Justin, Thank you for pointing out that most management systems (AirWave, etc) use the MAC address as a unique identifier - it is supposed to be a unique hardware address.
I've seen indication of that MAC on our Airwave Management Platform at Emory and can deduce we had 3-4 unique visitors, mostly on our guest network, but no successful authentications on our WPA-Enterprise network. The first sighting was on 07/23/2010, there was a sighting on 09/01/2010, and the last time I saw that MAC (possibly two separate users) was on 09/16/2010. I do have two different email addresses for the last two sightings, but will probably not pursue this further unless we have more sightings. This doesn't seem like a big issue here, but it is troubling if a manufacturer is putting out product with duplicate unique hardware identifiers (MAC addresses).

>>->
Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C
Sent: Monday, September 27, 2010 11:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

keep in mind that in airwave, the clients are uniquely identified by their mac address, so you'll need to check if multiple usernames show up associated to this single mac address, if this is the case, most likely it is multiple clients with either a manually configured mac address (due to WEP sniffing guides on the internet) or with possibly defective wireless NICs. Airwave (and other monitoring systems) won't be able to show you the "real" manufacturer because they're only performing a standard oui lookup on the first 3 octets. what James (YorkU) did is the next logical step in trying to identify these clients by other metrics (hostname, useragent, etc) depending on how much time and interest you have in this.
We've seen at least 4 users all claiming to be 00:11:22:33:44:55 in the past week and we're internally discussing options on how to deal with this issue.

-----
Justin Hao CCNA
Network Engineer, ITS Networking
The University of Texas at Austin
j...@austin.utexas.edu
-----

On Sep 27, 2010, at 9:10 AM, Holland, Ryan C. wrote:

I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc.

==========
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland....@osu.edu

On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote:

Fascinating. We have one user on campus so far with this address:

00:11:22:33:44:55
Vendor (reported by Airwave): CIMSYS Inc

For Macbooks, the vendor is typically reported as Apple or Apple,Inc.

Mike

********************************************************
Michael Dickson 413.545.9639
Network Analyst
Univ. of Massachusetts Amherst
********************************************************

On 9/26/2010 11:34 PM, Watters, John wrote:

I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-and-they-will-come method.

-jcw

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu]
Sent: Friday, September 24, 2010 4:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Thought I'd share some interesting news...
The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55

Diana Cortes, CISSP, CWNA
University of Miami
IT - Telecommunications

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams
Sent: Monday, September 20, 2010 7:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Not sure if there is software out there for the mac to change this automatically, if you just do an "ifconfig en1 ether xx:xx:xx:xx:xx:xx", the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /System/Library/StartupItems/ and then run

    sudo chmod 700 script.sh
    sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh

to get it to stick permanently. So it seems to me like people are probably doing this intentionally.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
greg.willi...@uccs.edu

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C
Sent: Monday, September 20, 2010 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to "00:11:22:33:44:55" manually in the instructions to setup traffic sniffing).
If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have not realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted.

-----
Justin Hao CCNA
Network Engineer, ITS Networking
The University of Texas at Austin
j...@austin.utexas.edu
-----

On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote:

Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address.

Thank you,

Diana Cortes, CISSP, CWNA
University of Miami
IT-Telecommunications

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
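
Added example, not part of the original thread: one way to run the check suggested above (multiple usernames or hostnames tied to a single MAC address) over session records. The record layout, sample rows and function names are constructed for illustration and are not an AirWave export format.

```python
from collections import defaultdict

# Constructed sample records: timestamp,mac,username,hostname.
# This layout is an assumption for the example, not an AirWave export format.
SAMPLE_SESSIONS = """\
2010-09-20T09:12:03,00:11:22:33:44:55,student_a,alices-macbook
2010-09-21T14:40:11,00-11-22-33-44-55,student_b,bobs-macbook-pro
2010-09-21T15:02:47,0011.2233.4455,student_b,bobs-macbook-pro
2010-09-22T08:30:00,02:AA:BB:CC:DD:01,student_c,lab-laptop
2010-09-22T10:05:19,02:aa:bb:cc:dd:01,student_c,lab-laptop
2010-09-23T11:45:52,00:11:22:33:44:55,,carols-mbp
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff regardless of separator style or case."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_shared_macs(log_text, threshold=2):
    """Map each MAC seen with >= threshold distinct usernames or hostnames
    to the identities and time span observed for it."""
    seen = defaultdict(lambda: {"usernames": set(), "hostnames": set(), "times": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, mac, username, hostname = (f.strip() for f in line.split(","))
        entry = seen[normalize_mac(mac)]
        entry["times"].append(timestamp)
        if username:  # guest/unauthenticated sessions carry no username
            entry["usernames"].add(username.lower())
        if hostname:
            entry["hostnames"].add(hostname.lower())
    report = {}
    for mac, entry in sorted(seen.items()):
        if max(len(entry["usernames"]), len(entry["hostnames"])) >= threshold:
            report[mac] = {
                "oui": mac[:8],  # first 3 octets, all a vendor lookup sees
                "usernames": sorted(entry["usernames"]),
                "hostnames": sorted(entry["hostnames"]),
                "first_seen": min(entry["times"]),
                "last_seen": max(entry["times"]),
            }
    return report

if __name__ == "__main__":
    for mac, info in find_shared_macs(SAMPLE_SESSIONS).items():
        print(mac, info)
```

Hostnames are counted alongside usernames so that guest-network sessions with no authenticated user still contribute to the distinct-client count.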