Maybe I'm missing something as well under the hood. However, the behavior I describe has been our observation in our testing and troubleshooting. Turning off "Private Address" for devices on our network seems to mitigate the issue for us, and I have not seen the blacklist issue recur after the feature is disabled.

As for the comment about the end users' privacy: the users are welcome to use the feature for other networks. It's either we (my campus) track and attribute their real MAC, or their fake one. Well, we've been seeing their real MAC address already. And the argument about privacy/tracking someone doesn't apply in my opinion, since I'm not tracking their MAC address's whereabouts off campus (where, if they generate a random MAC for those networks, it wouldn't matter anyway).

We also collect statistics on our networks (user counts, high-use rooms, high-use buildings, indoor vs. outdoor, etc.). If every new Apple device started identifying itself to our controllers as a "new device" now, our stats and reporting this year/semester would become highly skewed (without having to do a lot of extra work to "merge" what we believe were the same devices). We also did not want to simply disable ARP-spoof detection on our controllers.

For the above reasons, we opted to have users disable the feature. At least for now. Perhaps we'll change our tactic once more research/testing is done and Aruba & Apple can report more specifically on what's going on under the hood.

Happy first day of fall,

Cody
University of Colorado Colorado Springs

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Jonathan Waldrep
Sent: Tuesday, September 22, 2020 7:24 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

On 2020-09-21 15:59, Cody Ensain wrote:
> Which makes sense to me: pre-upgrade it's the device's real MAC
> address/IP which is known by the controller... post-upgrade the
> "Private Address" toggle is turned on by default, so iOS generates a
> random MAC address for any wireless network profile on the device.
> Now, the phone tries sending traffic with a new MAC/IP combo and of
> course the controller now thinks it's ARP spoofing.

That doesn't make sense to me. The MAC is generated before the device associates. Once it has associated/auth'd, it will do DHCP and get a new address. From the controller's perspective, it just looks like a totally new device, not something spoofing. I could be missing something, though.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
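As an added illustration that is not part of this thread: a small Python triage helper that sorts ARP-spoof alerts by whether the offending new MAC has the IEEE locally administered (U/L) bit set, which randomized addresses such as iOS 14's "Private Address" carry and burned-in vendor MACs normally do not. The alert line format and every address in it are constructed for the example, not real Aruba controller output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of controller-style ARP-spoof alerts. The field layout
# is hypothetical; adapt LINE_RE to the real syslog format on your controller.
SAMPLE_LOG = """\
2020-09-22T07:10:01 arp-spoof ip=10.20.30.41 old_mac=3c:22:fb:aa:bb:cc new_mac=7a:1d:4e:10:20:30
2020-09-22T07:10:05 arp-spoof ip=10.20.30.42 old_mac=00:11:22:33:44:55 new_mac=00:aa:bb:cc:dd:ee
2020-09-22T07:11:09 arp-spoof ip=10.20.30.43 old_mac=3c:22:fb:01:02:03 new_mac=d6:55:66:77:88:99
"""

LINE_RE = re.compile(r"ip=(\S+) old_mac=(\S+) new_mac=(\S+)")


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet (the U/L bit) is set.
    Randomized per-network MACs set it; it is a triage hint only, since a
    deliberate spoofer can set the bit too."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


@dataclass
class Alert:
    ip: str
    old_mac: str
    new_mac: str
    likely_randomized: bool  # new MAC is locally administered


def triage(log: str) -> List[Alert]:
    """Parse alert lines and tag each with the U/L-bit check on the new MAC."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unrelated log lines
        ip, old, new = m.groups()
        alerts.append(Alert(ip, old, new, is_locally_administered(new)))
    return alerts


def summarize(log: str) -> Dict[str, object]:
    """Counts plus the IPs whose new MAC is globally unique; those alerts do
    not fit the private-address pattern and keep full ARP-spoof priority."""
    rows = triage(log)
    return {
        "total": len(rows),
        "likely_randomized": sum(r.likely_randomized for r in rows),
        "keep_priority": [r.ip for r in rows if not r.likely_randomized],
    }
```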
