Wireless Access

 View Only
Expand all | Collapse all

Apple private Wi-Fi address triggering arp spoofing

This thread has been viewed 52 times
  • 1.  Apple private Wi-Fi address triggering arp spoofing

    Posted Oct 01, 2020 10:23 PM

    Has anyone encountered increase in client device mac being blacklisted due to arp spoofing with the release of IOS 14?

     

    I am seeing this increase due to the controller firewall feature "prohibit arp spoofing" being turned on. Looks like this security feature does not work will with IOS 14. Any recommended solution or workaround?



  • 2.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Oct 02, 2020 10:16 AM

    I've seen this on the latest IOS 14 devices....Wrecking havoc with our Clearpass and MAC-auth.  Apparently Apple in all it's wisdom turned on random MAC generation in certain iPhones,  Dunno why.  We've been telling the user to turn it off and then their REAL MAC appears and everything flows normally.  If you have the anti-spoofing enabled, I'm sure that doesn't make them happy either.

     



  • 3.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Oct 02, 2020 10:52 AM

    I haven't seen any ARP Spoofing issues but like the previous poster mention, anything that is refencing a MAC is affected. InTune + CPPM Integrations for example, that being said the V5 extension should assist massively moving forwards.



  • 4.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Oct 02, 2020 06:41 PM

    The new "private address" feature wreaked havoc on us once users started updating to iOS 14. We decided to tell them they had to turn it off (for many reasons). However, iOS 14 was/is still buggy, and we still had some clients being blacklisted for ARP Spoof even if they disabled private address. Updating to iOS 14.0.1 helped a lot with that. (you'll even see in the release notes that 14.0.1 address wifi issues, but they dont get very specific). Still in the middle of troubleshooting all scenarios and issues as they still creep up.

     

    For example - we have three main SSIDs on campus. If youre phone has profiles for each one saved, and depending if private address toggle is on or off, and if those profiles are set for auto-connect, and if/when you time clearing the blacklist entry in between the user toggling things on/off themselves... you can see it can be a nightmare.



  • 5.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Nov 06, 2020 02:39 PM
    We are having this issue with the IOS 14 and 14.1 , its a school environment  , and we have temporarily decided to disable the arp spoofing

    ------------------------------
    Sam DS
    ------------------------------



  • 6.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Nov 06, 2020 03:04 PM
    There's a bug in 14, 14.0.1, and even lingered in 14.1 code that caused ios devices to send bad ARP replies. (In the packet the sender mac down in the arp reply section was a different mac than the actual wifi mac in use). It is supposedly resolved in 14.2, and my initial testing shows this appears to be the case.

    Here you see the mismatch in mac address (this was happening on 14-14.1 code).

    Here running 14.2 code, the arp reply looks correct.



  • 7.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Nov 06, 2020 03:13 PM
    Thank you ! 


    ------------------------------
    Sam DS
    ------------------------------



  • 8.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Nov 06, 2020 03:15 PM
    Of course! :)

    I'd like to confirm on a few more devices, and test iPadOS as well. Once we feel good about testing, and campaign our users to upgrade to 14.2, we will eventually re-enable our arp-spoof-detection on the controllers.




  • 9.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Nov 06, 2020 03:17 PM
    i guess i will go the same route :)

    ------------------------------
    Sam DS
    ------------------------------



  • 10.  RE: Apple private Wi-Fi address triggering arp spoofing

    Posted Nov 06, 2020 03:19 PM
    Edited by samd Nov 06, 2020 03:24 PM
    **

    ------------------------------
    Sam DS
    ------------------------------