MAC Randomization and how to authenticate it?
Hi
So I ran into some issues with MAB and MAC Randomization and wonder if anyone managed to solve this?
Since mac addresses are randomized, MAB is useless.
We are running MAB now and it works fine because the clients we use do not have this feature, but the additional clients that are introduced have this feature and now I need to figure out a solution and I'm stuck.
Using Freeradius and Meraki, so any advice is appreciated.
Regards
Adrian
I've seen the option to use regex in other solutions, with Meraki this is not possible, so the only option is to disable the device's mac randomization.
Please, if this post was useful, leave your kudos and mark it as solved.
I recommend you read this article.
https://www.cisco.com/c/en/us/products/collateral/wireless/randomized-changing-mac-dg.html
Please, if this post was useful, leave your kudos and mark it as solved.
I did read it but we don't have ISE if that is what you were thinking?
I guess there is no solution to this.
The idea was for you to read and understand how it works and think about it for the future.
With freeradius you won't be able to do that. 😉
Please, if this post was useful, leave your kudos and mark it as solved.
OK thanks for confirming that there is nothing to be done.
ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*
Please, if this post was useful, leave your kudos and mark it as solved.
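Added example, not part of the original thread or any poster's code: the regex quoted above selects MACs whose second hex digit is 2, 6, A or E, which is the locally administered bit set on a unicast address. The Python below performs the same test as a bit check on constructed sample Calling-Station-ID values; the function names and samples are assumptions made for illustration.

```python
import re

# Regex quoted in the post above, applied to the raw Calling-Station-ID string.
PAGE_REGEX = re.compile(r"^.[26AEae].*")

def normalize_mac(value):
    """Strip common separators; return 12 lowercase hex digits or None."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_local_unicast(value):
    """True when the first octet has the U/L bit set and the multicast bit clear.

    That is what a second hex digit of 2, 6, A or E encodes. Returns None
    when the value is not a MAC address at all.
    """
    mac = normalize_mac(value)
    if mac is None:
        return None
    return (int(mac[:2], 16) & 0x03) == 0x02

def summarize(values):
    """Count locally administered, globally unique and unparseable values."""
    counts = {"local": 0, "global": 0, "invalid": 0}
    for value in values:
        verdict = is_local_unicast(value)
        key = "invalid" if verdict is None else ("local" if verdict else "global")
        counts[key] += 1
    return counts

# Constructed sample values (not from the thread) in several separator styles.
SAMPLES = [
    "DA:A1:19:00:00:01",   # second digit A: locally administered
    "00-1B-44-11-3A-B7",   # second digit 0: globally unique
    "f2a1.19ab.cdef",      # dotted form, second digit 2: locally administered
    "3c5282aabbcc",        # bare form, second digit c: globally unique
    "cafe",                # not a MAC, yet the bare regex still matches it
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, is_local_unicast(sample), bool(PAGE_REGEX.match(sample)))
    print(summarize(SAMPLES))
```

A locally administered address only marks a candidate for randomization and says nothing about which device sent it, so the check classifies requests rather than authenticating them.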
Yes, I saw the regex as well but that will be valid for devices we don't want in the network as well so that is not an option.
Thanks all for the reply.
We do not use ISE, therefore regex is not an option.
I could use regex in Freeradius but like I mentioned, most of the devices use "mac randomization" and we only want specific devices on the network so regex is also not a valid solution.
We are looking into putting a certificate in the device but the supplier says no, so that is why I wondered if anyone managed to find another way to solve this other than turning off that function on the device (that I knew) or regex or ISE.
Unfortunately not, have you ever thought about using MDM?
Please, if this post was useful, leave your kudos and mark it as solved.
3rd party vendor so not an option :(, we do not get to decide what to do with those devices. And there are tens of thousands of them