iPhone 6 on iOS 8.0.2 and later will randomize MAC addresses, which is a cool idea to keep from being tracked as your phone sends out wifi probes. Although there were some initial glitches, the latest and greatest version of iOS seems to be doing that MAC randomization thing pretty well.
Which means trouble when connecting to an 802.1X wireless guest network that places the MAC address of a device with a successful user login into a MAC bypass list... Guy logs in with iPhone, gets on the network. Walks out, walks back in, iPhone is not on wifi, so it randomizes its MAC address and the user has to register... but then the device connects and the MAC goes back to what it was, so the user doesn't have to register. Except he never logged back on, either, so... hrmmm... looks like we need to rewrite that 802.1X policy to account for those iDevices having random fun.
:tmyk:
Is this still bugged? I remember that the MAC randomization did not work if the device had either Location Services enabled, or had a cellular data connection. So I would say 99% or more of the devices out there would not be using the randomization. I don't do wireless so didn't really bother me much.
-Otanx
Just saw two cases of it on our test network. We're none too pleased, I assure you.
Thanks for sharing! This is going to suck for MAB authentication (based on identity store) on ISE. Do you have reference material for this?
There's some info on the MAC address thing with iPhones in a few tech mag articles, but it deals mostly with end-user inconvenience. I don't have any docs on its impact on NAC: we're just now starting to see it.
Is it a complete MAC randomization, or does the OUI stay the same?
Quote from: SimonV on June 02, 2015, 04:24:42 PM
Is it a complete MAC randomization, or does the OUI stay the same?
Good question. I need to see more of the MACs from these phones to get an idea.
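The OUI question above, and the MAB bypass-list problem in the opening post, both come down to one check a NAC operator can run on any MAC it sees: whether the address is globally administered (first octet's U/L bit, 0x02, clear) or locally administered (bit set), which is what IEEE 802 defines for addresses a station assigns itself. The following is an added example, not code from the thread or from any ISE/NAC product; the sample addresses are constructed for illustration and are not claimed to be Apple OUIs, and the policy it encodes (never write a locally administered or multicast address into the bypass list) is this editor's suggestion, not the original poster's. It also assumes, as the IEEE convention implies, that a randomized probe address will carry the U/L bit; if a given iOS build does not, the OUI comparison below still shows whether the vendor prefix survived.

```python
import re

# Constructed sample MACs for this example; none were taken from the thread
# and none are asserted to belong to any real vendor.
SAMPLE_MACS = {
    "registered-looking": "00:1A:2B:3C:4D:5E",  # U/L bit clear: globally unique OUI
    "randomized-looking": "DA:A1:19:3C:4D:5E",  # U/L bit set: locally administered
    "multicast":          "01:00:5E:00:00:01",  # I/G bit set: never a station address
}


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return 6 bytes."""
    hexdigits = re.sub(r"[:\-.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    return bytes.fromhex(hexdigits)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) set: address was assigned locally, not by an OUI owner."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01 of the first octet) set: group address, cannot be a client."""
    return bool(parse_mac(mac)[0] & 0x01)


def oui(mac: str) -> str:
    """Upper 24 bits, normalised to upper-case colon form for comparison."""
    return ":".join(f"{b:02X}" for b in parse_mac(mac)[:3])


def same_oui(mac_a: str, mac_b: str) -> bool:
    """Answers SimonV's question for a pair of observed addresses: did the vendor prefix survive?"""
    return oui(mac_a) == oui(mac_b)


def classify(mac: str) -> dict:
    """One record per observed address, suitable for logging alongside the 802.1X session."""
    return {
        "mac": ":".join(f"{b:02X}" for b in parse_mac(mac)),
        "oui": oui(mac),
        "locally_administered": is_locally_administered(mac),
        "multicast": is_multicast(mac),
    }


def eligible_for_mab_bypass(mac: str) -> bool:
    """Suggested policy (assumption, not the poster's): only a unicast, globally
    administered address may be written to the MAC bypass list after a user login.
    A locally administered address is treated as transient and is never trusted."""
    return not (parse_mac(mac)[0] & 0x03)


def filter_bypass_candidates(macs) -> list:
    """Apply the policy to a batch of addresses seen with successful logins."""
    return [m for m in macs if eligible_for_mab_bypass(m)]


if __name__ == "__main__":
    for label, mac in SAMPLE_MACS.items():
        print(label, classify(mac), "bypass-eligible:", eligible_for_mab_bypass(mac))
```

The practical use is as a gate in front of whatever populates the bypass list: an address that fails `eligible_for_mab_bypass` should fall back to the normal user login rather than being remembered, which is exactly the case the opening post describes where the real MAC reappears without a fresh login.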
I guess this is finally going to get everyone off their butts re: the longstanding de-facto assumption that (easily spoofed) MAC = identity.
Ironically it's 'good' that it's the fruit phone, since it's going to be so high profile nobody can afford to just ignore it as a niche case.
Keep us posted on best 802.1x practice in this scenario
For the corporate-managed phones, it'll be MDM and certificates. For the guest network... perhaps permission from the guest to install a dissolvable client prior to accessing the network?
Guest will be the killer. PKI has been standard for dot1x for a while now.