How do people deal with Private/Random MAC?

Comments

  • Firewalla

    Do you have another WiFi? Using that and network segmentation will likely be much simpler. This way, you only give out WiFi passwords to your 'guest' WiFi, and can apply any rules

  • matt

    I've considered that, but it doesn't fit my current paradigm, where I have a small number of groups for different guests (e.g. adults vs. children) in addition to groups for each of my immediate family members.  And I already basically get this, in that the "guests" are all just put straight into the quarantine group which I have set to have similar restrictions to my most restrictive group (e.g. for the youngest kid).  

    That worked OK for a while (basically giving me none of the granularity for guests, but that's not the end of the world), but now it is becoming even harder to keep family devices from using private MAC (e.g. I can't figure out how to get my wife's Pixel Watch to *not* use MAC randomization), and my kid's school Chromebooks (which are managed by the school) seem to reset back to randomized MAC every time they get an update (or something).

  • mozarella

    Is it really such a big problem? I have had different access points in the office with different SSIDs. That was a real problem because every device that connected to the same network via different SSIDs had its own private MAC address for each access point (SSID).
    But since we switched everything over to UniFi, there is only one SSID (per VLAN), and so it doesn't matter whether you use the private MAC address or not, because the MAC address (even if it is randomised) is always the same. So I can work well with the devices in the firewall (unfortunately we don't use Firewalla in the office) but also in network management. And the problem with the randomised address is no longer a problem.

    But maybe it really is an idea to think about VLAN if the network becomes too large and therefore unclear.

  • Firewalla

    Using the same SSID will definitely be a better way to tame randomized MACs ... But I don't think there is a guarantee that Apple will stick with the same randomized MAC on the same network; it may randomize again after a period of time.

  • matt

    Certainly they do randomize again.  It isn't clear to me if that is time based (either time since first connected or long enough time since last connected), update (e.g. to OS) based, or other.  But they do randomize again with some frequency.  I have noticed this with both Android and Apple based devices.  

  • mozarella

    My experience is different. Once a device is set to "randomized", it retains this address. Otherwise, many devices in my office would no longer be able to access the WLAN. We have a Fingbox (I hope I'm allowed to mention it) and the automatic blocking of new devices (actually new MAC addresses) is activated. So a device that constantly randomizes the MAC would have to be unlocked every time.

  • mozarella

    I only have the problem in one WLAN that my Apple Watch forgets not to use the randomized address. That's the only incident I've had with randomized addresses.
    This is in a WLAN from an AVM Fritzbox. Ok, WLAN is not this company's strong point.
