Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass MAC randomisation - Guest MPSK

  • 1.  Clearpass MAC randomisation - Guest MPSK

    Posted Oct 21, 2020 03:23 PM

    Hi All,

     

    Looking to see if anyone knows of a validator in Guest to prevent users registering a randomised MAC address?  If not built in (which I can't see one - only IsValidMacAddress), can we build a validator ourselves or are they all only baked in?

     

    Obviously with MPSK and mac_create we're getting users to register their own devices, but I can see users registering devices with Random MAC addresses then having issues after they forget the network for the first time!

    I can also see this being even more of a problem when using Pre-populating MAC address workflows as it wont even be the correct randomised MAC (as connected to alternative onboarding SSID).

     

    We can highlight/disable it at the service level with regex (^.[26aeAE]), but allowing the user to register it and then getting issues thereafter isn't ideal.

     

    Any advice out there how clearpass is able to deal with this for us at the guest registration?  I'm not really bothered by randomised MAC addresses on any 802.1x network as it doesn't really matter, but on our MPSK its just annoying!

     

    Cheers all in advance!

    (CPPM v6.8.6)



  • 2.  RE: Clearpass MAC randomisation - Guest MPSK

    Posted Oct 23, 2020 06:26 PM

    MPSK is not designed for user-centric devices like tablets, phones and laptops, so there should be no issue.



  • 3.  RE: Clearpass MAC randomisation - Guest MPSK

    Posted 17 days ago
    Agree timms, although it doesn't stop users being users and still doing what they've been told not to do, hence why I was after a technical solution to stop them from registering in the first place.  (I say after seeing another iPhone registered to our MPSK registration, even though they have an 802.1x network to readily use!)

    FYI, there's been an Aruba document created about MAC Randomization (Randomisation): https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf

    ------------------------------
    ------------------------------



  • 4.  RE: Clearpass MAC randomisation - Guest MPSK

    Posted 17 days ago
    You can either layer in profiling rules and reject or captive portal them with a message or just deny access to internal services for devices that are registered via device registration.

    There is no way to stop them from registering upfront.

    ------------------------------
    Tim C
    ------------------------------