For local users with 802.1X you can disable username authentication, and for roaming users with 802.1X, hopefully CUI (Chargeable User Identity) will become more mainstream and you can block by CUI (needs to be supported in RADIUS). MAC address was never designed to identify, but we all found it very useful for that purpose :)... time to change!

Philippe Hanset, CEO ANYROAM LLC
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

On Aug 6, 2020, at 11:03 AM, Tim Cappalli <[email protected]> wrote:

And you can continue to do that with the randomized MAC and tell them you took action against the device identifier that was presented at the time in question. Nothing changes in that regard 😊 Julian's response is my understanding as well.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Thursday, August 6, 2020 at 11:00
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

We could always take down a device by MAC address. It was weak, but it allowed us to say we did something.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Thursday, August 06, 2020 10:55 AM

Not sure how this really changes anything if you never had a strong user identity in the first place.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Thursday, August 6, 2020 at 10:51

How can we fulfill DMCA requirements when we can't even identify a device, let alone the user? If you want to remain anonymous, use a different network.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Thursday, August 06, 2020 10:45 AM

Yikes. I hope network operators are not asking users to disable user privacy protections. That is a slippery slope.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Thursday, August 6, 2020 at 10:40

Was sent this link yesterday, might help some.

https://community.cisco.com/t5/security-documents/random-mac-address-how-to-deal-with-it-using-ise/ta-p/4049321

Blake Brown
Infrastructure Manager - MHCC

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Norman Elton <[email protected]>
Sent: Thursday, August 6, 2020 5:48 AM

>> I have heard that on the latest beta that came out Tuesday the randomization
>> will only happen once per SSID and not change as well.

Oh? We will definitely be testing that. Can you share your source? My phone is still on Beta 3, and I don't have an update available for Beta 4 yet. I suppose I have to wait for my ticket to ride.

Thanks for the tip,

Norman

On Thu, Aug 6, 2020 at 6:55 AM Walter Reynolds <[email protected]> wrote:

I have heard that on the latest beta that came out Tuesday the randomization will only happen once per SSID and not change as well.

------------------------
Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438

On Wed, Aug 5, 2020, 9:09 PM Norman Elton <[email protected]> wrote:

>> Depending on your tolerance for the disruption you could implement a network
>> access policy blocking access to the range of local MACs and intercept with a
>> captive portal with instructions on how to turn this off. However, I can't
>> imagine this being sustainable.

Newer Androids use the same MAC address range for their randomization algorithm. Unlike iOS, however, their MAC address is randomized once per SSID, and doesn't change over time.

We already see a large number of private MAC addresses on our campus. I anecdotally confirmed a handful of them are Android users, and confirmed the MAC remains consistent.

Long story short, if you're looking to restrict randomized MAC addresses, or even report on their usage, you'll find more than just iOS users :-/

There is a fine line between "troubleshooting" and "tracking". Unfortunately, preventing malicious tracking is going to impact our helpful troubleshooting. As an EAP-TLS campus, we're going to attempt to de-dupe the randomized MAC addresses using the certificate serial number. This way, if someone calls on Monday to complain about a problem on Saturday, at least we have someplace to start.

Norman

On Mon, Aug 3, 2020 at 10:28 AM John Turner <[email protected]> wrote:

Update on my testing. I created an 802.1X network and connected my iOS 14 phone to it. Over the 10 days or so the phone has pretty much just sat; it's a test phone so I didn't interact with it at all.

The pattern is pretty consistent: it appears that it's changing MAC every 2 days, almost to the min. As you can see it's grabbing a different IP each time (not surprising). There is no indication in the logs that this is the same device; RADIUS looks unique, as does DHCP.

Tim and I talked last week about this. While the intent SHOULD have been to protect the association packets while allowing operators to correlate who the owner or what the device is, this is not happening.

Depending on your tolerance for the disruption you could implement a network access policy blocking access to the range of local MACs and intercept with a captive portal with instructions on how to turn this off. However, I can't imagine this being sustainable.

Any thoughts on how this might wreak havoc on a UEM solution?

--
John Turner - Head of Customer Success
[email protected]
(339) 225-0198
Join the Voyers Slack Community! <image002.jpg>

On Thu, Jul 23, 2020 at 3:35 PM David Logan <[email protected]> wrote:

Also, nothing to prevent Apple / GOOG from using frequent GPS location tied to a particular SSID for same inference.

On Thu, Jul 23, 2020 at 2:44 PM Tim Cappalli <[email protected]> wrote:

Just a quick thought. Nothing to back this up outside of people's observations. I'm wondering if there is some ML to detect BSS changes. If there's only a few BSSIDs for that SSID over time, it could infer that it's a home or "local" network.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Thursday, July 23, 2020 at 14:18

Interesting - no change on the MAC address but a new "privacy warning" that private addresses may not be supported on this network. The link does not provide any insight on this topic. I am running a PSK network on an Aruba 325.

I connected to my 802.1x network and I don't see that message, and private addressing IS enabled.

<image001.png>

The other networks I have configured also haven't seen a MAC address change.

On Thu, Jul 23, 2020 at 8:49 AM Miller, Keith C <[email protected]> wrote:

Thanks for providing some examples John. It looks like you may have 2 SSIDs, 1 per band. Did the MAC address also change for the "linksys55" SSID?

Reading from the published Apple document that Hector shared:

"To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 include a feature that periodically changes the MAC address your device uses with each Wi-Fi network. This randomized MAC address is your device's private Wi-Fi address for that network—until the next time it joins with a different address"

I really wish they would provide more detail about what "periodically" means and if this occurs at some specific interval depending on activity as some have suggested.

https://support.apple.com/en-us/HT211227

Regards,
Keith

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of John Turner <[email protected]>
Date: Tuesday, July 21, 2020 at 6:23 PM

I'm working on testing this now. So far it appears that the "Private Address" option is enabled by default for any of the "My Networks" and initially is set to the hardware MAC address. New connections receive a new private MAC. Toggling the WiFi does not change them. I will update tomorrow on if it changes.

Here are 2 screenshots from my home network (the F3:4D was configured prior to upgrade).

--
John Turner - Head of Customer Success
[email protected]
(339) 225-0198
Join the Voyers Slack Community! <image002.jpg>

On Tue, Jul 21, 2020 at 6:15 PM Norman Elton <[email protected]> wrote:

This is all fascinating, I'm looking forward to getting my hands on a public beta. Those "in the know" ... does this impact 1x networks as well as open? It seems that if you're connecting with credentials, there's already a trust relationship in place. And is the feature enabled for networks that were configured before upgrading to iOS 14?

Fun times,

Norman Elton

On Tue, Jul 21, 2020 at 2:55 PM Rios, Hector J <[email protected]> wrote:

I just finished reading the "Apple Beta Software Program Agreement". Interesting information:

"Don't blog, post screen shots, tweet, or publicly post information about the public beta software, and don't discuss the public beta software with or demonstrate it to others who are not in the Apple Beta Software Program."

So, I need everyone to sign up to the beta software program so we can continue this conversation (J/K)

Hector Rios, Wireless Network Architect
The University of Texas at Austin

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Tuesday, July 21, 2020 1:06 PM

Yeah, good catch Chris! I'd be interested in seeing some field data as well. The only info I saw was that it changed every 24 hours, but it sounds like there's a * which indicates inactivity / not associated. It makes much more sense that it wouldn't change if the device maintains an active connection, as there are really no privacy concerns until the device disconnects and moves.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Tuesday, July 21, 2020 at 13:15

Tim had mentioned the following: "On iOS 14, the MAC is set per ESSID and is changed once every 24 hours."

Chris then mentioned that he found one iOS 14 device that, as long as it remains connected, the MAC remains the same, even beyond 24hrs.

Has anyone else done testing? Please share your results.

Hector Rios, Wireless Network Architect
The University of Texas at Austin

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Johnson, Christopher
Sent: Monday, July 20, 2020 10:19 AM

Default behavior matters indeed. Got a preview of what to expect over the weekend. Found one individual that was in Aruba Airwave "12 Times" for their iPhone 14.0 over past couple of weeks and another "6 times". It appears that as long as the device remains "connected" to the network beyond the 24 hours, the MAC Address will remain the same. Although if they're fully de-authenticated or move say into an elevator or outside (or a class phone reboot occurs in the pocket), then the MAC Address will update upon establishing a new connection. That is just the initial observation I saw.

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Enfield, Chuck
Sent: Tuesday, July 14, 2020 12:36 PM

True, but default behavior matters.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Rios, Hector J
Sent: Tuesday, July 14, 2020 1:12 PM

Please note that MAC randomization is not just a feature of Android and iOS. It is supported across other operating systems.

Hector Rios, Wireless Network Architect
The University of Texas at Austin

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Jonathan Miller
Sent: Tuesday, July 14, 2020 11:32 AM

For those of us using ClearPass to authenticate users to eduroam, does this mean that every iOS device will get registered as a new endpoint every day? For others, does your NAC store a client's MAC persistently? I'm assuming that the answer to both is yes. How can we plan for the impact of that on our databases? Should we delete all iOS and Android devices after 48 hours? Am I missing something obvious?

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College

On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck <[email protected]> wrote:

PS – My plan for supporting our guest network will be to tell any user who contacts us with an Apple device that the network is fine and they should contact Apple for device support. I can't get away with that for our enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM

My point wasn't to debate Passpoint either. I'm wondering if Apple actually has a plan, and if so, if they've bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM

Passpoint is not just about mobile network operators. Any identity provider can provision a Passpoint profile. That is the whole drive behind OpenRoaming. The industry goal is that every user has at least 2 Passpoint profiles on their devices: one tied to their enterprise/school identity and the other tied to a personal identity. The traditional enterprise/school onboarding process stays largely the same, except some additional Passpoint logic is added. Mobile network operators / cell providers are only one (optional) piece of the puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond it being a solution for network access. Don't want to take away from the OG conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Friday, July 10, 2020 at 16:17

Understood, but few Wi-Fi operators actually support Passpoint on their networks. Since Apple is eliminating the alternatives, they either must be idiots (my bet) or have a proposal for what we should all be doing instead. I still get really confused looks when I try to discuss Passpoint with my contacts at the major cellular providers, so it can't possibly be a realistic option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi roaming. Passpoint has been supported on iOS and macOS (along with Windows and Android) for a number of years.

I definitely don't follow this comment: "you can't onboard your Apple to enable identity-based auth."

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]>
Date: Friday, July 10, 2020 at 16:04

So you can't use an Apple MAC address for guest auth, and you can't onboard your Apple to enable identity-based auth. Apple must be thinking that they can drag the entire world, kicking and screaming, into federated authentication that Apple products ship knowing how to do (Passpoint, openroaming, etc.). Do they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to randomize MAC addresses when connecting to an AP, not just when probing. This is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I just don't know if it will be ON by default.

https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
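Norman Elton's EAP-TLS idea above (de-duping rotating MACs by client certificate serial so that a Monday complaint about a Saturday session still has somewhere to start) and John Turner's "range of local MACs", worked as an added example that is not from any poster on this thread. It assumes a constructed one-record-per-line auth log with mac/ip/cert_serial/user fields (not any real RADIUS server's log syntax) and detects randomized addresses by the locally administered bit of the first octet.

```python
"""Correlate 802.1X/EAP-TLS sessions across randomized MACs by cert serial."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log. The format is an assumption for this example;
# it mimics the "MAC changes every 2 days, new IP each time" pattern from the
# thread for user nelton, while jturner's device keeps its hardware MAC.
SAMPLE_LOG = """\
2020-08-01T09:00:12Z auth-ok mac=da:a1:19:3c:5e:01 ip=10.20.1.15 cert_serial=4F2A9C user=nelton
2020-08-01T09:03:40Z auth-ok mac=3c:22:fb:10:aa:01 ip=10.20.1.16 cert_serial=7B11E0 user=jturner
2020-08-03T09:01:05Z auth-ok mac=62:7f:0e:88:12:99 ip=10.20.1.42 cert_serial=4F2A9C user=nelton
2020-08-05T09:02:51Z auth-ok mac=b6:04:2d:11:c0:de ip=10.20.1.77 cert_serial=4F2A9C user=nelton
2020-08-05T09:10:00Z auth-ok mac=3c:22:fb:10:aa:01 ip=10.20.1.16 cert_serial=7B11E0 user=jturner
2020-08-05T09:11:00Z auth-fail mac=ee:10:00:00:00:01 ip=- cert_serial=- user=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-ok mac=(?P<mac>[0-9A-Fa-f:]{17}) ip=(?P<ip>\S+) "
    r"cert_serial=(?P<serial>\S+) user=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class AuthRecord:
    ts: datetime
    mac: str
    ip: str
    serial: str
    user: str


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set. Randomized
    iOS/Android addresses are generated in this locally administered range,
    so the second hex digit of the first octet is 2, 6, A or E."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_log(text: str) -> list[AuthRecord]:
    """Parse successful auth records; anything else (e.g. auth-fail) is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(AuthRecord(ts, m["mac"].lower(), m["ip"], m["serial"], m["user"]))
    return records


def sessions_by_certificate(records: list[AuthRecord]) -> dict[str, list[AuthRecord]]:
    """Group by client certificate serial: one device, however many MACs it used."""
    groups: dict[str, list[AuthRecord]] = defaultdict(list)
    for r in records:
        groups[r.serial].append(r)
    return dict(groups)


def macs_seen_for_device(records: list[AuthRecord], serial: str) -> list[str]:
    """Distinct MACs one device (by cert serial) presented, in first-seen order."""
    seen: list[str] = []
    for r in sorted(records, key=lambda r: r.ts):
        if r.serial == serial and r.mac not in seen:
            seen.append(r.mac)
    return seen


def device_for(records: list[AuthRecord], mac: str, at_iso: str) -> AuthRecord | None:
    """The abuse-complaint question: which certificate/user held this MAC at
    the given time? Returns the latest successful auth for that MAC at or
    before the timestamp, or None if the MAC had not been seen yet."""
    at = datetime.strptime(at_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    hits = [r for r in records if r.mac == mac.lower() and r.ts <= at]
    return max(hits, key=lambda r: r.ts) if hits else None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for serial, group in sessions_by_certificate(recs).items():
        macs = macs_seen_for_device(recs, serial)
        randomized = [m for m in macs if is_locally_administered(m)]
        print(f"{serial} ({group[0].user}): {len(macs)} MAC(s), {len(randomized)} randomized")
```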
