Mobile endpoints utilizing random MAC address is nothing new. But the way it is utilized has changed since it was first introduced. In the beginning, the randomization of MAC was used to probe for known wireless networks by the devices. By randomizing the MAC address used in the probe request frame, devices were able to hide real MAC address thus providing some level of privacy. Fast forward few years, now devices started using random MAC addresses for the association to the wireless networks. This causes issue on the network elements which relies on MAC addresses to uniquely identify the endpoint or the user behind it. The implementations of MAC randomization are different depending on the vendor but here are few examples of the behavior:
Can setup randomization per network profile (SSID)
Randomization is enabled by default out-of-the-box
Once random MAC is used for a given network profile, device will keep using the same random MAC even after user deletes the network profile and recreates the profile
Randomization enabled upon update to iOS 14 from previous versions of iOS for existing SSIDs
Although this document is focused on ISE, it should be noted that the impact doesn’t stop with ISE. As MAC address as a unique identifier is hard-coded into products and solutions throughout Cisco and 3rd party, which includes MDM/EMM, wireless performance monitoring, and device profiling systems. ISE or wireless authentication system is in a unique position in the network to control the use of random MAC address for the rest of the network. The good news is that generation of random MAC follows rules set by IEEE. As noted in the diagram below, locally significant address 2’s bit of first byte is set to one. Any MAC address that has locally significant bit set as one and is also a unicast address can be considered a random MAC address.
So based on the rule, all of the numbers below would qualify as a random MAC address. For a simple rule, any MAC address’ first octet that ends 2,6,A,E would be a random MAC address.
With this, ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*
Now that ISE can detect the random MAC, here are few options to consider:
1. Deny Access
User will not be able to connect to the wireless network
Bad experience as there could be many other reasons that user cannot connect to the network
2. Deny Access + Instructions
User will be able to connect, but will be redirected to a help page instructing user to disable random MAC feature for this network
Best option, if you do not want random MAC to enter the network.
3. Permit Access + Short session timeout
User will be able to connect, but after the device goes to sleep and awakes, user will be asked to login again
4. Permit Access + Short purge cycle
User will be able to connect, but user will be asked to login after X # of days
5. Permit Access + Consent
User will be prompted but can bypass and gain same level of access as unique MAC
6. Permit Access
User will be able to connect and there are no difference between random MAC and unique MAC
Note: Option 3-6 can be augmented with additional permission to restrict bandwidth, ACL, VLAN, etc. if needed.
I'm getting the following error when connecting from my anyconnect for android mobile "Connection attempt has failed due to server communication errors. please retry the connection" While the connection is working from my PC using anyconnect client.
hi, i used ftd in version 188.8.131.52 AND MY FMC SERVER IN 184.108.40.206 i have this message when i add my ftd in my fmc i use this cimmande "configure manager add X.X.X.X pass "getPeersByRole: unable to connect to db at /ngfw/usr/local/sf/lib...
Hi, We are presently having Cisco vISE version 2.3 with 1 ADM & 2 PSN node deployment. As version 2.3 is out of Cisco TAC support, we are planning to do a parallel vISE implementation to stable supported version. Please let me know, latest s...
I am wondering how to create an ACL for this scenario:LAN-A connected to Router-1 on fa0/0 and subnet is 220.127.116.11/24LAN-B connected to Router-1 on fa0/1 and subnet is 18.104.22.168/24 ACL requirement:LAN-A can initiate and continue the conversat...
Question I have a Cisco ISE 2.6 rel. and i need to monitor his cpu, ram and storage trought my NMS Nagios. i configured correctly snmp v3 on cisco ise and from nagios side it can be pinged or snmpwalk to see entire mib. Are there oid that p...