02-21-2024 11:41 PM
Hi
So I ran into some issues with MAB and MAC randomization and wonder if anyone managed to solve this?
Since MAC addresses are randomized, MAB is useless.
We are running MAB now and it works fine because the clients we use do not have this feature, but the additional clients that are introduced have this feature and now I need to figure out a solution and I'm stuck.
Using Freeradius and Meraki, so any advice is appreciated.
Regards
Adrian
02-23-2024 04:26 AM
An ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*
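An added example, not written by anyone in this thread and not Cisco or FreeRADIUS code: the quoted regex tests the second hex digit of the MAC, which is the same as checking that the first octet has the locally administered bit set and the multicast bit clear. The Python below does that check on Calling-Station-Id values in the common delimiter formats; the function names and sample values are constructed for illustration. As noted later in the thread, it identifies a randomized address, not a specific device.

```python
import re

# The regex quoted in the post above: second hex digit is 2, 6, A or E.
POSTED_REGEX = re.compile(r"^.[26AEae].*")

def normalize_mac(calling_station_id):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", calling_station_id).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(calling_station_id):
    """True when the first octet has the U/L bit (0x02) set and the
    multicast bit (0x01) clear, i.e. a locally administered unicast MAC."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    first_octet = int(mac[:2], 16)
    return (first_octet & 0x03) == 0x02

def triage(values):
    """Sort Calling-Station-Id values into burned-in, local and invalid."""
    out = {"burned-in": [], "local": [], "invalid": []}
    for value in values:
        if normalize_mac(value) is None:
            out["invalid"].append(value)
        elif is_locally_administered(value):
            out["local"].append(value)
        else:
            out["burned-in"].append(value)
    return out

# Constructed sample values, not taken from any real network.
SAMPLE = [
    "00-1A-2B-3C-4D-5E",   # second digit 0: globally unique (burned-in)
    "DA:A1:19:00:11:22",   # second digit A: locally administered
    "3e22.fb01.9c44",      # dotted format, second digit e
    "F2-9C-4A-10-20-30",   # second digit 2
    "not-a-mac",           # malformed attribute value
]

if __name__ == "__main__":
    for bucket, members in triage(SAMPLE).items():
        print(bucket, members)
```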
02-22-2024 12:56 AM
I've seen the option to use regex in other solutions; with Meraki this is not possible, so the only option is to disable the device's MAC randomization.
02-22-2024 01:58 PM
I recommend you read this article.
https://www.cisco.com/c/en/us/products/collateral/wireless/randomized-changing-mac-dg.html
02-22-2024 10:48 PM
I did read it but we don't have ISE if that is what you were thinking?
I guess there is no solution to this.
02-23-2024 03:20 AM
The idea was for you to read and understand how it works and think about it for the future.
With freeradius you won't be able to do that. 😉
02-23-2024 04:12 AM
OK thanks for confirming that there is nothing to be done.
02-22-2024 10:46 PM
Yes, I saw the regex as well, but that will be valid for devices we don't want in the network as well, so that is not an option.
02-23-2024 04:42 AM
Thanks all for the reply.
We do not use ISE, therefore regex is not an option.
I could use regex in Freeradius but, like I mentioned, most of the devices use "MAC randomization" and we only want specific devices on the network, so regex is also not a valid solution.
We are looking into putting a certificate in the device but the supplier says no, so that is why I wondered if anyone managed to find another way to solve this other than turning off that function on the device (that I knew) or regex or ISE.
02-23-2024 04:45 AM
Unfortunately not, have you ever thought about using MDM?
02-23-2024 04:47 AM
3rd party vendor so not an option :(, we do not get to decide what to do with those devices. And there are tens of thousands of them