MAC Address Randomization
Every device on a modern network has a MAC address, which is used to identify that individual device on the local network.
Historically the MAC address has been a unique, static identifier. It is assigned by the manufacturer of the NIC, which means it doesn’t change from the time the device leaves the factory until the time it reaches the trash bin.
Since the MAC address is (in many cases still) static, a device can be traced by its movements from hotel to airport to shopping mall and so on. Combined with the behavior and browsing patterns of the device, this tracing can be used to profile, trace and locate the person using it.
In iOS 14, iPadOS 14, and watchOS 7, Apple is changing the default Wi-Fi behavior. By default, an iOS 14 device will:
- Create a per-network MAC address
- Regenerate the per-network MAC address daily - The MAC address is regenerated once every 24 hours. The new address becomes active when you leave and rejoin the network.
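Randomized addresses can be told apart from burnt-in ones, which is useful when auditing an endpoint database for registrations that will stop matching once this default takes effect. The script below is an added example, not code from the original post and not part of Cisco ISE. It assumes the convention that a randomized address, such as an iOS 14 private address, sets the IEEE 802 "locally administered" bit (bit 1 of the first octet, so the second hex digit is 2, 6, A or E), whereas a vendor-assigned address from an OUI has that bit clear. The endpoint records are constructed sample data.

```python
"""Flag randomized (locally administered) MAC addresses in a BYOD endpoint list.

Added example, not from the original post and not Cisco ISE code. Assumption:
randomized addresses set the IEEE 802 U/L bit (0x02 of the first octet);
burnt-in, vendor-assigned addresses have it clear.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample registrations (username, MAC as entered on a portal).
SAMPLE_ENDPOINTS = [
    ("alice", "00:11:22:33:44:55"),   # vendor-assigned style, U/L bit clear
    ("bob", "DA:A1:19:01:02:03"),     # 0xDA has the U/L bit set -> randomized
    ("carol", "0a1b.2c3d.4e5f"),      # Cisco dotted form, 0x0A -> randomized
    ("dave", "3c-22-fb-10-20-30"),    # hyphenated form, U/L bit clear
    ("mcast-typo", "01:00:5e:00:00:01"),  # multicast bit set: not a valid host MAC
]


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and Cisco aabb.ccdd.eeff.
    Raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    Such an address was not assigned from a vendor OUI and, on a Wi-Fi
    client, is most likely a randomized/private address.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (0x01 of the first octet) is set.

    A multicast address can never be a device's own source address, so a
    registration carrying one is a data-entry error rather than a device.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def audit_endpoints(endpoints):
    """Sort (username, mac) registrations into stable, randomized and invalid.

    Randomized entries are the ones a MAC-based BYOD registration will stop
    matching once the device rotates its address.
    """
    result = {"stable": [], "randomized": [], "invalid": []}
    for user, mac in endpoints:
        try:
            norm = normalize_mac(mac)
            if is_multicast(norm):
                raise ValueError("multicast bit set")
        except ValueError:
            result["invalid"].append((user, mac))
            continue
        bucket = "randomized" if is_locally_administered(norm) else "stable"
        result[bucket].append((user, norm))
    return result


if __name__ == "__main__":
    report = audit_endpoints(SAMPLE_ENDPOINTS)
    for bucket, entries in report.items():
        print(f"{bucket}:")
        for user, mac in entries:
            print(f"  {user:12s} {mac}")
```

Run it against an export of the endpoint database instead of `SAMPLE_ENDPOINTS` to get a list of users to contact before the default changes. The check only identifies addresses that *look* randomized; a device whose private address happens to be registered will still break the moment it rotates, so the stable list is a lower bound on affected users, not a guarantee.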
My choice of hat is a tinfoil one, so I love the idea of increased privacy, but the change in default behavior poses a problem for solutions in the network that depend on the MAC address to remain static, such as Cisco ISE’s BYOD solution.
- In ISE's BYOD flow, users log in to the network with their credentials on a web portal.
- On the web portal, the user registers their device's MAC address.
- After the initial registration, the user is identified by that MAC address on the network and so avoids a manual login every day.
Users only have to log in once. This is not the most secure solution, since manually changing a MAC address has been a simple task for a very long time, but it is user friendly and is therefore implemented in many networks.
Fortunately Apple allows the Private Address feature to be disabled manually per Wi-Fi network, so inform your users of the coming change in Apple devices (or reconfigure your MDM) so that your BYOD solution continues to work.
An alternative (and in my opinion a better solution): migrate your BYOD solution to an 802.1X solution, where users are identified by their username/password or a certificate. 802.1X is supported by most mobile devices today.
Note: the same MAC randomization function is supported in Android, but it is not enabled by default at the time of writing.