Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

  • 1.  MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Jun 23, 2017 12:00 PM

    We're seeing a small number of users enabling MAC randomization on our network. We have 4 25k VA CPPM servers. We recently added the 4th to accommodate usage.

     

    I'm wondering if MAC randomization will start to use up more ClearPass licenses?

    Also, regardless of the above, will I need to clean up my endpoint database more often being that a user technically could have a different MAC every day if not more?

     

    I haven't looked into it too much at this point. Thought I'd post here while I research.



  • 2.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Jun 23, 2017 12:06 PM
    No, MAC address randomization that is enabled by default on some devices is only used prior to association to the network (during probing). When the client associates and is subsequently authenticated by ClearPass, the real MAC address is presented to the controller and thus ClearPass.

    The one exception to this is Windows 10 can be configured to use a different MAC address per SSID. This is disabled by default and most people don’t even know how to turn it on, so it shouldn’t be an issue for you.


  • 3.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Jun 23, 2017 02:46 PM

    That is partly the case but not all of it. There is a setting to pick a new random MAC every day, and it is used to associate, not just for beaconing. We have some evidence of this. Again, still digging.



  • 4.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Mar 18, 2018 09:49 AM

    Hi, I wonder if anyone can help. I've got this issue where a device is using a different MAC upon association. I have a ClearPass rule that only allows the user to have a maximum of 20 devices, and on the sixth device he gets a role that gives him 512 kbps.

    The issue I am seeing is that because of the MAC randomization upon association, the users are hitting 20 devices within a couple of days even though he has one or two physical devices.

    Is anyone else seeing this as well, and is there any fix yet?

    This started about 6 months ago, and as the OS of devices is progressing I'm seeing more and more of this.

     

    Our use case is 6 x 25k CPPM and over 75000 students so you can see how this would be affecting us.

     

    Dean 

     

    See attached file.



  • 5.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Mar 18, 2018 09:57 AM

    You might have a different issue.  On iOS, MAC randomization should happen only when scanning for networks.  When the device connects, it always uses the same MAC address.  On Windows 10, it will connect with a random MAC address, but it should use the same MAC address for the same network:  http://www.mathyvanhoef.com/2016/03/how-mac-address-randomization-works-on.html

    EDIT:  What I wrote above was already detailed in a post before.

     

    You should see if you can get your hands on the device or speak to the user to possibly understand what is happening.  That 20 number just means that the user has registered 20 devices with the same username.  It is possible that the user has registered multiple devices for other people or is using a hack to change their MAC address.

     

     



  • 6.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Mar 20, 2018 05:27 AM

    Hi Colin thanks for the reply. 

    The issue is it's the same device; it's not a person registering his friends' devices with his username.

     

    What is happening on an endpoint level is that every day the device connects it uses a different MAC address.

     

    Even if it was a guy connecting his friends' devices with his username, what are the chances all his friends have the exact same device and the same first two octets in the MAC address starting with "ce:b0"? Also, why would all his friends' devices be "unknown" with no fingerprint?

     

    Seems strange to me and this is seen more and more everyday.

     

    Any idea?

     

    Thanks again for the help.

     

     



  • 7.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Mar 20, 2018 05:42 AM
    A device should only use excess licenses if it is actually used for authentication. If that is the case, in my opinion you have every right to contact him and make him bring his device in. Hopefully you have a policy that prohibits that type of behavior that you can stand behind.

    What type of authentication is being used on your network? If it is Captive Portal, he could also be spoofing his browser agent, if you are not using DHCP fingerprinting on ClearPass.


  • 8.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Mar 20, 2018 05:57 AM

    Hi Colin. 

     

    Thanks for the reply. 

     

    It's using EAP-PEAP auth. I'm not worried about the license utilization; my big concern is that with these devices behaving like this we cannot implement device count limitations, as one device shows up as many devices.

     

    We do have policies and can get the device, but that's not the issue here. The issue is the device is behaving in a way that it's using different MAC addresses upon authentication, which breaks many things in ClearPass as you would know, and it's happening on more and more devices as time goes on.

     

    Any suggestions?

     



  • 9.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Mar 20, 2018 06:09 AM

    If it "breaks many things" in your system, put a stop to it and disable the account. Students will play endless games of cat and mouse and unless you put a stop to it, you are going to consume endless time working on this. I am sure other people have much better (rational) advice and I hope they can chime in with something much better.


  • 10.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Mar 20, 2018 06:13 AM

    Thanks Colin. 

     

    It's not that easy to just stop it when it's not the student's fault or the student trying to play games; it's a technology issue on the student device that he is not aware of.

     

    Let's hope someone chimes in and sees if there is a possible fix for this on ClearPass by adjusting a query or doing an extra endpoint tag or check, etc.

     

    Thanks for the help.



  • 11.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Sep 03, 2019 10:40 PM
    Is there an updated article or paper on this? I started looking for resources since the release of Android 10. It is my understanding that it is no longer true that the device will only beacon with a randomized MAC. Now, it will also associate with a randomized MAC by default.


  • 12.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Sep 04, 2019 01:15 AM

    There should be very little impact to the CPPM endpoint database with Android 10. There is a MAC per ESSID.

     

    There is no impact to licensing.



  • 13.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Sep 04, 2019 08:58 AM

    Thanks, Tim. 

     

    One issue I foresee is troubleshooting. You can't ask the end-user what their MAC address is to dial in on a specific device.

     

    I'm yet to see Android 10, so I don't want to get ahead of myself. For instance: Is there a menu that shows the unique MAC for a particular SSID on the device? 



  • 14.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Sep 04, 2019 09:03 AM

    The MAC for the SSID is displayed under the network details in the same place the persistent MAC was displayed before.



  • 15.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 12:57 PM

    Hi guys,

     

    I know this is a very old thread, but now with the new approach for MAC randomization that Apple is doing with the new iOS 14 version, I'm wondering how this would affect ClearPass. About licensing, about 802.1X authentication with no client certs, etc.

    I'd like to hear any thoughts from you.

     

    Best regards,



  • 16.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 01:48 PM

    Clearpass licensing is based on AAA RADIUS Start-Stop. So when the session ends, the license is free. The MAC will not randomize in the middle of the session. 

     

    The guest flows (MAC-Cache) will break depending on how the client device implements the randomization. The answer there is hopefully the device will support the captive portal API RFC, or we start moving away from CPs in favor of Enhanced Open networks.

     

    .1X networks should be using a strong identity for access. A certificate is preferred. 



  • 17.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 02:20 PM

    Do you have documentation supporting the claim that licensing is based on RADIUS start/stop? Last I knew, which is when I posted this question, it was based on MAC address usage over a 7-day period. When we upgraded from 6.6 to 6.7 our licensing went way down. That was because they changed the equation from a 7-day average to something else (can't remember now).



  • 18.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?
    Best Answer

    Posted Aug 10, 2020 02:24 PM

    The licensing changed in 6.7 to Account Start-Stop. If you do not enable Accounting on the controller or VC, the license is consumed for 24 hours per device.

     

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.7.1/Content/WhatsNew/NewFeatures_Licensing.htm

     

     



  • 19.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 02:33 PM

    In the documentation you linked, it says license count is computed based on active sessions. RADIUS start/stop seems logical, even though it doesn't explicitly say that.



  • 20.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Aug 10, 2020 02:50 PM

    Active session is defined as the duration between RADIUS accounting Start and Stop. See application license consumption: https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/License-types.htm


    ClearPass licensing computation is solely based on number of endpoints that successfully connect to the network over a period of time: https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/Applications_licenses_managing.htm%3FTocPath%3DAdministration%7CServer%2520Manager%7CLicense%2520Management%7C_____5



  • 21.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 03:46 PM

    Hi guys,

    Thanks to all on clarifying this. I know this thread was about the licensing and MAC randomization, but if I may, I'd like to ask about 802.1X auth.

    What would happen if a MAC address changes the next day? Would it be required to re-authenticate each time a MAC address changes on an 802.1X network?

     

    Regards,



  • 22.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 03:49 PM

    Yes. That is normal operation. In 802.1X, CPPM is relying on a secure identity provided by the device/user. 



  • 23.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 04:54 PM

    While some say no impact because people should be using 802.1X for the devices that will use MAC randomization, I remember that multiple ClearPass integrations (MDM the most relevant, but others as well) rely on the MAC address to work.

    All those will break with MAC randomization.



  • 24.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Aug 10, 2020 05:28 PM

    As of the latest iOS beta, MAC randomization is off by default.



  • 25.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 05:57 PM

    If that setting stays OFF for the final version on release, that would be great news, otherwise I'll sense a disturbance in the Force.



  • 26.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 10, 2020 06:05 PM

    It is on by default in Android 10. It randomizes per SSID. So guest workflows will be just fine. (MAC-Cache) However, it looks like they're going to randomize it per-association in upcoming releases.

    FYI: You can assign a role to randomized MAC addresses if it would benefit you in reporting and policy enforcement using the below mapping rule.

    (Connection:Client-Mac-Address-Colon  MATCHES_REGEX  ^.[26aeAE])


  • 27.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    EMPLOYEE
    Posted Aug 11, 2020 03:34 AM

    Hi,

     

    If you want, there is a very nice article on Linkedin covering this..

    In short, Apple was planning to roll out MAC randomization per SSID every 24 hours! This would have caused a lot of issues for network operators and Wi-Fi analytics vendors, and definitely impacted many services that rely on the MAC address. As for the 802.1X part, it will not be impacted, as the authentication is based on username/certificate and not on the MAC address. The total number of endpoints might change, but the concurrent devices will still be the same.

     

    Now, Apple changed its decision and it will remove the 24-hour update. So the MAC address randomization will be per SSID only. This is very nicely described here:

    https://www.linkedin.com/pulse/apple-mac-randomisation-beta-4-24-hour-update-chris-spencer

     

    If interested, you can also check this link which had links to the original changes planned by Apple. https://whyfiplusplus.com/2020/07/28/two-new-changes-that-will-reshape-guest-wi-fi/



  • 28.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Aug 11, 2020 12:23 PM

    Hey Ayman, great article, thanks for sharing. This is good news.

     

    Regards,



  • 29.  RE: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

    Posted Nov 11, 2020 08:19 AM
    FYI, Aruba MAC Randomization doc has been released- TD_Mac-Address-Randomization.pdf: https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf
    Contains info on license implications (none) if worried about that.
