We're seeing a small number of users enabling MAC randomization on our network. We have four 25k VA CPPM servers. We recently added the 4th to accommodate usage.
I'm wondering if MAC randomization will start to use up more clearpass licenses?
Also, regardless of the above, will I need to clean up my endpoint database more often being that a user technically could have a different MAC every day if not more?
I haven't looked into it too much at this point. Thought I'd post here while I research.
That is partly the case but not all of it. There is a setting to pick a new random MAC every day and it is used to associate, not just for beaconing. We have some evidence of this. Again, still digging.
Hi, I wonder if anyone can help. I've got this issue where a device is using a different MAC upon association. I have a ClearPass rule that only allows for the user to have a maximum of 20 devices, and on the sixth device he gets a role that gives him 512kbps.
The issue I am seeing is that because of the MAC randomization upon association the users are hitting 20 devices within a couple of days even though they have one or two physical devices.
Is anyone else seeing this, and is there any fix yet?
This started about 6 months ago and as the OS of devices is progressing I'm seeing more and more of this.
Our use case is 6 x 25k CPPM and over 75000 students so you can see how this would be affecting us.
See attached file.
You might have a different issue. On iOS, MAC randomization should happen only when scanning for networks. When the device connects, it always uses the same MAC address. On Windows 10, it will connect with a random MAC address, but it should use the same MAC address for the same network: http://www.mathyvanhoef.com/2016/03/how-mac-address-randomization-works-on.html
EDIT: What I wrote above was already detailed in a post before.
You should see if you can get your hands on the device or speak to the user to possibly understand what is happening. That 20 number just means that the user has registered 20 devices with the same username. It is possible that the user has registered multiple devices for other people or is using a hack to change their MAC address.
Hi Colin thanks for the reply.
The issue is it's the same device; it's not a person registering his friends' devices with his username.
What is happening on an endpoint level is that every day the device connects it uses a different MAC address.
Even if it was a guy connecting his friends' devices with his username, what are the chances all his friends have the exact same device and the same first two octets in the MAC address starting with "ce:b0"? Also, why would all his friends' devices be "unknown" with no fingerprint?
Seems strange to me and this is seen more and more everyday.
Thanks again for the help.
Thanks for the reply.
It's using EAP-PEAP auth. I'm not worried about the license utilization; my big concern is that with these devices behaving like this we cannot implement device count limitations, as one device shows up as many devices.
We do have policies and can get the device, but that's not the issue here. The issue is the device is behaving in a way that it's using different MAC addresses upon authentication, which breaks many things in ClearPass as you would know, and it's happening on more and more devices as time goes on.
It's not that easy to just stop it when it's not the student's fault or the student trying to play games; it's a technology issue on the student device that he is not aware of.
Let's hope someone chimes in and sees if there is a possible fix for this on ClearPass by adjusting a query or doing an extra endpoint tag or check etc.
Thanks for the help.
There should be very little impact to the CPPM endpoint database with Android 10. There is a MAC per ESSID.
There is no impact to licensing.
One issue I foresee is troubleshooting. You can't ask the end-user what their MAC address is to dial in on a specific device.
I'm yet to see Android 10, so I don't want to get ahead of myself. For instance: Is there a menu that shows the unique MAC for a particular SSID on the device?
The MAC for the SSID is displayed under the network details in the same place the persistent MAC was displayed before.
I know this is a very old thread, but now with the new approach for MAC randomization that Apple is doing with the new iOS 14 version, I'm wondering how this would affect ClearPass. About licensing, about 802.1X authentication with no client certs, etc.
I'd like to hear any thoughts from you.
Clearpass licensing is based on AAA RADIUS Start-Stop. So when the session ends, the license is free. The MAC will not randomize in the middle of the session.
The guest flows (MAC-Cache) will break depending on how the client device implements the randomization. The answer there is hopefully the device will support the captive portal API RFC, or we start moving away from CPs in favor of Enhanced Open networks.
.1X networks should be using a strong identity for access. A certificate is preferred.
Do you have documentation supporting the claim that licensing is based on RADIUS start/stop? Last I knew, which is when I posted this question, it was based on MAC address usage over a 7-day period. When we upgraded from 6.6 to 6.7 our licensing went way down. That was because they changed the equation from a 7-day average to something else (can't remember now).
The licensing changed in 6.7 to Account Start-Stop. If you do not enable Accounting on the controller or VC, the license is consumed for 24 hours per device.
In the documentation you linked, it says license count is computed based on active sessions. RADIUS start/stop seems logical, even though it doesn't explicitly say that.
Active session is defined as the duration between RADIUS accounting Start and Stop. See application license consumption: https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/License-types.htm
ClearPass licensing computation is solely based on number of endpoints that successfully connect to the network over a period of time: https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/Applications_licenses_managing.htm%3FTocPath%3DAdministration%7CServer%2520Manager%7CLicense%2520Management%7C_____5
Thanks to all on clarifying this. I know this thread was about the licensing and MAC randomization, but if I may, I'd like to ask about 802.1X auth.
What would happen if a MAC address changes the next day? Would they be required to re-authenticate each time a MAC address changes on an 802.1X network?
Yes. That is normal operation. In 802.1X, CPPM is relying on a secure identity provided by the device/user.
While some say no impact because people should be using 802.1X for the devices that will use MAC randomization, I remember that multiple ClearPass integrations (MDM the most relevant, but others as well) rely on the MAC address to work.
All those will break with MAC randomization.
As of the latest iOS beta, MAC randomization is off by default.
If that setting stays OFF for the final version on release, that would be great news, otherwise I'll sense a disturbance in the Force.
It is on by default in Android 10. It randomizes per SSID, so guest workflows (MAC-Cache) will be just fine. However, it looks like they're going to randomize it per-association in upcoming releases.
FYI: You can assign a role to randomized MAC addresses if it would benefit you in reporting and policy enforcement using the below mapping rule.
(Connection:Client-Mac-Address-Colon MATCHES_REGEX ^.[26aeAE])
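As an added example (not code from this thread or from ClearPass), the following shows what the mapping rule above actually tests, the locally-administered (U/L) bit in the first octet, and how the same check can be used offline to split a user's distinct endpoints into hardware and randomized MACs, which is the device-count problem raised earlier in the thread. The function names and the endpoint records are my own constructed sample.

```python
import re
from collections import defaultdict

# The mapping-rule regex quoted in the thread: the second hex digit of the
# first octet is 2, 6, A or E when the locally-administered bit is set.
CPPM_RANDOM_MAC_REGEX = re.compile(r"^.[26aeAE]")

def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet (the U/L bit) is set.
    Every OS sets this bit on a randomized address. The thread's regex checks
    the same bit but only for unicast (even) first octets; odd first octets are
    multicast and never appear as a client source MAC, so the two agree in practice."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)

def matches_cppm_rule(mac_colon: str) -> bool:
    """Apply the thread's regex as ClearPass would to Connection:Client-Mac-Address-Colon."""
    return CPPM_RANDOM_MAC_REGEX.match(mac_colon) is not None

def devices_per_user(records):
    """Group (username, mac) endpoint records and count, per user, the distinct
    hardware (globally unique) and randomized (locally administered) MACs."""
    seen = defaultdict(set)
    for username, mac in records:
        seen[username].add(normalize_mac(mac))
    summary = {}
    for username, macs in seen.items():
        randomized = {m for m in macs if is_locally_administered(m)}
        summary[username] = {"hardware": len(macs - randomized),
                             "randomized": len(randomized)}
    return summary

# Constructed sample endpoint records (hypothetical, not real data): one user whose
# device re-associates with a new ce:b0:... address each day, one with a fixed MAC.
SAMPLE_RECORDS = [
    ("student1", "ce:b0:11:22:33:44"),
    ("student1", "ce:b0:55:66:77:88"),
    ("student1", "ce:b0:99:aa:bb:cc"),
    ("student1", "3c:22:fb:01:02:03"),
    ("student2", "3C-22-FB-0A-0B-0C"),
    ("student2", "3c22.fb0a.0b0c"),
]
```

Run over a CSV export of the Endpoints table, the summary shows how many of a user's "devices" are really one physical device re-associating under new addresses, which is the count a per-user device limit should ignore.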
If you want, there is a very nice article on LinkedIn covering this.
In short, Apple was planning to roll out MAC randomization per SSID every 24 hours! This would have caused a lot of issues for network operators, Wi-Fi analytics vendors and definitely impacted many services that rely on the MAC address. As for the 802.1X part, it will not be impacted as the authentication is based on username/certificate and not on MAC address. The total number of endpoints might change but the concurrent devices will still be the same.
Now, Apple changed its decision and it will remove the 24-hour update. So the MAC address randomization will be per SSID only. This is very nicely described here
If interested, you can also check this link which had links to the original changes planned by Apple. https://whyfiplusplus.com/2020/07/28/two-new-changes-that-will-reshape-guest-wi-fi/
Hey Ayman, great article, thanks for sharing. This is good news.