Wireless Access

 View Only
last person joined: 13 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

iOS 14.1 private address / mac spoofing

This thread has been viewed 30 times

  • 1.  iOS 14.1 private address / mac spoofing

    Posted Oct 22, 2020 09:35 AM

    With iOS 14.1, 'private address' is enabled for all SSIDs by default, creating spoofed mac addresses.

     

    As we leverage MAC authentication, as well as poll our MDM for device attributes, which are stored in the clearpass database via MAC address, users are hving difficulty connecting.

     

    MDMs dont have the ability to disable the private address setting.

     

    This combination is putting us in a bit of a pickle.

    How is everyone handling this change? does clearpass have a solution for it?

     

     



  • 2.  RE: iOS 14.1 private address / mac spoofing

    Posted Oct 22, 2020 11:01 AM

    We are trying a custom XML payload to push to the iphones to disable the private address setting. 

    A new key is usable, that should disable it on a specified SSID.

    <key>DisableAssociationMACRandomization</key>

     

     



  • 3.  RE: iOS 14.1 private address / mac spoofing

    Posted Oct 23, 2020 04:19 AM

    Our MDM system will receive and update that fix this. Then we can controll this setting.

     

    The best solution would be to use certificates for authentication instead of MAC.



  • 4.  RE: iOS 14.1 private address / mac spoofing

    MVP EXPERT
    Posted Oct 23, 2020 05:06 AM

    I did some testing with mac randomization, and my conclusion is thats not so hard as it likes.

     

    • When a apple device is updated to iOS14, the allready exsist wlan profile keeps the static mac-address.
    • When updated to iOS14, and remove your wlan profile and add it again, i will create a random mac-address for that wlan profile.
    • When remove a wlan profile and add the same SSID again, it will get the same random mac-address for that wlan profile.
    • Each SSID have is one wlan profile and random mac-address
    • A random mac-address is not changed every 24 hours as apple told in his documentation.

    So the opportunity that a client device get a new mac-address is only once what happend when he remove his wlan profile that had a static ip from before upgrading.

     

    Feel free to disbale mac-address randomization of course ;). And better use 802.1x if you can.

     



  • 5.  RE: iOS 14.1 private address / mac spoofing

    Posted Oct 23, 2020 07:40 AM

    Airwatch has announced that there is a patch tonight that will be adding in the option to disable the random MAC per SSID.

     

    The hard part of Random MAC is that we have custom attributes set in airwatch that we were leveraging in clearpass. Because these attributes were bound to the MAC address on airwatch, and not the random MAC from the iphone, we weren't able to utilize them.

     

    out of 20 test users we checked, every user that updated to 14.1 had the Private Address setting automatically enabled on every SSID.

     

    We are using 802.1x with TLS, and leveraging additional attributes from our MDM.

     

     



  • 6.  RE: iOS 14.1 private address / mac spoofing

    Posted Dec 04, 2020 06:37 AM
    When using TLS and MDM it's not so hard to get around this. The original mac-address is a part of the certificate so I use that when doing mdm lookups instead of the connection:username. Try it out yourself ;)

    ------------------------------
    John Solberg
    ------------------------------

    Original Message