Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Device with Apple fingerprints but no host mac vendor info

  • 1.  Device with Apple fingerprints but no host mac vendor info

    Posted Nov 12, 2020 10:50 PM
    Hi all

    I am seeing this particular behavior. A device was denied network access because it wasn't profiled correctly. When I checked the endpoint attributes, it has the fingerprints of an Apple iPhone but no Host MAC Vendor details. I did a check of the device MAC and it doesn't appear to belong to Apple.

    I have attached a comparison of a device profiled correctly as an Apple iPhone. Its DHCP Option 55 and Options match exactly the same as the one that isn't profiled correctly.

    Is this something to do with the Apple MAC randomization feature? If yes, is there anything that can be done on CPPM or is it a matter of asking the user to disable that feature?

    Thanks.

    ------------------------------
    Simon Lim
    ------------------------------




  • 2.  RE: Device with Apple fingerprints but no host mac vendor info

    EMPLOYEE
    Posted Nov 13, 2020 10:03 AM
    Looks like your device is doing MAC Address Randomization, which results in the MAC address used not being assigned to Apple. That feature is by default enabled in iOS and iPadOS 14, Android 10. This in fact shows the power of profiling, that it even detects the device without a registered MAC Address.

    Check this Technical Paper on MAC Address Randomization that was recently posted.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: Device with Apple fingerprints but no host mac vendor info

    Posted Nov 15, 2020 06:28 PM
    Hi Herman

    Thanks for the reply. I have checked a few of those devices and the 2nd character of their MAC addresses is one of 2, 6, A or E. As CPPM is unable to profile them correctly without the MAC host vendor being correct, I suppose I have to create a separate condition to assign a role based on fingerprints? Or are there other methods? The customer is using AP-515 with VC.

    Thanks.

    ------------------------------
    Simon Lim
    ------------------------------



  • 4.  RE: Device with Apple fingerprints but no host mac vendor info
    Best Answer

    EMPLOYEE
    Posted Nov 16, 2020 02:55 AM
    Assigning the roles based on fingerprints is in most cases recommended over MAC prefix or vendor name, with MAC randomization even more so, as the MAC can no longer be used for profiling. In ClearPass the MAC in most cases is not used in profiling. In recent versions, some fingerprints have been added that do check the MAC range, like for Amazon Kindle (eBook) and Amazon Echo (Voice Assistant), where the fingerprint is exactly the same. With a randomized MAC for those devices, there is just no way to know which of the two it is, and the device will be classified as one of those.

    ClearPass Device Insight can add traffic information on top of the existing profiling methods like DHCP, SNMP, etc., so then you can more reliably profile devices relying even less on the MAC address.

    Here is a video on how to configure ClearPass role using the ClearPass Profiling data. It is for wired, but it is similarly applicable to wireless.

    ------------------------------
    Herman Robers
    ------------------------------
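
An added example, not part of the original thread and not ClearPass code: the "2nd character is 2, 6, A or E" observation in post 3 is the locally administered bit set on a unicast address, so a blank vendor on such an endpoint is expected and role decisions should rest on the fingerprint, as post 4 recommends. The record fields (`mac`, `fingerprint`, `mac_vendor`) and the sample endpoints are constructed for illustration.

```python
import re

# Constructed sample endpoints; field names are hypothetical, not a ClearPass export format.
SAMPLE_ENDPOINTS = [
    {"mac": "00:11:22:33:44:55", "fingerprint": "Apple iPhone", "mac_vendor": "ExampleVendor"},
    {"mac": "A6-5E-60-12-34-56", "fingerprint": "Apple iPhone", "mac_vendor": ""},
    {"mac": "3a5f.1c22.9b10", "fingerprint": "", "mac_vendor": ""},
]

def normalize_mac(raw):
    """Accept colon, hyphen, dotted or bare notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()

def is_private_mac(raw):
    """True for a locally administered unicast MAC (second hex digit 2, 6, A or E)."""
    first_octet = int(normalize_mac(raw)[:2], 16)
    locally_administered = bool(first_octet & 0x02)  # U/L bit
    multicast = bool(first_octet & 0x01)             # I/G bit
    return locally_administered and not multicast

def triage(endpoints):
    """Return (mac, private, basis) per endpoint; basis names the data usable for a role decision."""
    report = []
    for ep in endpoints:
        private = is_private_mac(ep["mac"])
        basis = []
        if ep["fingerprint"]:
            basis.append("fingerprint")
        # A vendor string is only trusted when the address is globally administered.
        if ep["mac_vendor"] and not private:
            basis.append("vendor")
        report.append((normalize_mac(ep["mac"]), private, "+".join(basis) or "none"))
    return report

if __name__ == "__main__":
    for mac, private, basis in triage(SAMPLE_ENDPOINTS):
        print(f"{mac}  private={private}  basis={basis}")
```
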



  • 5.  RE: Device with Apple fingerprints but no host mac vendor info

    Posted Nov 16, 2020 07:21 PM
    Thanks for the advice, Herman.

    ------------------------------
    Simon Lim
    ------------------------------