
Context: I (among other things) manage some servers for my students' club, so I have first-hand information about anything network- or server-related that happens. We basically run a big enterprise network and we allow devices to connect if a person has paid their membership and the device's MAC address (be it wireless or Ethernet) is recognized by our switches/Aruba controllers.

Story: So today a first complaint about "the wifi not working" came in because of Android 10 and its MAC randomization. We deal with MAC randomization on Windows laptops and PCs but I think it is disabled by default so we almost never get this type of complaint.
It took one of the other guys probably 5 minutes to figure out how to disable it... only to discover it is a per-network setting.

The actual question: If there are any network administrators here on devRant - how do you deal with this MAC filtering vs MAC randomization issue?
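One thing a network admin in this situation can check from the controller's or switch's client table: a randomized MAC (Android 10's per-network randomization, and the Windows feature mentioned above) is always a locally administered address, i.e. bit 0x02 of the first octet is set, whereas a burned-in address from a real NIC vendor has that bit clear. The script below is an added example, not code from the original post; the client list, hostnames and whitelist are constructed for the demo, and the column layout is an assumption, not a real Aruba export format.

```python
import re

# Constructed sample client table (MAC, hostname) as a controller or switch
# might export it. Addresses and names are made up for this example.
SAMPLE_CLIENTS = """\
3c:5a:b4:12:34:56 alice-laptop
da:a1:19:28:c3:7e android-abc123
b8:27:eb:aa:bb:cc pi-room-204
02:00:5e:10:00:01 unknown-phone
00:1a:2b:3c:4d:5e unknown-pc
"""

# Constructed whitelist of MACs registered by paid members.
WHITELIST = {
    "3c:5a:b4:12:34:56",
    "b8:27:eb:aa:bb:cc",
}


def normalize_mac(mac: str) -> str:
    """Return the MAC in lower-case, colon-separated form.

    Whitelists fail silently when one side stores 'AA-BB-..' and the other
    'aa:bb:..', so always compare a canonical form.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set.

    Randomized MACs (Android 10, Windows) set this bit; vendor-assigned
    addresses clear it. Note that VM NICs and deliberately spoofed
    addresses usually set it too, so this flags 'not a burned-in address',
    not specifically 'randomized by the OS'.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """True if the I/G bit (0x01 of the first octet) is set; never a valid client source MAC."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x01)


def classify_clients(table: str, whitelist: set[str]) -> list[tuple[str, str, str]]:
    """Classify each client row as 'allowed', 'randomized' or 'unknown'.

    'randomized' means the address is locally administered and not on the
    whitelist, which is the signature of the Android 10 complaints in the
    post; 'unknown' is a vendor-assigned MAC that simply was never registered.
    """
    allowed = {normalize_mac(m) for m in whitelist}
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        raw_mac, name = line.split(maxsplit=1)
        mac = normalize_mac(raw_mac)
        if is_multicast(mac):
            raise ValueError(f"multicast address as client MAC: {mac}")
        if mac in allowed:
            status = "allowed"
        elif is_locally_administered(mac):
            status = "randomized"
        else:
            status = "unknown"
        rows.append((mac, name, status))
    return rows


if __name__ == "__main__":
    for mac, name, status in classify_clients(SAMPLE_CLIENTS, WHITELIST):
        print(f"{mac}  {name:<16} {status}")
```

Running this over a real client export separates the "my phone randomized its MAC" tickets from genuinely unregistered devices before anyone touches the whitelist. It does not solve the underlying problem the thread is about: a locally administered address is exactly what a user spoofing their MAC would present as well, so the check is a triage aid, not an authentication control.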

Comments
  • 10
    In my experience MAC address filtering is flawed for this reason and because plenty of open source networking software exists to spoof MAC addresses. If you only want approved devices to connect, rely on WPA2 enterprise and make sure your LDAP solution is relatively secure.

    If you really want that “just members only” feel you could also look into certificate based access which would absolutely work but requires users to accept certificates on their device.
  • 0
    @Diactoros our network IS using WPA2-Enterprise and a RADIUS server with certificates; we just don't want people giving their credentials to others. That's why we are using "MAC filtering" (on switches it is more like MAC whitelisting, because we only want people to connect via Ethernet in their rooms).
  • 0
    @Diactoros I thought my mentioning "enterprise network" kinda implied we are using WPA2-Enterprise and RADIUS.
  • 0
    I’ve been surprised by some of the “enterprise” networks I’ve seen so I try not to assume. Sounds like a good setup then. If you don’t trust your users I’m not sure there’s a good solution for what you’re trying to do with MAC address filtering. In untrusted environments I’ve always had the luxury of wired only connections so you can have switches turn off the connection when the MAC changes on the other end. I don’t know how to replicate that with WiFi.
  • 0
    @Diactoros we got that solved, the controller will not connect the device... what I am trying to figure out is how to deal with this MAC randomization (is there anything else we could use to uniquely identify a device?)
  • 0
    Not that I know of built into TCP/IP. That’s a really interesting problem though. If it’s that important for your environment to deny individual mobile devices, even with proper credentials, perhaps there is an MDM solution you could enroll your users mobile devices in that does this for you on layer 7?