MAC Randomization and how to authenticate it?

Solved
adde_x
Comes here often

MAC Randomization and how to authenticate it?

Hi

 

So I ran into some issues with MAB and MAC Randomization and wonder if anyone managed to solve this?

Since mac addresses are randomized, MAB is useless.

We are running MAB now and it works fine because the clients we use do not have this feature, but the additional clients that are introduced have this feature and now I need to figure out a solution and I'm stuck.

Using Freeradius and Meraki, so any advice is appreciated.

 

Regards

Adrian

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*

 

https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal

I've seen the option to use regex in other solutions, with Meraki this is not possible, so the only option is to disable the device's mac randomization.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

I recommend you read this article.

 

https://www.cisco.com/c/en/us/products/collateral/wireless/randomized-changing-mac-dg.html

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
adde_x
Comes here often

I did read it but we don't have ISE if that is what you were thinking?

I guess there is no solution to this.

alemabrahao
Kind of a big deal
Kind of a big deal

The idea was for you to read and understand how it works and think about it for the future.

 

With freeradius you won't be able to do that. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
adde_x
Comes here often

OK thanks for confirming that there is nothing to be done.

alemabrahao
Kind of a big deal
Kind of a big deal

ISE policy rule can be created using a regular expression match against the RADIUS Calling-Station-ID attribute within the RADIUS Access-Request which includes the client MAC on virtually all Cisco devices: ^.[26AEae].*

 

https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
adde_x
Comes here often

Yes, I saw the regex as well but that will be valid for devices we dont want in the network as well so that is not an option.

adde_x
Comes here often

Thanks all for the reply.

We do not use ISE therefor regex is not an option.

I could use regex in Freeradius but like i mentioned, most of the devices use "mac randomization" and we only want specific devices on the network so regex is also not a valid solution.

We are looking into putting certificate in the device but the supplier says no so that is why i wondered if anyone managed to find another way to solve this other than turning off that function on the device (that i knew) or regex or ISE.

alemabrahao
Kind of a big deal
Kind of a big deal

Unfortunately not, have you ever thought about using MDM?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
adde_x
Comes here often

3rd party vendor so not an option :(, we do not get to decide what to do with those devices. And there are tens of thousands of them

Get notified when there are additional replies to this discussion.