New Contributor

MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size?

We're seeing a small number of users enabling MAC randomization on our network. We have 4 25k VA CPPM servers. We recently added the 4th to accommodate usage.

I'm wondering if MAC randomization will start to use up more ClearPass licenses?

Also, regardless of the above, will I need to clean up my endpoint database more often, given that a user technically could have a different MAC every day, if not more?

I haven't looked into it too much at this point. Thought I'd post here while I research.

Guru Elite

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

No, MAC address randomization that is enabled by default on some devices is only used prior to association to the network (during probing). When the client associates and is subsequently authenticated by ClearPass, the real MAC address is presented to the controller and thus ClearPass.

The one exception to this is Windows 10 can be configured to use a different MAC address per SSID. This is disabled by default and most people don’t even know how to turn it on, so it shouldn’t be an issue for you.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

That is partly the case but not all of it. There is a setting to pick a new random MAC every day, and it is used to associate, not just for beaconing. We have some evidence of this. Again, still digging.

Occasional Contributor I

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

Hi, I wonder if anyone can help. I've got this issue where a device is using a different MAC upon association. I have a ClearPass rule that only allows the user to have a maximum of 20 devices, and on the sixth device he gets a role that gives him 512kbps.

The issue I am seeing is that because of the MAC randomization upon association the users are hitting 20 devices within a couple of days even though he has one or two physical devices.

Is anyone else seeing this as well, and is there any fix yet?

This started about 6 months ago, and as the OS of devices is progressing I'm seeing more and more of this.

Our use case is 6 x 25k CPPM and over 75000 students, so you can see how this would be affecting us.

Dean

See attached file.

Guru Elite

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

You might have a different issue. On iOS, MAC randomization should happen only when scanning for networks. When the device connects, it always uses the same MAC address. On Windows 10, it will connect with a random MAC address, but it should use the same MAC address for the same network: http://www.mathyvanhoef.com/2016/03/how-mac-address-randomization-works-on.html

EDIT: What I wrote above was already detailed in a post before.

You should see if you can get your hands on the device or speak to the user to possibly understand what is happening. That 20 number just means that the user has registered 20 devices with the same username. It is possible that the user has registered multiple devices for other people or is using a hack to change their MAC address.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor I

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

Hi Colin, thanks for the reply.

The issue is it's the same device; it's not a person registering his friends' devices with his username.

What is happening on an endpoint level is that every day the device connects it uses a different MAC address.

Even if it was a guy connecting his friends' devices with his username, what are the chances all his friends have the exact same device and the same first two octets in the MAC address starting with "ce:b0"? Also, why would all his friends' devices be "unknown" and no fingerprint?

Seems strange to me and this is seen more and more every day.

Any idea?

Thanks again for the help.


Guru Elite

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

A device should only use excess licenses if it is actually used for authentication. If that is the case, in my opinion you have every right to contact him and make him bring his device in. Hopefully you have a policy that prohibits that type of behavior that you can stand behind.

What type of authentication is being used on your network? If it is Captive Portal, he could also be spoofing his browser agent, if you are not using DHCP fingerprinting on ClearPass.

Occasional Contributor I

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

Hi Colin.

Thanks for the reply.

It's using EAP-PEAP auth. I'm not worried about the license utilization; my big concern is that with these devices behaving like this we cannot implement device count limitations, as one device shows up as many devices.

We do have policies and can get the device, but that's not the issue here. The issue is the device is behaving in a way that it's using different MAC addresses upon authentication, which breaks many things in ClearPass as you would know, and it's happening on more and more devices as time goes on.

Any suggestions?


Guru Elite

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size


If it "breaks many things" in your system, put a stop to it and disable the account. Students will play endless games of cat and mouse and unless you put a stop to it, you are going to consume endless time working on this. I am sure other people have much better (rational) advice and I hope they can chime in with something much better.

Occasional Contributor I

Re: MAC Randomization - Will it use extra ClearPass licenses and/or cause excessive endpoint DB size

Thanks Colin.

It's not that easy to just stop it when it's not the student's fault or the student trying to play games; it's a technology issue on the student's device that he is not aware of.

Let's hope someone chimes in and sees if there is a possible fix for this on ClearPass by adjusting a query or doing an extra endpoint tag or check etc.


Thanks for the help.
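
Added example, not part of any post in this thread and not ClearPass code: the "ce:b0" prefix reported above has the locally administered bit (0x02 of the first octet) set, so a per-user count over an exported endpoint list can separate such addresses from burned-in ones before a device limit is applied. The record layout, usernames and MAC values are constructed, and a set bit only shows the address is not burned in, not why.

```python
import re
from collections import defaultdict

DEVICE_LIMIT = 20  # per-user device limit quoted in the thread

def parse_mac(text):
    """Return the 6 octets of a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_locally_administered(text):
    """True for unicast addresses with the locally administered (U/L) bit set."""
    first = parse_mac(text)[0]
    return bool(first & 0x02) and not first & 0x01

def summarize(records, limit=DEVICE_LIMIT):
    """Count distinct MACs per user, split into global and locally administered."""
    seen = defaultdict(lambda: {"global": set(), "local": set()})
    for user, mac in records:
        kind = "local" if is_locally_administered(mac) else "global"
        seen[user][kind].add(parse_mac(mac))
    report = {}
    for user, macs in seen.items():
        n_global, n_local = len(macs["global"]), len(macs["local"])
        total = n_global + n_local
        report[user] = {
            "global": n_global,
            "local": n_local,
            "over_limit": total > limit,
            # Over the limit only because of locally administered addresses.
            "likely_randomization": total > limit and n_global <= limit,
        }
    return report

# Constructed sample: one user with 2 burned-in MACs plus 19 "ce:b0" MACs,
# and one user with 3 ordinary devices.
SAMPLE = [("student1", "00:11:22:33:44:55"), ("student1", "00-11-22-33-44-66")]
SAMPLE += [("student1", f"ce:b0:00:00:00:{day:02x}") for day in range(19)]
SAMPLE += [("student2", f"00:11:22:aa:bb:{n:02x}") for n in range(3)]

if __name__ == "__main__":
    for user, row in summarize(SAMPLE).items():
        print(user, row)
```
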
