Wireless Access

Hi,

I have iPhone users in my wireless network running ArubaOS 8.6 where they cannot connect to the SSID when the "Private Address" option is enabled on their phone WiFi settings. When disabled they can join without any issues. Because of this users are complaining that they cannot connect to the network. What exactly does private address provide and how is Aruba mobility controller treating this?. Is there any setting that can be changed in the controller?

Thanks,

------------------------------
Ajin Skariah
------------------------------

Private Address sets a 'random' mac-address on the iPhone. So you would need some typ of mac-filtering on your controller or radius-server that prevents them from joining the network with private address turned on.

------------------------------
Christoffer Starck
------------------------------

Original Message:
Sent: May 30, 2021 01:03 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

Hi,

I have iPhone users in my wireless network running ArubaOS 8.6 where they cannot connect to the SSID when the "Private Address" option is enabled on their phone WiFi settings. When disabled they can join without any issues. Because of this users are complaining that they cannot connect to the network. What exactly does private address provide and how is Aruba mobility controller treating this?. Is there any setting that can be changed in the controller?

Thanks,

------------------------------
Ajin Skariah
------------------------------

I haven't set any filtering now and the users cannot join the network with private address enabled. Where is this setting in the controller?

------------------------------
Ajin Skariah
------------------------------

Original Message:
Sent: May 30, 2021 02:14 PM
From: Christoffer Starck
Subject: iPhone Private Address and Mobility Controller

Private Address sets a 'random' mac-address on the iPhone. So you would need some typ of mac-filtering on your controller or radius-server that prevents them from joining the network with private address turned on.

------------------------------
Christoffer Starck

Original Message:
Sent: May 30, 2021 01:03 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

Hi,

I have iPhone users in my wireless network running ArubaOS 8.6 where they cannot connect to the SSID when the "Private Address" option is enabled on their phone WiFi settings. When disabled they can join without any issues. Because of this users are complaining that they cannot connect to the network. What exactly does private address provide and how is Aruba mobility controller treating this?. Is there any setting that can be changed in the controller?

Thanks,

------------------------------
Ajin Skariah
------------------------------

What type of security do you have on the SSID that the clients are trying to connect to? WPA-Enterprise, PSK, Open ?

------------------------------
Christoffer Starck
------------------------------

Original Message:
Sent: May 30, 2021 02:22 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

I haven't set any filtering now and the users cannot join the network with private address enabled. Where is this setting in the controller?

------------------------------
Ajin Skariah

Original Message:
Sent: May 30, 2021 02:14 PM
From: Christoffer Starck
Subject: iPhone Private Address and Mobility Controller

Private Address sets a 'random' mac-address on the iPhone. So you would need some typ of mac-filtering on your controller or radius-server that prevents them from joining the network with private address turned on.

------------------------------
Christoffer Starck

Original Message:
Sent: May 30, 2021 01:03 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

Hi,

I have iPhone users in my wireless network running ArubaOS 8.6 where they cannot connect to the SSID when the "Private Address" option is enabled on their phone WiFi settings. When disabled they can join without any issues. Because of this users are complaining that they cannot connect to the network. What exactly does private address provide and how is Aruba mobility controller treating this?. Is there any setting that can be changed in the controller?

Thanks,

------------------------------
Ajin Skariah
------------------------------

WPA2 Personal

You should begin with checking out the AAA-profile on the virtual ap profile for that network. You will find the profiles under "Configuration -> System -> Profiles".

------------------------------
Christoffer Starck
------------------------------

Original Message:
Sent: May 30, 2021 02:38 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

WPA2 Personal

By default, there should not be any limitations to support randomized MAC for a WPA2 Personal network, unless you configured something like MAC Filtering, MPSK, or external authentication. Randomized MAC addresses are not so much different from static MAC.

If you don't have such settings, it may be best to work with your Aruba partner or Aruba Support to get investigated what is going on.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: May 30, 2021 02:38 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

WPA2 Personal

Original Message:
Sent: 5/31/2021 9:28:00 AM
From: Herman Robers
Subject: RE: iPhone Private Address and Mobility Controller

By default, there should not be any limitations to support randomized MAC for a WPA2 Personal network, unless you configured something like MAC Filtering, MPSK, or external authentication. Randomized MAC addresses are not so much different from static MAC.

If you don't have such settings, it may be best to work with your Aruba partner or Aruba Support to get investigated what is going on.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: May 30, 2021 02:38 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

WPA2 Personal

Hi,

Running wpa3-enterprise here on an Aruba Instant ( 8.8) , my iphone/mac book air both connect using TLS ( iOS 14.6, macOS 11.4) works just fine


Original Message:
Sent: 6/1/2021 10:46:00 AM
From: demetriorlando
Subject: RE: iPhone Private Address and Mobility Controller

Curious whether WPA2 Enterprise (or WPA3 Enterprise) would by default have any prohibition against the private MAC address feature of these iPhones. (We get a fair number of users saying their iPhones don't automatically maintain a connection to our enterprise .1x SSID, but the Guest SSID seems to reconnect more easily.)

Original Message:
Sent: 5/31/2021 9:28:00 AM
From: Herman Robers
Subject: RE: iPhone Private Address and Mobility Controller

By default, there should not be any limitations to support randomized MAC for a WPA2 Personal network, unless you configured something like MAC Filtering, MPSK, or external authentication. Randomized MAC addresses are not so much different from static MAC.

If you don't have such settings, it may be best to work with your Aruba partner or Aruba Support to get investigated what is going on.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: May 30, 2021 02:38 PM
From: Ajin Skariah
Subject: iPhone Private Address and Mobility Controller

WPA2 Personal

Did you check if the mac addresses of the troubled users have their "random mac address" blacklisted on the controllers? When the iPhone mac randomization feature first came out (forget exactly what version) there were bugs causing the phones to send bad ARP replies that contained invalid mac info, causing controllers to blacklist that mac addresses (and hence cause the iPhones to not be able to connect to any APs). But if you toggled off the random mac (going back to the burnt-in 'real' mac), the phone would connect fine because that mac address wasn't blacklisted.

So spot check a few of the 'random' mac addresses in your blacklist database. If you find some, you will have to clear them, and also make sure those iPhone users update their iOS to the latest versions. If I remember correctly, iOS version 14.2 corrected the bad ARP reply issues (thus resolving the blacklisting issue).