BYOD broken with ANDROID 10 - Wireless Randomised MAC

Scott Gillies
Level 1

I have just upgraded my OnePlus 6 to Android 10. It has broken my EAP-TLS BYOD service because it now automatically uses a randomised MAC when connecting to wireless networks.

My ISE authorisation policy includes the condition "MAC_in_SAN", which my device now fails. Remove the condition and it works.

Now you can actually configure it to "Use device MAC", but the default is "Use randomised MAC (default)". But to add insult to injury, the upgrade has also changed my device's wireless MAC address, which also breaks the "MAC_in_SAN" policy condition.


Do Cisco have any guidance on this?

Accepted Solution

First, disabling the ISE policy authorisation condition MAC_in_SAN is not an option. This is part of the security and the only way to check the identity of the client device.


I have a fix for a dual-SSID BYOD solution. It's not pretty, but it does work on my OnePlus Android. Here is a summary of the process.

Devices that currently use a BYOD service.

Devices that currently use a BYOD service (with certificates) but have upgraded, or want to upgrade, to Android 10 will have to re-onboard.

The following menu options may be different on different Android devices but the principle is the same.

Before you re-onboard

  1. Forget both the Open and 802.1X SSID networks on your Android device.
  2. Remove the network user credentials.
  3. On the phone: Settings -> Security -> Advanced -> Encryption -> Clear Credentials.

It is recommended to restart the device.

To on-board with Android 10

  1. Connect to the 802.1X SSID. It will fail to connect but should then show as a Saved network, which should allow you to change its configuration. Configure it to “Use device MAC” (probably under Advanced -> Privacy).
  2. Connect to the Open SSID and configure it to “Use device MAC”.
  3. Now disconnect and re-connect to the Open SSID to ensure it now uses the device MAC (perhaps try connecting to and disconnecting from another SSID), then proceed with the on-boarding process.
  4. Manually configure the 802.1X SSID with EAP method (TLS), certificates (CA and user) and identity (AD username).

Hope this helps others.

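The check the accepted solution goes to such lengths to keep is the MAC-in-SAN comparison: the MAC the device actually connected with (sent by the WLC in the RADIUS Calling-Station-ID attribute) must appear in the Subject Alternative Name of the EAP-TLS client certificate ISE issued at onboarding. The following Python is an added example, not part of this thread and not ISE code; it models that decision and additionally tests the locally administered bit that randomised Wi-Fi MACs set, so the reject reason distinguishes "randomised MAC in use" from "device MAC changed since the certificate was issued" (the two failures the original post ran into). The request fields, the SAN string format, the usernames and the sample MAC addresses are constructed assumptions; a real deployment would read the SAN entries out of the parsed certificate.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not ISE code. Models the MAC_in_SAN authorisation condition
# discussed in the thread and explains why a randomised MAC fails it.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_ALLOWED = re.compile(r"^[0-9A-Fa-f:.\-]+$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise the MAC spellings seen in RADIUS Calling-Station-ID and in
    certificate SAN strings (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff)
    to 12 lowercase hex digits. Returns None for anything that is not a MAC,
    e.g. an e-mail style SAN entry."""
    raw = raw.strip()
    if not _ALLOWED.match(raw):
        return None
    digits = re.sub(r"[:.\-]", "", raw).lower()
    return digits if _HEX12.match(digits) else None


def is_locally_administered(mac12: str) -> bool:
    """Randomised (privacy) Wi-Fi MACs, including Android 10's, set the locally
    administered bit (bit 1 of the first octet); burned-in OUI addresses do not."""
    return bool(int(mac12[:2], 16) & 0x02)


@dataclass
class AuthRequest:
    username: str
    calling_station_id: str  # RADIUS attribute 31: the MAC the supplicant used
    # SAN entries of the presented EAP-TLS client certificate (assumed already
    # extracted from the parsed certificate by the RADIUS server).
    cert_sans: List[str] = field(default_factory=list)


def mac_in_san(req: AuthRequest) -> bool:
    """The condition itself: is the connecting MAC one of the MACs in the SAN?"""
    mac = normalize_mac(req.calling_station_id)
    san_macs = {m for m in (normalize_mac(s) for s in req.cert_sans) if m}
    return mac is not None and mac in san_macs


def authorize(req: AuthRequest) -> Tuple[str, str]:
    """Returns (decision, reason); the reason tells the operator whether a
    failure looks like MAC randomisation or a changed/foreign device MAC."""
    mac = normalize_mac(req.calling_station_id)
    if mac is None:
        return "REJECT", "Calling-Station-ID is not a MAC address"
    if mac_in_san(req):
        return "PERMIT", f"MAC {mac} present in certificate SAN"
    if is_locally_administered(mac):
        return "REJECT", f"MAC {mac} is locally administered (randomised MAC?) and not in SAN"
    return "REJECT", f"MAC {mac} not in certificate SAN (device MAC changed, or certificate from another device)"


# Constructed sample requests (not taken from the thread). The SAN list mirrors a
# BYOD certificate carrying the user identity plus the device MAC it was issued to.
SAMPLES = [
    # Onboarded with the device MAC and still using it: passes even though the
    # WLC and the certificate spell the MAC differently.
    AuthRequest("byoduser", "00-11-22-33-44-55", ["byoduser@example.com", "00:11:22:33:44:55"]),
    # Same certificate, but Android 10 now presents a randomised (02:...) MAC.
    AuthRequest("byoduser", "02-1a-2b-3c-4d-5e", ["byoduser@example.com", "00:11:22:33:44:55"]),
    # Certificate issued before the upgrade changed the device's own MAC.
    AuthRequest("byoduser", "00-11-22-33-44-66", ["byoduser@example.com", "00:11:22:33:44:55"]),
]


def run_samples() -> List[Tuple[str, str]]:
    return [authorize(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, (decision, reason) in zip(SAMPLES, run_samples()):
        print(f"{req.username:10} {req.calling_station_id:18} {decision:7} {reason}")
```

Running it prints one PERMIT and two REJECTs; the second reject is the one that is worth surfacing separately in ISE live logs or a SIEM, since a sudden rise in locally administered Calling-Station-IDs from previously onboarded users is the signature of a fleet upgrading to Android 10 rather than of certificates being misused.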

3 Replies

howon
Cisco Employee

That is correct: with Android 10, BYOD-registered devices and the MAC-in-SAN condition will not work. What you have is what we recommend. https://community.cisco.com/t5/security-documents/ise-byod-endpoint-notes/ta-p/3857246#toc-hId--1243681234


The randomized MAC should be a setting in Wireless/Advanced. Can't you just turn it off?
