Meraki

Community

MAC Randomization and how to authenticate it?

Solved
adde_x
Comes here often
‎Feb 21 2024 11:41 PM
‎Feb 21 2024 11:41 PM

MAC Randomization and how to authenticate it?

Hi

 

So I ran into some issues with MAB and MAC Randomization and wonder if anyone managed to solve this?

Since mac addresses are randomized, MAB is useless.

We are running MAB now and it works fine because the clients we use do not have this feature, but the additional clients that are introduced have this feature and now I need to figure out a solution and I'm stuck.

Using Freeradius and Meraki, so any advice is appreciated.

 

Regards

Adrian

0 Kudos
1 Accepted Solution
In response to adde_x
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 23 2024 4:26 AM
‎Feb 23 2024 4:26 AM

ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*

 

https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 22 2024 12:56 AM
‎Feb 22 2024 12:56 AM

I've seen the option to use regex in other solutions, with Meraki this is not possible, so the only option is to disable the device's mac randomization.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 22 2024 1:58 PM
‎Feb 22 2024 1:58 PM

I recommend you read this article.

 

https://www.cisco.com/c/en/us/products/collateral/wireless/randomized-changing-mac-dg.html

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
adde_x
Comes here often
‎Feb 22 2024 10:48 PM
‎Feb 22 2024 10:48 PM

I did read it but we don't have ISE if that is what you were thinking?

I guess there is no solution to this.

0 Kudos
In response to adde_x
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 23 2024 3:20 AM
‎Feb 23 2024 3:20 AM

The idea was for you to read and understand how it works and think about it for the future.

 

With freeradius you won't be able to do that. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
adde_x
Comes here often
‎Feb 23 2024 4:12 AM
‎Feb 23 2024 4:12 AM

OK thanks for confirming that there is nothing to be done.

0 Kudos
In response to adde_x
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 23 2024 4:26 AM
‎Feb 23 2024 4:26 AM

ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*

 

https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
adde_x
Comes here often
‎Feb 22 2024 10:46 PM
‎Feb 22 2024 10:46 PM

Yes, I saw the regex as well but that will be valid for devices we dont want in the network as well so that is not an option.

0 Kudos
adde_x
Comes here often
‎Feb 23 2024 4:42 AM
‎Feb 23 2024 4:42 AM

Thanks all for the reply.

We do not use ISE therefor regex is not an option.

I could use regex in Freeradius but like i mentioned, most of the devices use "mac randomization" and we only want specific devices on the network so regex is also not a valid solution.

We are looking into putting certificate in the device but the supplier says no so that is why i wondered if anyone managed to find another way to solve this other than turning off that function on the device (that i knew) or regex or ISE.

0 Kudos
In response to adde_x
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 23 2024 4:45 AM
‎Feb 23 2024 4:45 AM

Unfortunately not, have you ever thought about using MDM?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
adde_x
Comes here often
‎Feb 23 2024 4:47 AM
‎Feb 23 2024 4:47 AM

3rd party vendor so not an option :(, we do not get to decide what to do with those devices. And there are tens of thousands of them

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.