Security

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

That makes sense.  I see a couple of options here:

• Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
• Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
• Make your guest network subnet larger to encompass employee devices.

Original Message:
Sent: Aug 03, 2022 07:46 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

I'm curious about your response in blocking all random MAC OUI's.
Is there a paper/process from Aruba on how to implement this?

Original Message:
Sent: Aug 03, 2022 08:05 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

That makes sense.  I see a couple of options here:

• Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
• Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
• Make your guest network subnet larger to encompass employee devices.

Original Message:
Sent: Aug 03, 2022 07:46 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

Essentially there a couple of digits within a MAC address that identify it as being randomized.  If any MAC address meets this condition, you can take enforcement profile you wish, deny access, captive portal, etc.

https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf
Original Message:
Sent: Aug 04, 2022 04:48 PM
From: Shieva Eccles
Subject: ClearPass free hour access to Wireless

I'm curious about your response in blocking all random MAC OUI's.
Is there a paper/process from Aruba on how to implement this?

Original Message:
Sent: Aug 03, 2022 08:05 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

That makes sense.  I see a couple of options here:

• Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
• Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
• Make your guest network subnet larger to encompass employee devices.

Original Message:
Sent: Aug 03, 2022 07:46 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

The technical details:

The second character in a MAC address, if it is a 2, 6, A, or E is what identifies it as a randomized MAC address.

• x2:xx:xx:xx:xx:xx
• x6:xx:xx:xx:xx:xx
• xA:xx:xx:xx:xx:xx
• xE:xx:xx:xx:xx:xx

You indicate there is a possibility of using a rule in ClearPass to identify these addresses and send them to another splash page.

I'd like to see an example of the ClearPass service that performs this check.

This issue is starting to occur more frequently, and I'm seeing the clients increase the DHCP scope...
Original Message:
Sent: Aug 04, 2022 05:43 PM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Essentially there a couple of digits within a MAC address that identify it as being randomized.  If any MAC address meets this condition, you can take enforcement profile you wish, deny access, captive portal, etc.

https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf
Original Message:
Sent: Aug 04, 2022 04:48 PM
From: Shieva Eccles
Subject: ClearPass free hour access to Wireless

I'm curious about your response in blocking all random MAC OUI's.
Is there a paper/process from Aruba on how to implement this?

Original Message:
Sent: Aug 03, 2022 08:05 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

That makes sense.  I see a couple of options here:

• Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
• Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
• Make your guest network subnet larger to encompass employee devices.

Original Message:
Sent: Aug 03, 2022 07:46 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

Original Message:
Sent: 8/4/2022 7:12:00 PM
From: Shieva
Subject: RE: ClearPass free hour access to Wireless

The technical details:

The second character in a MAC address, if it is a 2, 6, A, or E is what identifies it as a randomized MAC address.

• x2:xx:xx:xx:xx:xx
• x6:xx:xx:xx:xx:xx
• xA:xx:xx:xx:xx:xx
• xE:xx:xx:xx:xx:xx

You indicate there is a possibility of using a rule in ClearPass to identify these addresses and send them to another splash page.

I'd like to see an example of the ClearPass service that performs this check.

This issue is starting to occur more frequently, and I'm seeing the clients increase the DHCP scope...
Original Message:
Sent: Aug 04, 2022 05:43 PM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Essentially there a couple of digits within a MAC address that identify it as being randomized.  If any MAC address meets this condition, you can take enforcement profile you wish, deny access, captive portal, etc.

https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf
Original Message:
Sent: Aug 04, 2022 04:48 PM
From: Shieva Eccles
Subject: ClearPass free hour access to Wireless

I'm curious about your response in blocking all random MAC OUI's.
Is there a paper/process from Aruba on how to implement this?

Original Message:
Sent: Aug 03, 2022 08:05 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

That makes sense.  I see a couple of options here:

• Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
• Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
• Make your guest network subnet larger to encompass employee devices.

Original Message:
Sent: Aug 03, 2022 07:46 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks

Thanks for sharing, very useful, just tested it.




------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Aug 04, 2022 09:08 PM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Here is a fantastic Cisco community page discussing this topic from one of the former ISE TMEs: 

https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-ise/ta-p/4049321

That same regex can easily be used in a ClearPass Role Mapping or enforcement policy as Connection:Client MAC Address Matches_Regex: ^.[26AEae].*

 

Then just take whatever action you want. You could deny that MAC address or redirect them to a captive portal hosted in ClearPass using the Aruba-Captive-Portal-URL VSA.

Original Message:
Sent: 8/4/2022 7:12:00 PM
From: Shieva
Subject: RE: ClearPass free hour access to Wireless

The technical details:

The second character in a MAC address, if it is a 2, 6, A, or E is what identifies it as a randomized MAC address.

• x2:xx:xx:xx:xx:xx
• x6:xx:xx:xx:xx:xx
• xA:xx:xx:xx:xx:xx
• xE:xx:xx:xx:xx:xx

You indicate there is a possibility of using a rule in ClearPass to identify these addresses and send them to another splash page.

I'd like to see an example of the ClearPass service that performs this check.

This issue is starting to occur more frequently, and I'm seeing the clients increase the DHCP scope...
Original Message:
Sent: Aug 04, 2022 05:43 PM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Essentially there a couple of digits within a MAC address that identify it as being randomized.  If any MAC address meets this condition, you can take enforcement profile you wish, deny access, captive portal, etc.

https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf
Original Message:
Sent: Aug 04, 2022 04:48 PM
From: Shieva Eccles
Subject: ClearPass free hour access to Wireless

I'm curious about your response in blocking all random MAC OUI's.
Is there a paper/process from Aruba on how to implement this?

Original Message:
Sent: Aug 03, 2022 08:05 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

That makes sense.  I see a couple of options here:

• Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
• Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
• Make your guest network subnet larger to encompass employee devices.

Original Message:
Sent: Aug 03, 2022 07:46 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

we use the 1 hour because it is a hospital network and we have patients coming for outpatient so we have the free hour, the problem is employees are not allowed to connect but they use the free hour and keep changing mac addresses during working hours and I get the dhcp pool which is 1022 usable ip exhausted all the time.
Original Message:
Sent: Aug 03, 2022 07:38 AM
From: Unknown User
Subject: ClearPass free hour access to Wireless

Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.  

Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?
Original Message:
Sent: Aug 03, 2022 07:06 AM
From: Samir Rafid
Subject: ClearPass free hour access to Wireless

Hi,

recently we installed new Wireless Controller Aruba 7210.

in the previous setup we had option on old WLC MSM760 to enable free access option for 1 hour. the authentication is done by the MAC address of the device connecting and once the time expires on the controller the device will be disconnected.

will getting Clearpass to enable this option again will also work in the same way? which is mac address based countdown per mac address?

I'm asking this question because I wanted to know if there is any solution done on the "randomize mac address" option on smartphones side to stop user from getting extra connection time....

thanks