  1. #11
    Master Untangler
    Join Date
    Jul 2018
    Posts
    139

    I'm also seeing issues when I'm in a hotel, which gives me login data and restricts usage to a few devices per room. This is going to be FUN

  2. #12
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Well, if you have some measure of control over the devices then you can disable the feature in a hotel. Oh, the irony...

    In a broader context, I can see Captive Portal getting used for terms and conditions. "To access the network, you agree to shut off private network addresses."

  3. #13
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Oh look... yet another reason to never support Apple devices.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #14
    Master Untangler
    Join Date
    Jul 2018
    Posts
    139

    Quote, originally posted by sky-knight:
    Oh look... yet another reason to never support Apple devices.
    Not a solution.....
    jcoffin and niwrik like this.

  5. #15
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Quote, originally posted by manilx:
    Not a solution.....
    Oh yes it is, because that's what it's going to take to make this sort of thing change. This is Apple's Wifi Sense...

    But on a practical note, this all boils down to how the MAC address is generated. If Apple is randomizing within their assigned MACs only, that is to say the Apple MAC prefix is still intact, then MAC addresses can still be reliably used to identify an Apple device. The user agent string from their browser will allow you to know it's an Apple Mobile device. And if you want to identify a specific user beyond that, Captive Portal or VPN to positively ID them. MAC address based authentication has always been a poor choice for a host of reasons, Apple just made a new one.

    I'm just going to get my popcorn, because wait until you have two Apple devices decide to use the same MAC address... Or for a network to run out of DHCP leases because a few devices got wonky connections and reconnected with a different MAC each time, eventually exhausting the address pool... Which yeah, with IP inflation comes a blown Untangle license too. Though honestly I'm far less concerned about the latter. Untangle knows crap happens here, and they've had a good eye for it all along.

    P.S. https://source.android.com/devices/t...-randomization

    My Pixel 3a is already doing this... I haven't noticed anything floating on my LAN here... I'm going to have to take a closer look now. Anyone else out there using Android 10, take a look... this junk is active for you too.

    *Edit*

    My Android 10 device uses a unique MAC address for each wifi network I have, since I have 3 broadcasting I connected to all, and yes my phone used "three" UT licenses while doing that. The three MAC addresses used do not change even if I forget the network. So it appears the Android 10 implementation is such that a phone's max MAC address presentation is limited to the number of wireless networks. Which is to say, a given mac is effectively static for a given network.

    So yeah... this is the new normal... fun.
    Last edited by sky-knight; 08-25-2020 at 09:47 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
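
An added example, not part of the post above and not Untangle code: one way to spot the per-network addresses described in the edit in a DHCP lease list. Android 10 and iOS 14 private addresses are unicast with the locally administered bit (0x02 of the first octet) set, so the check keys on that bit; the lease line format, the grouping by DHCP hostname and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, one lease per line: "mac ip hostname ssid" (not real data).
SAMPLE_LEASES = """\
3c:22:fb:10:20:30 192.168.1.20 office-laptop Main
da:a1:19:00:11:22 192.168.1.21 Pixel-3a Main
f2:5c:89:33:44:55 192.168.2.21 Pixel-3a Guest
86:1b:5e:66:77:88 192.168.3.21 Pixel-3a IoT
00-1A-2B-3C-4D-5E 192.168.1.22 printer Main
"""

def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(mac):
    """True for a unicast MAC whose U/L bit (0x02 of the first octet) is set."""
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not (first & 0x01)

def audit(lease_text):
    """Count private-address leases and list hostnames holding more than one."""
    by_host = defaultdict(list)
    total = private = 0
    for line in lease_text.splitlines():
        if not line.strip():
            continue
        mac, _ip, host, ssid = line.split()
        total += 1
        if is_locally_administered(mac):
            private += 1
            by_host[host].append((mac.lower(), ssid))
    # Assumption: the DHCP hostname is stable per device. Clients may omit or
    # change it, so treat a match as a hint, not as positive identification.
    multi = {h: v for h, v in by_host.items() if len(v) > 1}
    return {"total": total, "private": private, "multi_mac_hosts": multi}

if __name__ == "__main__":
    print(audit(SAMPLE_LEASES))
```

Each entry in `multi_mac_hosts` is one probable device holding several leases (and seats), one per SSID it joined.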

  6. #16
    Master Untangler
    Join Date
    Jul 2018
    Posts
    139

    As I haven't tried the iOS 14 beta yet (would have to be on production devices) I can't tell what'll happen. But I'm most concerned about the licensing as I have home and already have half of the devices of the 50 (even most of them not being active most of the time (VMs etc) but counting as device).
    Also DHCP leases getting full depending on lease time.....

    All this sucks and the only solution I see is to turn this off on each iOS device for our network(s).

  7. #17
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135

    Quote, originally posted by manilx:
    All this sucks and the only solution I see is to turn this off on each iOS device for our network(s).
    That is what I will do at both home and work. In my case, this privacy-through-obfuscation feature inflicts more harm than it does good.

    Except, I'm undecided about the guest network at home. Any licensing or DHCP damage (DHCP damage will be limited to the guest network, but not licensing damage) caused by this privacy feature will already be done before people hit Captive Portal, and I'm reluctant to insist that guests modify their device settings; that's a can of worms.
    Jim.Alles likes this.

  8. #18
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Yeah, simply activating the CP burns a seat in UT licensing land.

    HomePro users, please remember your license doesn't have a device limit, these issues would be borne on the business users not the Home users.

    I need to do some more digging, but I have two Android 10 devices here that have apparently been playing this game for over a year now, and I haven't seen any license creep. If iOS goes full retard and presents a new MAC every single day, that's still not going to muck up your licensing much, because Untangle only sees 1 device, when it's connected and it'll go when the user leaves.

    The mobile device would have to swap its MAC address multiple times a day to burn multiple licenses in a way that would cause a problem. This can only happen if you've got multiple SSIDs behind the same Untangle. And the license burn would max out at the number of devices * number of SSIDs broadcast.

    I'm not sure how much of a real concern that is... it's not often that you see a wireless infrastructure built such that you have to keep hopping onto different SSIDs, that junk tends to annoy users to no end. Which generates annoyed phone calls... and no one wants those... This is the network equivalent of signing up to work the lost luggage counter at the airport... bad idea!

    Any organization with a cohesive wireless infrastructure can easily avoid this. So I guess what this means is if you're using Untangle, you're probably going to want to be using Unifi behind it, or at least something equivalent now. But that's been a good idea for a ton of reasons long before now, so again I don't see much change.
    Last edited by sky-knight; 08-25-2020 at 11:43 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #19
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,849

    This has been a big topic for a couple weeks now on a higher ed wifi-focused mailing list I use which includes participants from a few very large R1 & R2 universities. There's at least 86 messages in the thread, but it's worth sharing a few highlights (no names for privacy).

    First from August 10:

    Another update on the iOS 14 beta 4

    I updated to beta 4 on the 6th. From what I can tell it appears that it is keeping its random MAC address. In the past betas, it rotated every 48 hours, but this one seems to be sticking - I am not interacting with the device at all so the only traffic is background traffic.
    Two days later:

    Great question - I can confirm that if you "forget this network" and re-add it, it keeps the random MAC address it had before.

    I also tested doing a reset of the network settings.

    When you reset the network settings (General -> reset -> reset network settings) it re-generates a random MAC address.
    So you'll see a different MAC
    And finally this message on the 14th:

    In this case, Apple is listening. Not sure if to Educause, but they have had sessions with wireless managers and engineers (myself included, after complaining to our local account manager) from different verticals about the rather radical impact this *could* have as it performed in earlier betas. Eventually, what they are trying to do will become standard, but the industry and business customer base needs to evolve into it in a way that doesn’t shock the collective system.
    So we get a reprieve from the worst of this, at least for now. I'm not looking forward to unique MACs on each of my networks for a single device, but I can cope as long as they're reasonably stable.
    Last edited by jcoehoorn; 08-25-2020 at 02:07 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  10. #20
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,849

    Quote, originally posted by sky-knight:
    The mobile device would have to swap its MAC address multiple times a day to burn multiple licenses in a way that would cause a problem. This can only happen if you've got multiple SSIDs behind the same Untangle.
    I have four SSIDs, each covering a separate area/zone of the campus (North, South, East, and West).

    We're just big enough I don't want everyone in the same subnet/wireless broadcast domain, but not big enough I've been able to afford equipment capable of using 802.1x+RADIUS to split users into separate vlans for a single SSID in a user-friendly way. The good onboarding solutions for 802.1x are super expensive, and we're rural enough I can't count on campus visitors having cell service (curse you, AT&T. Your coverage map here is LIES) for the cheaper options.
    Last edited by jcoehoorn; 08-25-2020 at 01:36 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty
