before the connection was
>> established.
> You mean, during scanning it was randomized? That sounds right as NM
> always sets PreassocMacAddr=1

Yes and yes. That was something positive to me.
>
>> And
>> then, a second one corresponding to the physical one was used to
>> establish
>> the connection. Looking at journalctl -xn confirmed what I saw.
>>
>> I checked with 
>> nmcli connection show TNCAP1CA11F
>> that the random field (802-11-wireless.mac-address-randomization) was
>> on
>> "always". 
>>
>>
>> I noticed that if I added a section [connection] in
>> /etc/NetworkManager/NetworkManager.conf with
>> wifi.mac-address-randomization=1 and in
>> /etc/NetworkManager/system-connections/TNCAP1CA11F, I put
>> mac-address-randomization=1, nmcli connection show TNCAP1CA11F was on
>> "never".
> Editing [connection] section in /etc/NetworkManager/NetworkManager.conf
> allows you to configure default-values for connection properties.
> But those default values *only* take effect, when the value in the
> connection itself is set to "default".
>
> That is, if `nmcli connection show TNCAP1CA11F` gives "never" or
> "always", the default value is completely ignored, because the per-
> connection setting is preferred.

Sorry I was not clear  here. Let me clarify the config in both files and
the output of the command + the MAC address.
As I write, I redo the tests.
Case 1:
* [connection] wifi.mac-address-randomization=1
* mac-address-randomization=0
-> default and physical MAC address

Case 2:
* [connection] wifi.mac-address-randomization=1
* mac-address-randomization=1
-> never and physical MAC address

Case 3:
* [connection] wifi.mac-address-randomization=1
* mac-address-randomization=2
-> always and physical MAC address


If I comment the default option (ie I comment lines [connection] and the
next line wifi.mac-address-randomization=1), case 1, 2 and 3, give the
same results.

The only thing I do not understand is why the mac address is not
randomized for cases 2 or 3, for an established connection?
Do you agree that my expectations are correct?

>
> For the default-value to be used, `nmcli connection show TNCAP1CA11F`
> must show you "mac-address-randomization=default".
>
I agree.

> You say that you edit various files, but beware that you have to reload
> stuff afterwards.
> For that reason, it's simpler you just do
>
>   nmcli connection modify TNCAP1CA11F \
>  802-11-wireless.mac-address-randomization default
>
>
> -- note that after changing a connection, you must always re-activate
> the connection to take effect.
>
> (that is, `nmcli connection up TNCAP1CA11F`).

As said above, I restart(ed)  wpa_supp and nm with systemctl. Then, I
always check that nm-applet is connected to that SSID before reading the
mac address. I also tried your solution but it is the same as we may guess.

I probably miss something stupid as it seems to work for you.

Thanks.

-- 
François Boulogne.
http://www.sciunto.org
GPG: 32D5F22F




Re: How to activate MAC address randomization?

2016-05-15 Thread Thomas Haller
On Sun, 2016-05-15 at 19:28 +, François Boulogne wrote:
> Hi,

Hi,




> I also tried on my side and it didn't work. Here are the details. I'm
> using
> archlinux and I compiled wpa_supplicant from git (cloned today). I'm
> using
> networkmanager 1.2.2.
> 
> In /etc/wpa_supplicant/wpa_supplicant.conf,

When you run wpa-supplicant via NetworkManager, NM configures the
supplicant via D-Bus. While /etc/wpa_supplicant/wpa_supplicant.conf
still is used (depending on your configuration), I don't think it
matters nor does it sound right to do.

> I turned the options (mac_addr
> (x2) and preassoc_mac_addr) to 1 or 2.

When NM detects support in wpa-supplicant, it always sets
PreassocMacAddr to 1. This setting is only relevant during scanning,
and thus NM *always* enables it.

The mac-address-randomization connection-setting on the other hand,
configures the behavior while being connected.


> For my SSID, /etc/NetworkManager/system-connections/TNCAP1CA11F, I
> put
> mac-address-randomization=2 (I also empty mac-address at some point).
> 
> Then, I reload: systemctl reload wpa_supplicant && systemctl reload
> NetworkManager

you can edit keyfiles in /etc/NetworkManager/system-connections, but
afterwards you must issue `nmcli connection reload` -- not `systemctl
reload`. The former reloads connections from disk, the latter reloads
NetworkManager configuration.

Well, whatever the details here... Let's just assume after editing the
files you did sufficiently reload the involved components :)


> 
> Simultaneously, I used
> 
> watch ip addr show  wlp3s0

> to check the MAC address. I noticed that a first address (different
> to the
> physical one) was attributed but before the connection was
> established.

You mean, during scanning it was randomized? That sounds right as NM
always sets PreassocMacAddr=1

> And
> then, a second one corresponding to the physical one was used to
> establish
> the connection. Looking at journalctl -xn confirmed what I saw.
> 
> I checked with 
> nmcli connection show TNCAP1CA11F
> that the random field (802-11-wireless.mac-address-randomization) was
> on
> "always". 
> 
> 
> I noticed that if I added a section [connection] in
> /etc/NetworkManager/NetworkManager.conf with
> wifi.mac-address-randomization=1 and in
> /etc/NetworkManager/system-connections/TNCAP1CA11F, I put
> mac-address-randomization=1, nmcli connection show TNCAP1CA11F was on
> "never".

Editing [connection] section in /etc/NetworkManager/NetworkManager.conf
allows you to configure default-values for connection properties.
But those default values *only* take effect, when the value in the
connection itself is set to "default".

That is, if `nmcli connection show TNCAP1CA11F` gives "never" or
"always", the default value is completely ignored, because the per-
connection setting is preferred.

For the default-value to be used, `nmcli connection show TNCAP1CA11F`
must show you "mac-address-randomization=default".


(as explained in `man NetworkManager.conf`).


You say that you edit various files, but beware that you have to reload
stuff afterwards.
For that reason, it's simpler you just do

  nmcli connection modify TNCAP1CA11F \
     802-11-wireless.mac-address-randomization default


-- note that after changing a connection, you must always re-activate
the connection to take effect.

(that is, `nmcli connection up TNCAP1CA11F`).

> I'm puzzled with this. I have no clue where I can be wrong. The doc
> of both
> projects didn't help me much on that. I also tried different
> combinations of
> option, without any success. Any thought?



Thomas
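
Added example, not part of the original thread and not NetworkManager's own code: an offline resolver for the precedence described in the message above (an explicit per-connection never/always wins; the [connection] default in NetworkManager.conf applies only when the profile is at "default"), plus a scan for the "missing supplicant support" log line quoted in the thread. The sample file contents, the [wifi] keyfile section name and all function names are assumptions made for illustration.

```python
import configparser
import re

# Numeric values as used in this thread: 0 = default, 1 = never, 2 = always.
MODES = {"0": "default", "1": "never", "2": "always"}
KEY = "mac-address-randomization"
NO_SUPPORT = re.compile(
    r"device \(([^)]+)\): .*cannot enable mac-randomization "
    r"due to missing supplicant support"
)


def _parse(text):
    # NetworkManager.conf and keyfiles are INI-like; '=' is the only delimiter
    # so values such as "mac:fe:ff:..." are not split on ':'.
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    cp.read_string(text)
    return cp


def _mode(raw):
    raw = raw.strip().lower()
    if raw in MODES:
        return MODES[raw]
    if raw in MODES.values():
        return raw
    raise ValueError(f"unrecognised {KEY} value: {raw!r}")


def effective_randomization(nm_conf_text, keyfile_text):
    """Return (mode, source) for one Wi-Fi profile, per-connection value first."""
    keyfile = _parse(keyfile_text)
    conn_mode = "default"
    # Assumption: the keyfile stores the key under [wifi] (or the older
    # [802-11-wireless] section name).
    for section in ("wifi", "802-11-wireless"):
        if keyfile.has_option(section, KEY):
            conn_mode = _mode(keyfile.get(section, KEY))
            break
    if conn_mode != "default":
        # An explicit never/always in the profile ignores NetworkManager.conf.
        return conn_mode, "connection profile"
    conf = _parse(nm_conf_text)
    if conf.has_option("connection", "wifi." + KEY):
        global_mode = _mode(conf.get("connection", "wifi." + KEY))
        if global_mode != "default":
            return global_mode, "NetworkManager.conf [connection]"
    # Man page text quoted in the thread: unspecified means disabled.
    return "never", "unspecified"


def interfaces_without_supplicant_support(journal_lines):
    """Interfaces whose activation failed because the supplicant lacks support."""
    return sorted({m.group(1) for line in journal_lines
                   if (m := NO_SUPPORT.search(line))})


# Constructed sample inputs (modelled on the settings discussed in the thread).
CONF_GLOBAL_ALWAYS = """
[main]
plugins=keyfile

[connection]
wifi.mac-address-randomization=2

[keyfile]
unmanaged-devices=mac:fe:ff:ff:ff:ff:ff
"""
CONF_GLOBAL_NEVER = "[connection]\nwifi.mac-address-randomization=1\n"
CONF_EMPTY = "[main]\nplugins=keyfile\n"
KEYFILE_DEFAULT = "[connection]\nid=example\n\n[wifi]\nssid=example\n"
KEYFILE_ALWAYS = KEYFILE_DEFAULT + "mac-address-randomization=2\n"
JOURNAL = [
    "device (wlp3s0): Activation: (wifi) couldn't build wireless configuration: "
    "802-11-wireless: cannot enable mac-randomization due to missing supplicant support",
    "device (wlp3s0): supplicant interface state: ready -> inactive",
]

if __name__ == "__main__":
    for conf in (CONF_GLOBAL_ALWAYS, CONF_GLOBAL_NEVER, CONF_EMPTY):
        for keyfile in (KEYFILE_DEFAULT, KEYFILE_ALWAYS):
            print(effective_randomization(conf, keyfile))
    print(interfaces_without_supplicant_support(JOURNAL))
```

The resolver only reports what the configuration asks for; whether the address on the wire actually changes still depends on the supplicant and driver support discussed in this thread.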



Re: How to activate MAC address randomization?

2016-05-15 Thread François Boulogne

Hi,

I also tried on my side and it didn't work. Here are the details. I'm using
archlinux and I compiled wpa_supplicant from git (cloned today). I'm using
networkmanager 1.2.2.

In /etc/wpa_supplicant/wpa_supplicant.conf, I turned the options (mac_addr
(x2) and preassoc_mac_addr) to 1 or 2.
For my SSID, /etc/NetworkManager/system-connections/TNCAP1CA11F, I put
mac-address-randomization=2 (I also empty mac-address at some point).

Then, I reload: systemctl reload wpa_supplicant && systemctl reload
NetworkManager

Simultaneously, I used

watch ip addr show  wlp3s0

to check the MAC address. I noticed that a first address (different to the
physical one) was attributed but before the connection was established. And
then, a second one corresponding to the physical one was used to establish
the connection. Looking at journalctl -xn confirmed what I saw.

I checked with 
nmcli connection show TNCAP1CA11F
that the random field (802-11-wireless.mac-address-randomization) was on
"always". 


I noticed that if I added a section [connection] in
/etc/NetworkManager/NetworkManager.conf with
wifi.mac-address-randomization=1 and in
/etc/NetworkManager/system-connections/TNCAP1CA11F, I put
mac-address-randomization=1, nmcli connection show TNCAP1CA11F was on "never".


I'm puzzled with this. I have no clue where I can be wrong. The doc of both
projects didn't help me much on that. I also tried different combinations of
option, without any success. Any thought?

Thank you.
François


Re: How to activate MAC address randomization?

2016-05-14 Thread poma
On 13.05.2016 17:37, Chris Laprise wrote:
> 
> 
> On 05/12/2016 06:16 PM, Dan Williams wrote:
>> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>>> Hi,
>>>
>>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>>> can
>>> get mac randomization working. Only problem is there's no sign of a
>>> setting for this in nmcli or the applet. I found a reference to a
>>> setting on the NetworkManager.conf manpage which states:
>>>
>>>  wifi.mac-address-randomization
>>>  If left unspecified, MAC address randomization is
>>> disabled.
>> wpa_supplicant only gained the necessary functionality that
>> NetworkManager looks for back in late October 2015.  It was committed
>> after wpa_supplicant 2.5 but it appears there hasn't been a release
>> since then.  But once that happens, or if you build supplicant version
>> from git, NM will begin to use that capability if you've enabled it in
>> the NM configuration.
>>
>> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>>
>> Dan
>>
> 
> So there is no current release of wpa_supplicant that supports the 
> randomization feature?
> 
> According to Lubomir Rintel and Michael Biebl the feature was released 
> in 2.4.
> 
> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks/
> 
> Chris


- Add support for using random local MAC address
  https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.conf?id=c267753

-is- part of >= wpa_supplicant 2.4
  https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf?id=918803

- hostapd/wpa_supplicant 2.4
  https://w1.fi/cgit/hostap/tag/?h=hostap_2_4
- Change version information for the 2.4 release
  https://w1.fi/cgit/hostap/commit/?id=918803

but Williams speaks of the necessary elements to do so in the context,

"D-BUS is a system for sending messages between applications. ..."

- dbus: Expose interface globals via D-Bus properties
  https://w1.fi/cgit/hostap/commit/?id=e50c50d




Re: How to activate MAC address randomization?

2016-05-13 Thread Chris Laprise



On 05/12/2016 06:16 PM, Dan Williams wrote:
> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>> Hi,
>>
>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>> can get mac randomization working. Only problem is there's no sign of a
>> setting for this in nmcli or the applet. I found a reference to a
>> setting on the NetworkManager.conf manpage which states:
>>
>>  wifi.mac-address-randomization
>>  If left unspecified, MAC address randomization is disabled.
> wpa_supplicant only gained the necessary functionality that
> NetworkManager looks for back in late October 2015.  It was committed
> after wpa_supplicant 2.5 but it appears there hasn't been a release
> since then.  But once that happens, or if you build supplicant version
> from git, NM will begin to use that capability if you've enabled it in
> the NM configuration.
>
> http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747
>
> Dan

So there is no current release of wpa_supplicant that supports the
randomization feature?

According to Lubomir Rintel and Michael Biebl the feature was released
in 2.4.

https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks/

Chris


Re: How to activate MAC address randomization?

2016-05-12 Thread Dan Williams
On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
> Hi,
> 
> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
> can 
> get mac randomization working. Only problem is there's no sign of a 
> setting for this in nmcli or the applet. I found a reference to a 
> setting on the NetworkManager.conf manpage which states:
> 
> wifi.mac-address-randomization
> If left unspecified, MAC address randomization is
> disabled.

wpa_supplicant only gained the necessary functionality that
NetworkManager looks for back in late October 2015.  It was committed
after wpa_supplicant 2.5 but it appears there hasn't been a release
since then.  But once that happens, or if you build supplicant version
from git, NM will begin to use that capability if you've enabled it in
the NM configuration.

http://w1.fi/cgit/hostap/commit/?id=e50c50d5a090a6a52af6d92ee3a3c9cc37743747

Dan


Re: How to activate MAC address randomization?

2016-05-12 Thread Chris Laprise



On 04/29/2016 09:07 PM, Thomas Haller wrote:
> On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
>> Hi,
>>
>> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
>> can get mac randomization working. Only problem is there's no sign of a
>> setting for this in nmcli or the applet. I found a reference to a
>> setting on the NetworkManager.conf manpage which states:
>>
>>  wifi.mac-address-randomization
>>  If left unspecified, MAC address randomization is disabled.
>>
>> But it's not clear what range of values should be specified here. The
>> nm-settings manpage suggests this is a valid way to turn on
>> randomization:
>>
>> [connection]
>> wifi.mac-address-randomization=2
>>
>> ...in /etc/NetworkManager/NetworkManager.conf
>>
>> However, it has no effect. I'm not sure what I'm missing here.
> Hi,
>
> How can you tell that it has no effect?

Hi,

I can tell it's not randomizing when I check the address from ifconfig or
'macchanger -s'. The original address is shown.

> Setting default values in /etc/NetworkManager/NetworkManager.conf would
> work, for that you need to leave the per-connection value at "default".
> After editing the connection, you must always reload with `killall
> -SIGHUP NetworkManager`.

So if my NetworkManager.conf looks like the following, it should work...?

   [main]
   plugins=keyfile

   [connection]
   wifi.mac-address-randomization=2

   [logging]
   #level=DEBUG
   [keyfile]
   unmanaged-devices=mac:fe:ff:ff:ff:ff:ff

The 'unmanaged' line is a reference to Qubes virtual interfaces; it
should have no bearing on wifi.

> mac-address-randomization requires support by Hardware and wpa-
> supplicant. On Fedora23 I get a failure and the logfile reads:
>
>   device (wlp3s0): Activation: (wifi) couldn't build wireless configuration: 802-11-wireless: cannot enable mac-randomization due to missing supplicant support

Which log... dmesg or journalctl NetworkManager.service ?

The version of wpa_supplicant I have in f23 is 2.4. This should support
the feature. But I think you're implying that iwlwifi and/or the
hardware are also a factor. What would be helpful is a list of hardware
and driver versions that are known to work with randomization.

> Thomas

Thanks,
Chris


Re: How to activate MAC address randomization?

2016-04-30 Thread Thomas Haller
On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
> Hi,
> 
> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
> can 
> get mac randomization working. Only problem is there's no sign of a 
> setting for this in nmcli or the applet. I found a reference to a 
> setting on the NetworkManager.conf manpage which states:
> 
> wifi.mac-address-randomization
> If left unspecified, MAC address randomization is
> disabled.
> 
> But its not clear what range of values should be specified here. The 
> nm-settings manpage suggests this is a valid way to turn on
> randomization:
> 
> > 
> > [connection]
> > wifi.mac-address-randomization=2
> ...in /etc/NetworkManager/NetworkManager.conf
> 
> However, it has no effect. I'm not sure what I'm missing here.

Hi,


How can you tell that it has no effect?


See `man nm-settings`, or

$ nmcli connection edit $WIFI_CONNECTION
> describe wifi.mac-address-randomization



Verify the setting with
$ nmcli connection show $WIFI_CONNECTION



Setting default values in /etc/NetworkManager/NetworkManager.conf would
work, for that you need to leave the per-connection value at "default".
After editing the connection, you must always reload with `killall
-SIGHUP NetworkManager`.



mac-address-randomization requires support by Hardware and wpa-
supplicant. On Fedora23 I get a failure and the logfile reads:

  device (wlp3s0): Activation: (wifi) couldn't build wireless configuration: 802-11-wireless: cannot enable mac-randomization due to missing supplicant support



Thomas




Re: How to activate MAC address randomization?

2016-04-29 Thread Thomas Haller
On Fri, 2016-04-29 at 16:09 -0400, Chris Laprise wrote:
> 
> Hi,
> 
> I just installed NetworkManager 1.2 in fedora 23 in the hopes that I
> can 
> get mac randomization working. Only problem is there's no sign of a 
> setting for this in nmcli or the applet. I found a reference to a 
> setting on the NetworkManager.conf manpage which states:
> 
> wifi.mac-address-randomization
> If left unspecified, MAC address randomization is
> disabled.
> 
> But its not clear what range of values should be specified here. The 
> nm-settings manpage suggests this is a valid way to turn on
> randomization:
> 
> > 
> > 
> > [connection]
> > wifi.mac-address-randomization=2
> ...in /etc/NetworkManager/NetworkManager.conf
> 
> However, it has no effect. I'm not sure what I'm missing here.


Hi,


How can you tell that it has no effect?


See `man nm-settings`, or

$ nmcli connection edit $WIFI_CONNECTION
> describe wifi.mac-address-randomization


Verify the setting with
$ nmcli connection show $WIFI_CONNECTION



Setting default values in /etc/NetworkManager/NetworkManager.conf would
work, for that you need to leave the per-connection value at "default".
After editing the connection, you must always reload with `killall
-SIGHUP NetworkManager`.



mac-address-randomization requires support by Hardware and wpa-
supplicant. On Fedora23 I get a failure and the logfile reads:

  device (wlp3s0): Activation: (wifi) couldn't build wireless configuration: 802-11-wireless: cannot enable mac-randomization due to missing supplicant support



Thomas
