How do people deal with Private/Random MAC?
With more and more devices/OS's using private/randomized MAC by default, it is getting harder and harder to keep devices grouped appropriately. I can go in and re-adjust settings for my immediate family's devices, but that isn't really an option for other devices (e.g. friends/extended family). Of course, I have the quarantine/default group relatively restricted, but I'd much rather have things protected/monitored at the appropriate level more consistently.
What are others doing, if anything?
Has anyone tried setting up APs to have different usernames/authentication for different groups of users, and then assigning a VLAN (or something else) based on that? Is that even possible (I would think so, but haven't fully researched/tried it out)?
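One defender-side check for the situation described above, added here as an example and not part of the thread: randomized/private MACs on iOS, Android and Windows set the locally administered (U/L) bit of the first octet, so a lease list can be scanned to see which clients will not stay put in a MAC-based device group. The lease text, hostnames and addresses below are constructed sample data in dnsmasq lease format.

```python
# Classify DHCP lease MACs as randomized (locally administered) or burned-in,
# so you can see which clients a MAC-keyed device group cannot track.
import re

# Constructed sample leases: expiry, MAC, IP, hostname, client-id (dnsmasq layout)
SAMPLE_LEASES = """\
1700000000 3c:22:fb:12:34:56 192.168.1.20 family-laptop 01:3c:22:fb:12:34:56
1700000100 da:a1:19:7b:2c:01 192.168.1.21 Pixel-Watch 01:da:a1:19:7b:2c:01
1700000200 00:1a:11:aa:bb:cc 192.168.1.22 kids-chromebook *
1700000300 7e:55:0c:9d:e2:10 192.168.1.23 * 01:7e:55:0c:9d:e2:10
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 (0x02) of the first octet is set: the U/L bit that
    randomized/private MAC addresses carry, unlike vendor-assigned ones."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def classify_leases(lease_text: str) -> dict:
    """Return {mac: {"ip", "host", "randomized"}} for every lease line."""
    out = {}
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        _, mac, ip, host = fields[:4]
        out[mac.lower()] = {"ip": ip, "host": host,
                            "randomized": is_locally_administered(mac)}
    return out


def randomized_clients(lease_text: str) -> list:
    """Hostnames (IP when the client sent none) of leases on a randomized MAC."""
    return sorted(
        v["host"] if v["host"] != "*" else v["ip"]
        for v in classify_leases(lease_text).values()
        if v["randomized"]
    )


if __name__ == "__main__":
    for mac, info in classify_leases(SAMPLE_LEASES).items():
        kind = "randomized" if info["randomized"] else "burned-in"
        print(f"{mac}  {info['host']:<16} {kind}")
```

Run it against your own lease file (or an exported client list) instead of the sample to get the list of devices that will need re-grouping after their next re-randomization.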
-
I've considered that, but it doesn't fit my current paradigm, where I have a small number of groups for different guests (e.g. adults vs. children) in addition to groups for each of my immediate family members. And I already basically get this, in that the "guests" are all just put straight into the quarantine group which I have set to have similar restrictions to my most restrictive group (e.g. for the youngest kid).
That worked ok for a while (basically giving me none of the granularity for guests, but that's not the end of the world), but now it is becoming even harder to keep family devices from using private MAC (e.g. I can't figure out how to get my wife's Pixel Watch to *not* use MAC randomization), and my kid's school chromebooks (which are managed by the school) seem to reset back to randomized MAC every time they get an update (or something).
-
Is it really such a big problem? I have had different access points in the office with different SSIDs. That was a real problem because every device that connected to the same network via different SSIDs had its own private MAC address for each access point (SSID).
But when we switched everything over to Unifi, there is only one SSID (per VLAN) and so it doesn't matter whether you use the private MAC address or not. Because the MAC address (even if it is randomised) is always the same. So I can work well with the devices in the firewall (unfortunately we don't use firewalla in the office) but also in network management. And the problem with the randomised address is no longer a problem. But maybe it really is an idea to think about VLAN if the network becomes too large and therefore unclear.
-
Certainly they do randomize again. It isn't clear to me if that is time based (either time since first connected or long enough time since last connected), update (e.g. to OS) based, or other. But they do randomize again with some frequency. I have noticed this with both Android and Apple based devices.
-
My experience is different. Once a device is set to "randomized", it retains this address. Otherwise, many devices in my office would no longer be able to access the WLAN. We have a fingbox (I hope I'm allowed to mention it) and the automatic blocking of new devices (actually new MAC addresses) is activated. So a device that constantly randomizes the MAC would have to be unlocked every time.