How to Manage MAC Address Randomization in Dual SSID BYOD ISE 3.3?

ISENAC1122 — Fri, 19 Apr 2024 08:25:19 GMT

Context: I am currently testing a BYOD setup involving dual SSIDs using Cisco ISE 3.3 for mobile devices. The configuration process begins with an open SSID, followed by a secure SSID connection via TLS once the profile and certificate are retrieved from ISE.

Certificate Configuration: The certificate template includes both the GUID and MAC address, ensuring that the certificate issued by ISE contains these fields.

Issue Encountered: The challenge arises with MAC address randomization. For instance, an iPhone may connect to the open SSID using one MAC address and then switch to a different MAC address when connecting to the secure SSID.

Specific Problem: This becomes problematic when attempting to manage device statuses such as marking a device as stolen or lost in my device management portal. The portal only recognizes the MAC address used for the initial open SSID connection, which complicates the security measures for the subsequent secure SSID connection.

Question: How can I address this issue of MAC address discrepancy in dual SSID configurations, particularly when dealing with security protocols and device management? Is there a way to configure the device or ISE settings to recognize or adapt to MAC address randomization?

I appreciate any insights or suggestions from the community. Thank you!
NOTE: I am not using AD here; instead, I am using LDAP.

Re: How to Manage MAC Address Randomization in Dual SSID BYOD ISE 3.3?

Leo Laohoo — Fri, 19 Apr 2024 08:49:18 GMT

Randomized and Changing MAC Deployment Guide

Random MAC Address - How to deal with it using ISE

topic How to Manage MAC Address Randomization in Dual SSID BYOD ISE 3.3? in Network Access Control

How to Manage MAC Address Randomization in Dual SSID BYOD ISE 3.3?

Re: How to Manage MAC Address Randomization in Dual SSID BYOD ISE 3.3?