Using Hotspot Portal to Instruct Users on Disabling MAC Address Randomization

Available Languages

Download Options

  • ePub     (180.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (165.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 16, 2020
Document ID:216021

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

With the release of Android 10 and iOS 14, MAC Address Randomization was introduced to attempt to prevent users from being tracked based on their wireless MAC address. This is good for privacy when joining hotspot networks but makes device tracking difficult in an enterprise environment, especially when attempting to profile these devices or use a Mobile Device Manager to ensure the device is compliant with an orginization's security policy before gaining network access.

For the profiling and MDM services, end users can be instructed to disable MAC randomization on the device before getting intended network access. This can be achieved by redirecting users to a modified hotspot page that provides instructions to disable MAC randomization when the device is using a random MAC address to connect to the network. Once MAC randomization is disabled, the user can connect normally.

Configuration

      1. Navigate to Administration > Identity Management > Groups, select Endpoint Identity Groups and select Add to create new endpoint group called Random_MAC_Endpoints
      2. Navigate to Work Centers > Guest Access > Portals & Components, select Guest portals and select Create to create new hotspot guest portal called Random MAC Detected
      3. Under Portal Settings, select endpoint group created above for the Endpoint identity group
      4. Select Portal Page Customization
      5. Under Text Elements, change Banner title to Random MAC detected
      6. Select Acceptable Use Policy
      7. Change Content Title to: Your device is using random MAC address
      8. Add following text to the Instructional Text page:

        Please change the network setting on your device to use global MAC address instead of random MAC address to gain network access.

        Further instructions can also be provided with specifics on disabling MAC Randomization per SSID or globally on the device.
      9. Add following optional content on the AUP page to remove hotspot portal elements (Make sure to select Toggle HTML Source button before and after pasting in the script): 
        <script>
    (function(){
       jQuery('.cisco-ise-aup-text').hide();
       jQuery('.cisco-ise-aup-controls').hide();
       setTimeout(function(){ jQuery('#portal-session-timeout-popup-screen, #portal-session-timeout-popup-popup, #portal-session-timeout-popup').remove(); }, 100);
      })();
  </script>
      10. Other settings on this page can be changed to provide instructions on how to modify the MAC randomization setting on the devices, once done select Save
      11. Create Authorization profile called Random_MAC to redirect to the page created above
      12. Create Authorization policy rule to use Random_MAC with condition that matches on any Randomized MAC address for any SSIDs to deny random MAC address. Here, regex string matching condition (MATCHES ^.[26AEae].*) is used to identify random MAC address that utilizes locally significant bit of the MAC address which both Android and iOS devices follow

Device Specific Instructions

The following are steps that the user can be instructed to complete for some common devices. Vendors of specific devices could have slightly different steps for disabling MAC Randomization on their devices.

Android:

  1. Open the Settings app.
  2. Select Network and Internet.
  3. Select WiFi.
  4. Ensure you are connected to the corporate SSID.
  5. Tap the gear icon next to the current WIFI connection.
  6. Select Advanced.
  7. Select Privacy.
  8. Select Use Device MAC.

Apple:

Apple has publish an article with instructions on disabling MAC Randomization on their devices:

https://support.apple.com/en-us/HT211227

Windows:

As of the writing of this article, randomized MAC addresses are disabled by default on Windows but a user can choose to turn it on, here are instructions on disabling the feature if enabled:

  • Disable 'Use random hardware addresses' for all networks:

    1. Select the Start button, then select Settings > Network & Internet > Wi-Fi .

    2. Set the slider to "Off" under Use random hardware addresses.

  • Disable 'Use random hardware addresses' for a specific network:

    1. Select the Start button, then select Settings > Network & Internet > Wi-Fi > Manage known networks.

    2. Choose a network, then select Properties.

    3. Under Use random hardware addresses for this network use the drop down to select "Off".

TAC Authored

Contributed by Cisco Engineers

  • Hosuk Won
    ISE PM
  • Jesse Dubois
    TAC Technical Leader

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products