Beginner

BYOD broken with ANDROID 10 - Wireless Randomised MAC

I have just upgraded my OnePlus 6 to Android 10. It has broken my EAP-TLS BYOD service because it now automatically uses a randomised MAC when connecting to wireless networks.

My ISE authorisation policy includes the condition "MAC_in_SAN" which my device now fails on. Remove the condition and it works.

Now you can actually configure it to "Use device MAC", but the default is "Use randomised MAC (default)". To add insult to injury, the upgrade has also changed my device's wireless MAC address, which also breaks the "MAC_in_SAN" policy condition.

Do Cisco have any guidance on this?
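The condition named in the question, MAC_in_SAN, compares the MAC address carried in the RADIUS Calling-Station-Id with a MAC address embedded in the client certificate's Subject Alternative Name. The following Python is an added example, not code from the page or from Cisco ISE: it models that comparison and adds the one check that explains this thread's symptom. Randomised Wi-Fi MAC addresses are generated as locally administered addresses (bit 0x02 of the first octet set), so a mismatch where the presented MAC has that bit set points to randomisation on the client, while a mismatch with a universally administered MAC points to a device whose hardware MAC differs from the one enrolled, which is the second problem the question describes. The SAN entries and request rows are constructed, and the function names are this example's own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample data (not from the page): SAN entries as ISE would extract
# them from one BYOD client certificate, and Calling-Station-Id values from three
# RADIUS requests made by phones presenting that certificate.
SAMPLE_SAN: List[str] = ["user1@example.com", "94-65-2D-11-22-33"]
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("req-1", "94-65-2D-11-22-33"),  # device MAC, as enrolled
    ("req-2", "DA-A1-19-44-55-66"),  # locally administered: a randomised MAC
    ("req-3", "94-65-2D-99-88-77"),  # universally administered, but different hardware
]

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(value: str) -> Optional[str]:
    """Reduce any common MAC notation (aa:bb:..., AA-BB-..., aabb.ccdd.eeff) to
    12 lowercase hex digits; return None for strings that are not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if _MAC_HEX.match(digits) else None


def is_locally_administered(mac_hex: str) -> bool:
    """IEEE 802 U/L bit: bit 1 of the first octet. Randomised Wi-Fi MACs are
    generated as locally administered addresses, so a set bit is a strong hint
    that the client is randomising rather than using its burned-in MAC."""
    return bool(int(mac_hex[:2], 16) & 0x02)


def mac_in_san(calling_station_id: str, san_entries: Iterable[str]) -> bool:
    """Model of the MAC_in_SAN condition: the RADIUS MAC must equal a
    MAC-shaped SAN entry of the presented certificate."""
    presented = normalise_mac(calling_station_id)
    if presented is None:
        return False
    return any(normalise_mac(entry) == presented for entry in san_entries)


def diagnose(calling_station_id: str, san_entries: Iterable[str]) -> str:
    """Classify one authentication attempt so the help desk knows which fix applies."""
    san = list(san_entries)
    presented = normalise_mac(calling_station_id)
    if presented is None:
        return "invalid-calling-station-id"
    if mac_in_san(calling_station_id, san):
        return "match"
    if is_locally_administered(presented):
        # The client sent a locally administered (randomised) MAC: the per-SSID
        # privacy setting on the phone is the problem; the certificate may still be fine.
        return "mismatch-randomised-mac"
    # A universally administered MAC that is not in the certificate: the device's
    # hardware MAC differs from what was enrolled, so it has to re-on-board.
    return "mismatch-hardware-mac"


def triage(requests: Iterable[Tuple[str, str]],
           san_entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Diagnose a batch of (request id, Calling-Station-Id) pairs against one certificate's SAN."""
    san = list(san_entries)
    return [(req_id, diagnose(csid, san)) for req_id, csid in requests]


if __name__ == "__main__":
    for req_id, verdict in triage(SAMPLE_REQUESTS, SAMPLE_SAN):
        print(f"{req_id}: {verdict}")
```

Given the Calling-Station-Id and the SAN entries from the presented certificate for each failed attempt, this separates phones that only need the per-SSID "Use device MAC" setting changed from phones whose hardware MAC no longer matches the certificate and therefore need to re-on-board.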

Accepted Solution

Beginner

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

First, disabling the ISE policy authorisation condition MAC_in_SAN is not an option. This is part of the security and the only way to check the identity of the client device.

I have a fix for a Dual SSID BYOD solution, it's not pretty but it does work on my OnePlus Android. Here is a summary of the process.

Devices that currently use a BYOD service.

Devices that currently use a BYOD service (with certificates) but have or want to upgrade to Android 10 will have to re-on-board.

The following menu options may be different on different Android devices but the principle is the same.

Before you re-on-board

  1. Forget both the Open and 802.1X SSID networks on your Android device.
  2. Remove the network user credentials.
  3. On the phone: Settings -> Security -> Advanced -> Encryption -> Clear Credentials.

It is recommended to restart the device.

To on-board with Android 10

  1. Connect to the 802.1X SSID. It will fail to connect but should then show as a Saved network, which should allow you to change its configuration. Configure it to “Use device MAC” (probably under the Advanced -> Privacy option).
  2. Connect to the Open SSID and configure it to “Use device MAC”.
  3. Now disconnect, then re-connect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting and disconnecting to another SSID) and proceed with the on-boarding process.
  4. Manually configure the 802.1X SSID with EAP Method (TLS), Certificates (CA and User) and Identity (AD username).

Hope this helps others.

3 Replies

Cisco Employee

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

That is correct. With Android 10, the BYOD-registered and MAC-in-SAN conditions will not work. What you have is what we recommend: https://community.cisco.com/t5/security-documents/ise-byod-endpoint-notes/ta-p/3857246#toc-hId--1243681234

Contributor

Re: BYOD broken with ANDROID 10 - Wireless Randomised MAC

The randomized MAC should be a setting in the wireless/advanced. Can't you just turn it off?