topic Re: iOS IP Conflicts in Wireless

iOS IP Conflicts

TimBisel — Thu, 24 Sep 2020 17:55:16 GMT

I have multiple sites sending alerts for IP conflicts recently. It is only iPhones, and only on our wireless. I have SSIDs and a VLAN setup dedicated just to mobile phones, and the MX running as DHCP server for that VLAN. This was not an issue until two or three weeks ago but we are getting two to three alerts for different sites almost every day. Anyone have any idea where to start looking on how to fix this? Is this another iOS bug?

Re: iOS IP Conflicts

kYutobi — Thu, 24 Sep 2020 18:09:57 GMT

Check network settings. iOS made an update that randomizes MAC addresses.

https://community.meraki.com/t5/Wireless-LAN/MAC-Randomization-using-IOS14-and-Android-10-and-above/m-p/98354

Re: iOS IP Conflicts

Brandon Svec — Thu, 24 Sep 2020 18:17:18 GMT

iOS 14 makes randomizes MAC addresses default. You have some options. You can turn that feature off in network settings on the devices, you can disable the annoying alerts from Meraki Dashboard. You can try a shorter DHCP lease time.

There are probably other options too. It is not an Apple bug or specific to Apple though. AFAIK, Android and Windows, etc. do this also, but may not be enabled at default. Since Apple prides itself on their privacy and security posture it makes sense they turned it on at default.

I know I am drifting off topic, but ultimately this is a "good thing" because MAC addresses are way too easy to connect to a person and that means good and bad actors can track you too easily and without your permission so it needs to stop somehow..

Re: iOS IP Conflicts

Asavoy — Thu, 24 Sep 2020 18:20:26 GMT

On Sept 1, Apple released the 13.7 update that pertains to Covid tracing. My guess, since it's only started happening in the last couple weeks and only to iPhones, is the update is intent on trying to keep the same IP address for continuity of tracking. We all know how that goes when it comes to DHCP requests.

ETA- iOS 14 is only a week old, so while the randomized MAC address might be the issue, it wouldn't have started a couple weeks ago.

Re: iOS IP Conflicts

Gryffindor1 — Thu, 24 Sep 2020 18:49:37 GMT

This is from Apple and what is causing this issue.

Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7

To further protect your privacy, your iPhone, iPad, iPod touch, or Apple Watch can use a different MAC address with each Wi-Fi network.

To communicate with a Wi-Fi network, a device must identify itself to the network using a unique network address called a media access control (MAC) address. If the device always uses the same Wi-Fi MAC address across all networks, network operators and other network observers can more easily relate that address to the device's network activity and location over time. This allows a kind of user tracking or profiling, and it applies to all devices on all Wi-Fi networks.

To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.

Re: iOS IP Conflicts

wtesolutions — Thu, 24 Sep 2020 18:55:24 GMT

Thanks - This is a big help. We were wondering why we kept getting conflict alerts all of a sudden.

Re: iOS IP Conflicts

alexapie — Thu, 24 Sep 2020 19:56:43 GMT

Hey everyone, MX Support Specialist chiming in here.

We opened up a case with Apple this morning, because it looks like iOS devices with this feature enabled are doing something a little weird with ARP requests:

If you look at frame 548 in that packet capture screenshot, you can see that it's an ARP response sourced from one MAC address, but saying that the IP in question belongs to a completely different MAC address.

Then, later on, in 964, you see it respond again, but this time it says the IP, correctly, belongs to the same MAC as what's seen in the Ethernet source address.

It's this disparity that's causing these duplicate IP alerts, because MX's rely on ARP mappings to verify that two devices aren't trying to both use the same IP address.

Once we have a better idea on how they plan to address this, I'll be sure to share what updates I can provide here.

Re: iOS IP Conflicts

Brandon Svec — Thu, 24 Sep 2020 20:12:52 GMT

Thanks @alexapie Good to know. Subscribing to and bookmarking this post now..

Not totally off topic, but I read about a change to the way iOS 14 handles DNS today. You might be interested: https://mailman.nanog.org/pipermail/nanog/2020-September/209823.html

Best.

Re: iOS IP Conflicts

JohnD3 — Sun, 27 Sep 2020 17:11:13 GMT

@alexapie I believe this is the way Apple handles Bonjour sleep proxying, but recently it seems to have extended to more devices than just Apple TVs and HomePods that respond to ARPs on behalf of a sleeping client. It seems like if a client wants to go into deep sleep, it picks another awake client to answer on behalf of its IP.

Re: iOS IP Conflicts

TimBisel — Mon, 28 Sep 2020 12:26:29 GMT

Took DHCP leases down to an hour, still getting these stupid alerts. Dont want to disable the alerts, but we currently do not have MDM. So looks like I am going to be losing alerting for this... Fun.

Re: iOS IP Conflicts

Odysseycommunity — Thu, 01 Oct 2020 22:10:32 GMT

I notice Apple released an update in the last day or two. I just installed it and the notes referenced a bug fix that might help the phone get on a wifi network. Anyone know if this fixed our problem?

Re: iOS IP Conflicts

alexapie — Thu, 01 Oct 2020 22:13:21 GMT

Unfortunately, we tested iOS 14.0.1 this morning, and still noticed the same bug; we submitted our findings to Apple today, so hopefully that means we'll have some kind of update to share on this soon.

Re: iOS IP Conflicts

alexapie — Tue, 06 Oct 2020 15:26:33 GMT

Apple's currently investigating our report, and isn't asking for any new data. As before, once I have more to share, I will do so.

Re: iOS IP Conflicts

stefbauer — Wed, 07 Oct 2020 14:51:40 GMT

For those that are using Microsoft Intune to manage devices - and have a configuration profile that is pushing the SSID/Login information from Intune via MDM - there is now an option in the configuration that allows for "Disable MAC address Randomization" - or as was previously suggested, you can ask your users to set that on their devices as suggested by apple: https://support.apple.com/en-us/HT211227

Re: iOS IP Conflicts

J-Edge — Tue, 13 Oct 2020 18:52:26 GMT

Thanks for following up @alexapie! Replying to this thread so that I can follow it and add my voice to the choir - this has been an issue for us as well. Hopeful for a resolution!

Re: iOS IP Conflicts

Daltross — Wed, 14 Oct 2020 20:26:13 GMT

Please be aware that the ability to disable MAC randomization via MDM profile may also be subject to an Apple side bug.

If the option to disable MAC randomization is selected, the user still has the ability to re-enable it within the UI. Meraki has also sent feedback for this issue as well.

This behavior is observable via profiles created directly within Apple Configurator which suggests that this may only be resolved through a future iOS update.

Re: iOS IP Conflicts

ryan@abs-solutions.com — Mon, 19 Oct 2020 19:30:57 GMT

This is creating issues. Some of the suggestions do not really work. If i have a guest network using meraki dhcp i can not disable random mac via MDM. Any way to adjust alerts so we can get ip conflict alerts based on dhcp scopes

Re: iOS IP Conflicts

TimBisel — Mon, 19 Oct 2020 19:33:54 GMT

I dont think there is a way to limit the alerts on a per-scope or VLAN. I think that might end up being the Meraki work around though. Seems like Android is going to do a similar thing.

Re: iOS IP Conflicts

alexapie — Tue, 20 Oct 2020 15:04:39 GMT

Hey everyone,

So we're clear here, you should not need to be implementing any workarounds for this based on what is expected behavior on Apple's (and hopefully Android's) part - we're trying to test a new release from Apple that should hopefully have this resolved.

Re: iOS IP Conflicts

shaun.oliver — Wed, 21 Oct 2020 08:56:25 GMT

I’m seeing this behaviour even when MAC randomisation (Private Address setting on the iOS device) is Disabled.

Hopefully Apple has a fix soon.