Historically, wireless clients have associated to a wireless network using the manufacturer-assigned MAC address of the wireless network interface card (NIC). This manufacturer-assigned MAC address, which is globally unique, is also known as the burned-in address (BIA). Using the burned-in address everywhere raises an end-user privacy concern: the user can be tracked across networks by the Wi-Fi MAC address. In this document it is referred to as the normal MAC (address), in contrast to the random MAC (address).
To improve end-user privacy, operating system vendors (Apple iOS 14, Android 10 and Windows 10) are enabling the use of a locally administered MAC address (LAA), also referred to as a random MAC address, for Wi-Fi operation. When a wireless endpoint associates with a random MAC address, the address it presents is no longer fixed: it can differ per network and, depending on the operating system and its settings, be regenerated over time.
Random MAC addresses were originally limited to probing for known wireless networks. Their use has now been expanded to association with wireless networks. While this works well for the privacy of the end user, it brings unique challenges to the enterprise IT admin, who has so far depended on a unique endpoint identity as the basis for driving policy. It also affects Wi-Fi deployment models such as Guest, BYOD (Bring Your Own Device) and location analytics, all of which rely on the uniqueness of the MAC address.
To address and alleviate the issues caused by random MAC addresses in existing wireless deployments, Cisco provides the Random and Changing MAC (RCM) solution.
Fig #1: RCM Cisco Solution
Random MAC Identification and Client Access
The Cisco solution identifies random MAC usage and provides visibility on the WLC and in Cisco DNA Center, for easier detection of issues and troubleshooting.
The Cisco Catalyst 9800 can classify a device on the network by whether it uses a universally administered address (BIA) or a locally administered address (RCM), which helps administrators distinguish between the two. A locally administered address is identified by the U/L bit: the second least significant bit of the first octet (mask 0x02), which sits inside the OUI portion of the MAC address. When that bit is set, the second hex digit of the first octet is 2, 6, A or E. Note that the bit only says the address was not assigned by a manufacturer: virtual machines and administrator-configured addresses set it too, so on a wireless client a set U/L bit is a strong indication of OS randomization rather than proof. The picture below depicts how to identify a locally administered MAC address.
Fig #2: Random MAC Identification
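The U/L bit check described above, as an added example that is not part of the original Cisco article or of any Cisco product code. It uses only the Go standard library; the sample addresses are constructed, not captured from a real network, and the I/G (multicast) check is included because a group address can never be a client MAC.

```go
package main

import (
	"fmt"
	"net"
)

// MACKind is the result of the U/L bit check.
type MACKind int

const (
	UniversallyAdministered MACKind = iota // burned-in address, OUI assigned by the IEEE
	LocallyAdministered                    // U/L bit set: random/changing MAC (RCM) on a wireless client
)

func (k MACKind) String() string {
	if k == LocallyAdministered {
		return "locally administered (RCM)"
	}
	return "universally administered (BIA)"
}

// ClassifyMAC parses a 48-bit MAC and inspects the first octet:
//   bit 0 (mask 0x01) is the I/G bit: set means group/multicast, never a client address;
//   bit 1 (mask 0x02) is the U/L bit: set means locally administered.
// Because the U/L bit is the second least significant bit of the first octet,
// a locally administered address always has 2, 6, A or E as the second hex digit.
func ClassifyMAC(s string) (MACKind, error) {
	hw, err := net.ParseMAC(s) // accepts 00:11:22:33:44:55, 00-11-22-33-44-55 and 0011.2233.4455
	if err != nil {
		return 0, err
	}
	if len(hw) != 6 {
		return 0, fmt.Errorf("%q is not a 48-bit MAC address", s)
	}
	if hw[0]&0x01 != 0 {
		return 0, fmt.Errorf("%q is a group/multicast address, not a client MAC", s)
	}
	if hw[0]&0x02 != 0 {
		return LocallyAdministered, nil
	}
	return UniversallyAdministered, nil
}

// IsRCM is the yes/no form: a unicast MAC with the U/L bit set.
// Caveat: the bit only says "not assigned by a manufacturer". Virtual machines,
// some virtual interfaces and admin-configured addresses set it too, so treat a hit
// on a wireless client as "very likely OS randomization", not as proof.
func IsRCM(s string) bool {
	k, err := ClassifyMAC(s)
	return err == nil && k == LocallyAdministered
}

func main() {
	// Constructed sample addresses, not captured from a real network.
	samples := []string{
		"00:1a:2b:3c:4d:5e", // BIA-style: second hex digit 0
		"02:1a:2b:3c:4d:5e", // same OUI bytes with the U/L bit set
		"da:a1:19:00:11:22", // 0xda = 1101 1010, U/L bit set: typical random MAC
		"0011.2233.4455",    // Cisco dotted format also parses
		"01:00:5e:00:00:01", // IPv4 multicast: rejected
	}
	for _, s := range samples {
		k, err := ClassifyMAC(s)
		if err != nil {
			fmt.Printf("%-20s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-20s %s\n", s, k)
	}
}
```

The same test can be applied to a RADIUS Calling-Station-Id or a WLC client-table export to count RCM clients before enabling a deny policy.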
In addition, the Cisco 9800 wireless controller provides the ability to control whether clients using an RCM address may join a Wi-Fi network. This is exposed as a configuration option to allow or deny RCM clients. When the option is set to deny, any client that presents a random, changing (locally administered) MAC address will not be able to join that wireless network.
MDM (Mobile Device Manager)/ISE BYOD Integrations:
ISE has historically queried the MDM for compliance using the endpoint MAC address as the device identifier. When the endpoint connects with a random MAC address, the MDM does not recognize it, so the compliance check and the other security controls built on it fail. Cisco's solution gives the device a stable identity derived from its EAP-TLS certificate, known as the Device Unique ID (DUID).
◉ The solution relies on the MDM (Mobile Device Manager, also referred to as a Device Manager or Unified Endpoint Manager; for example Microsoft Intune or MobileIron) that manages devices in the enterprise infrastructure.
◉ ISE provisions the device with a certificate that carries the device unique ID (DUID).
◉ The device presents this certificate during EAP-TLS authentication; ISE authorizes the device and reads the unique ID from the certificate.
◉ The DUID is used for the compliance check against the MDM server and as the unique identifier of the device in the endpoint table.
◉ The randomized MAC no longer matters, because the device is now identified by the DUID in its certificate.
◉ Because ISE holds the mapping between the DUID and the current random MAC, it can share this information in two ways:
◉ through pxGrid, as part of the session information, with Cisco DNA Center as the pxGrid subscriber;
◉ through the WLC, which receives the client information from ISE as a vendor-specific attribute (VSA) in the RADIUS Access-Accept and forwards it to Cisco DNA Center.
Fig #3: Device Unique ID MDM Flow
The same use case can be implemented through ISE as part of the BYOD workflow, since ISE can generate the DUID during the BYOD onboarding process.
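The DUID flow described in the list above and in the BYOD variant, as an added example that is not part of the original Cisco article and not ISE's or any MDM vendor's code. It is written in Go against the standard library and assumes, for illustration only, that the DUID is carried as a subjectAltName URI with the made-up scheme `deviceid:`; ISE and the MDM vendors define their own certificate attribute and format. The certificate is self-signed rather than CA-issued, the endpoint table is an in-memory map, and the DUID and MAC addresses are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// duidScheme is an assumed URI scheme for carrying the DUID in the subjectAltName.
// ISE and the MDM vendors define their own attribute and format; this is a stand-in.
const duidScheme = "deviceid"

// IssueDeviceCert stands in for the provisioning step (ISE BYOD or MDM-driven enrolment):
// it returns a DER-encoded, self-signed client certificate whose SAN URI carries the
// device unique ID. A real deployment would have the ISE or enterprise CA sign it.
func IssueDeviceCert(duid string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "byod-device"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{{Scheme: duidScheme, Opaque: duid}}, // SAN URI: deviceid:<duid>
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ExtractDUID is what the authorization server does after EAP-TLS succeeds:
// take the identity from the certificate, not from the link-layer address.
func ExtractDUID(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	for _, u := range cert.URIs {
		if u.Scheme == duidScheme && u.Opaque != "" {
			return u.Opaque, nil
		}
	}
	return "", errors.New("certificate carries no DUID SAN")
}

// Endpoint is one row of a constructed endpoint table keyed by DUID.
type Endpoint struct {
	DUID      string
	MACs      []string // every Calling-Station-Id the device has authenticated with
	Compliant bool     // MDM verdict, stored and looked up by DUID
}

type EndpointTable map[string]*Endpoint

// Authorize records a session: the random MAC from the RADIUS Calling-Station-Id is
// attached to the DUID row (the DUID-to-MAC mapping ISE shares via pxGrid or VSA),
// never used as the lookup key.
func (t EndpointTable) Authorize(certDER []byte, callingStationID string) (*Endpoint, error) {
	duid, err := ExtractDUID(certDER)
	if err != nil {
		return nil, err
	}
	e, ok := t[duid]
	if !ok {
		e = &Endpoint{DUID: duid}
		t[duid] = e
	}
	for _, m := range e.MACs {
		if m == callingStationID {
			return e, nil
		}
	}
	e.MACs = append(e.MACs, callingStationID)
	return e, nil
}

// SetCompliance is the MDM side of the flow: the verdict is stored against the DUID.
func (t EndpointTable) SetCompliance(duid string, compliant bool) bool {
	e, ok := t[duid]
	if !ok {
		return false
	}
	e.Compliant = compliant
	return true
}

func main() {
	const duid = "1f2a4e8c-0b7d-4c1e-9a3f-5d6e7f8a9b0c" // constructed example ID
	der, err := IssueDeviceCert(duid)
	if err != nil {
		panic(err)
	}
	tbl := EndpointTable{}
	first, _ := tbl.Authorize(der, "da:a1:19:00:11:22") // random MAC on first join
	tbl.SetCompliance(first.DUID, true)                 // MDM reports the device compliant
	again, _ := tbl.Authorize(der, "e6:12:34:56:78:9a") // MAC rotated, same certificate
	fmt.Printf("DUID %s compliant=%v seen with MACs %v\n", again.DUID, again.Compliant, again.MACs)
	// A table keyed by MAC would have treated e6:12:34:56:78:9a as an unknown, non-compliant device.
}
```

The point to check in a real deployment is the same as in the example: the compliance lookup and the endpoint-table key must come from the certificate, so that a rotated MAC shows up as a second address on the same row rather than as a new endpoint.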
DNA Center visibility, Troubleshooting, Usage tracking for RCM
Fig #4: DNA Center RCM Client Dashboard
Using Cisco DNA Center, administrators can track and troubleshoot random MAC usage and see where in the network random MACs are being used. For devices using random MAC addresses, Cisco DNA Center has introduced a new icon in front of the device MAC address to mark it as RCM. Users can also filter the client list to RCM addresses, so the IT admin can see how many clients on the network are RCM clients.
The Cisco DNA Center screen below shows the filtered list of RCM clients for visibility, tracking and troubleshooting.
Users can also see the client's DUID, its random MAC, and which other MAC addresses are related to it on the Cisco DNA Center Client 360 page, as shown below.
Fig 5: DNAC RCM Client 360 View
Fig 6: DNA Center RCM Client Details
Cisco DNA Center also shows when clients fail to associate because the network is configured to deny random MAC clients. The client screen below shows such a failure.
Fig 7: DNA Center RCM Client Association Failure View
Future of Random MAC Solution
Cisco will pursue, with the IETF, the formation of a formal working group on MAC address device identification for network and application services.
Source: cisco.com