External MDM and MAC address being off by one character

packetplumber9
Level 1

I've run into a bit of an odd issue that I can't find much information for, so I'm curious if anyone else who leverages external MDM has seen this. It seems the API call to our external MDM is querying for the MAC address the mobile device is using when connecting to wireless, but the response is coming back "Not Registered", which is one of our policy checks. This is weird because it is registered, and we found that the MAC address in MDM for the device is off by the last character. So, for example, the MDM shows the MAC ends in :AA and ISE is querying for this particular device with the same MAC but the ending is :AB.

I'm thinking the devices in question, which are almost all Google Pixels, have these consecutive MAC addresses with one for the 2.4GHz radio and the other for the 5GHz radio. I'm kind of surprised the MDM doesn't seem to know about all MAC addresses on the device. We have a support ticket going with the MDM provider (Microsoft), but I wanted to share in case another ISE admin is involved in troubleshooting a similar issue.

2 Replies

hslai
Cisco Employee

This seems somewhat unusual, to have more than one MAC address for Wi-Fi on the same device. Most mobile devices I've seen have a single Wi-Fi MAC address each, and other MAC addresses for other types of connectivity, such as Bluetooth.

packetplumber9
Level 1

Follow-up, now that I believe we have gotten to the bottom of the issue. On the new Pixel 3 hardware, there are indeed two unique wlan interfaces, and the second one, which has its own MAC, is for Wi-Fi sharing. Apparently in these new models, and the new Android OS, there is the ability to turn on the device's Wi-Fi hotspot while currently connected to Wi-Fi, which is why it would need a separate interface to use them both simultaneously. I guess the scenario would be a paid Wi-Fi environment, or anywhere you may be restricted to one device; the user could then enable Wi-Fi sharing through the hotspot and connect their tablet, for example.

The root cause of the issue is that Intune grabs the hotspot interface's MAC during MDM enrollment instead of the main Wi-Fi interface's. This causes the external MDM query from ISE to fail because the MDM doesn't know of the MAC we're seeing on the network.


I'd imagine this Android wifi-sharing may have some interesting security implications as well for some environments, similar to a Windows PC running ICS and having unauthenticated devices piggybacking off of the authenticated interface.
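The troubleshooting step the thread describes, as an added example that is not part of the original thread and not Cisco ISE or Intune code: normalise the MAC seen on the network and the MAC the MDM enrolled so that formatting differences alone cannot cause a miss, and when there is no exact match, look for an enrolled MAC in the same OUI whose last octets differ by one, which is the "off by one character" pattern of a device whose MDM enrolled a sibling interface. The inventory, device names and MAC addresses below are constructed for the example; `SAMPLE_INVENTORY`, `lookup` and `policy_result` are hypothetical helpers, not an MDM or ISE API.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_HEX_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff) into upper-case, colon-separated form, so that a lookup
    does not fail merely because two systems format the address differently."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not MAC_HEX_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_to_int(mac: str) -> int:
    """Numeric value of the 48-bit address, used to compare neighbouring MACs."""
    return int(normalize_mac(mac).replace(":", ""), 16)


def oui(mac: str) -> str:
    """First three octets (vendor prefix); sibling interfaces share it."""
    return normalize_mac(mac)[:8]


@dataclass
class MdmRecord:
    device: str
    enrolled_mac: str   # the single MAC the MDM captured at enrollment
    compliant: bool


# Constructed sample inventory, standing in for an MDM's device list.
# pixel3-alice was enrolled with ...:AA (the hotspot interface in the thread's
# scenario) while the interface actually joining the WLAN uses ...:AB.
SAMPLE_INVENTORY: List[MdmRecord] = [
    MdmRecord("pixel3-alice", "3C:28:6D:10:20:AA", True),
    MdmRecord("laptop-bob", "00-1a-2b-3c-4d-5e", True),
    MdmRecord("tablet-carol", "3c28.6d10.2100", False),
]


def lookup(seen_mac: str, inventory: List[MdmRecord],
           window: int = 1) -> Tuple[Optional[MdmRecord], str]:
    """Return (record, kind): kind is 'exact' when the MDM knows this MAC,
    'adjacent' when the only candidate is a same-OUI MAC within `window`
    of the seen address (likely a sibling interface), else 'none'."""
    seen = normalize_mac(seen_mac)
    seen_int = mac_to_int(seen)
    for rec in inventory:
        if normalize_mac(rec.enrolled_mac) == seen:
            return rec, "exact"
    for rec in inventory:
        enrolled = normalize_mac(rec.enrolled_mac)
        # Same vendor prefix, and the device-specific part differs by at most
        # `window`; the OUI check stops a wrap such as ...:FF vs next-OUI ...:00.
        if oui(enrolled) == oui(seen) and 0 < abs(mac_to_int(enrolled) - seen_int) <= window:
            return rec, "adjacent"
    return None, "none"


def policy_result(seen_mac: str, inventory: List[MdmRecord]) -> str:
    """Mimic the registration check's verdict and attach a troubleshooting hint.
    An adjacent match is deliberately NOT treated as registered: the policy
    engine only knows the MAC the MDM enrolled, which is the thread's failure."""
    rec, kind = lookup(seen_mac, inventory)
    if kind == "exact":
        return "Registered" if rec.compliant else "Registered (non-compliant)"
    if kind == "adjacent":
        return (f"Not Registered (hint: {rec.device} is enrolled as "
                f"{normalize_mac(rec.enrolled_mac)}, one address away; "
                f"check whether the MDM captured a sibling interface)")
    return "Not Registered"


if __name__ == "__main__":
    for mac in ("3C:28:6D:10:20:AA", "3C:28:6D:10:20:AB", "3C:28:6D:10:20:AC"):
        print(mac, "->", policy_result(mac, SAMPLE_INVENTORY))
```

The adjacent match is a diagnostic hint for the ISE admin, not a reason to grant access: a neighbouring MAC can just as easily belong to a different unit from the same manufacturing batch, so the fix is still to get the MDM enrolling the right interface, not to widen the policy.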