I'm also seeing issues when I'm in a hotel, which gives me login data and restricts usage to a few devices per room. This is going to be FUN
Well, if you have some measure of control over the devices then you can disable the feature in a hotel. Oh, the irony...
In a broader context, I can see Captive Portal getting used for terms and conditions. "To access the network, you agree to shut off private network addresses."
Oh look... yet another reason to never support Apple devices.
Oh yes it is, because that's what it's going to take to make this sort of thing change. This is Apple's Wifi Sense...
But on a practical note, this all boils down to how the MAC address is generated. If Apple is randomizing within their assigned MACs only, that is to say the Apple MAC prefix is still intact, then MAC addresses can still be reliably used to identify an Apple device. The user agent string from their browser will allow you to know it's an Apple Mobile device. And if you want to identify a specific user beyond that, Captive Portal or VPN to positively ID them. MAC address based authentication has always been a poor choice for a host of reasons; Apple just made a new one.
I'm just going to get my popcorn, because wait until you have two Apple devices decide to use the same MAC address... Or for a network to run out of DHCP leases because a few devices got wonky connections and reconnected with a different MAC each time, eventually exhausting the address pool... Which yeah, with IP inflation comes a blown Untangle license too. Though honestly I'm far less concerned about the latter. Untangle knows crap happens here, and they've had a good eye for it all along.
P.S. https://source.android.com/devices/t...-randomization
My Pixel 3a is already doing this... I haven't noticed anything floating on my LAN here... I'm going to have to take a closer look now. Anyone else out there using Android 10, take a look... this junk is active for you too.
*Edit*
My Android 10 device uses a unique MAC address for each wifi network I have, since I have 3 broadcasting I connected to all, and yes my phone used "three" UT licenses while doing that. The three MAC addresses used do not change even if I forget the network. So it appears the Android 10 implementation is such that a phone's max MAC address presentation is limited to the number of wireless networks. Which is to say, a given MAC is effectively static for a given network.
So yeah... this is the new normal... fun.
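An added example, not written by anyone in this thread: one way to see how many seats randomized MACs are taking is to check the locally administered (U/L) bit, 0x02 in the first octet, which per-network randomized addresses set. The host rows below are constructed, the SSID names are borrowed from a later post, and grouping by DHCP hostname is an assumption that only holds when a device sends the same hostname on every network.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample rows: ssid,mac,dhcp_hostname
SAMPLE_HOSTS = """\
North,3c:22:fb:10:20:30,laptop-1
North,da:a1:19:00:11:22,phone-a
South,4e:5b:7c:00:11:23,phone-a
East,f2:0c:33:9a:bc:de,phone-a
West,3c:22:fb:10:20:30,laptop-1
"""

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, meaning the
    address is not a vendor-assigned (OUI) address."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(mac[:2], 16) & 0x02)

def seat_report(csv_text: str) -> dict:
    """Count distinct MACs (one seat each) and flag hosts presenting several."""
    macs_by_host = defaultdict(set)
    ssids = set()
    for line in csv_text.strip().splitlines():
        ssid, mac, host = (field.strip() for field in line.split(","))
        ssids.add(ssid)
        macs_by_host[host].add(mac.lower())
    all_macs = set().union(*macs_by_host.values())
    return {
        "seats": len(all_macs),
        "randomized": sorted(m for m in all_macs if is_locally_administered(m)),
        "multi_mac_hosts": {h: len(m) for h, m in macs_by_host.items() if len(m) > 1},
        # Upper bound when each device keeps one stable MAC per SSID
        "worst_case_seats": len(macs_by_host) * len(ssids),
    }

if __name__ == "__main__":
    for key, value in seat_report(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```
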
As I haven't tried the iOS 14 beta yet (would have to be on production devices) I can't tell what'll happen. But I'm most concerned about the licensing as I have home and already have half of the devices of the 50 (even most of them not being active most of the time (VMs etc.) but counting as device).
Also DHCP leases getting full depending on lease time.....
All this sucks and the only solution I see is to turn this off on each iOS device for our network(s).
That is what I will do at both home and work. In my case, this privacy-through-obfuscation feature inflicts more harm than it does good.
Except, I'm undecided about the guest network at home. Any licensing or DHCP damage (DHCP damage will be limited to the guest network, but not licensing damage) caused by this privacy feature will already be done before people hit Captive Portal, and I'm reluctant to insist that guests modify their device settings; that's a can of worms.
Yeah, simply activating the CP burns a seat in UT licensing land.
HomePro users, please remember your license doesn't have a device limit, these issues would be borne on the business users not the Home users.
I need to do some more digging, but I have two Android 10 devices here that have apparently been playing this game for over a year now, and I haven't seen any license creep. If iOS goes full retard and presents a new MAC every single day, that's still not going to muck up your licensing much, because Untangle only sees 1 device, when it's connected and it'll go when the user leaves.
The mobile device would have to swap its MAC address multiple times a day to burn multiple licenses in a way that would cause a problem. This can only happen if you've got multiple SSIDs behind the same Untangle. And the license burn would max out at the number of devices * number of SSIDs broadcast.
I'm not sure how much of a real concern that is... it's not often that you see a wireless infrastructure built such that you have to keep hopping onto different SSIDs, that junk tends to annoy users to no end. Which generates annoyed phone calls... and no one wants those... This is the network equivalent of signing up to work the lost luggage counter at the airport... bad idea!
Any organization with a cohesive wireless infrastructure can easily avoid this. So I guess what this means is if you're using Untangle, you're probably going to want to be using Unifi behind it, or at least something equivalent now. But that's been a good idea for a ton of reasons long before now, so again I don't see much change.
This has been a big topic for a couple weeks now on a higher ed wifi-focused mailing list I use which includes participants from a few very large R1 & R2 universities. There are at least 86 messages in the thread, but it's worth sharing a few highlights (no names for privacy).
First from August 10:
Two days later:
Quote:
Another update on the iOS 14 beta 4
I updated to beta 4 on the 6th. From what I can tell it appears that it is keeping its random MAC address. In the past betas, it rotated every 48 hours, but this one seems to be sticking - I am not interacting with the device at all so the only traffic is background traffic.
And finally this message on the 14th:
Quote:
Great question - I can confirm that if you "forget this network" and re-add it, it keeps the random MAC address it had before.
I also tested doing a reset of the network settings.
When you reset the network settings (General -> reset -> reset network settings) it re-generates a random MAC address.
So you'll see a different MAC
So we get a reprieve from the worst of this, at least for now. I'm not looking forward to unique MACs on each of my networks for a single device, but I can cope as long as they're reasonably stable.
Quote:
In this case, Apple is listening. Not sure if to Educause, but they have had sessions with wireless managers and engineers (myself included, after complaining to our local account manager) from different verticals about the rather radical impact this *could* have as it performed in earlier betas. Eventually, what they are trying to do will become standard, but the industry and business customer base needs to evolve into it in a way that doesn’t shock the collective system.
I have four SSIDs, each covering a separate area/zone of the campus (North, South, East, and West).
We're just big enough I don't want everyone in the same subnet/wireless broadcast domain, but not big enough I've been able to afford equipment capable of using 802.1x+RADIUS to split users into separate vlans for a single SSID in a user-friendly way. The good onboarding solutions for 802.1x are super expensive, and we're rural enough I can't count on campus visitors having cell service (curse you, AT&T. Your coverage map here is LIES) for the cheaper options.