  1. #1
    Untanglit
    Join Date
    Jan 2022
    Posts
    22

    iPhones keep changing MAC (wifi) address so kids' policies are not enforced

    I finally figured out why my kids' iPhones keep escaping my policy enforcement and blocking.

    My setup:
    Basically I have
    kids phones tagged with a username in devices panel, example kids-name.
    firewall rule for kids set up to block all internet traffic.
    policy manager set up with logic like : username = *kids* time of day= ___, etc.
    if matches policy, then kids are blocked properly.

    So this works great for days (more or less), which tells me I have everything setup fine.

    All of a sudden nothing gets enforced on the kids' iPhones (at the same time the kids' devices such as Chromebooks are getting enforced fine). So clearly the iPhones are doing something to escape the policy.

    I have concluded that it is due to them switching MAC address on the network(s), which then means they appear as a different MAC address and they are no longer tagged with the proper username. I need to stop this.

    When it happens is:
    1. If they enter the Untangle-controlled network via a different wifi or VLAN, that changes the address in the device panel. I go and manually tag the new address and policies are back to getting enforced.
    2. If iPhones have "private address" turned on on the iPhone, it changes wifi address every time the iPhone is powered on/off or simply when private address is toggled. Same end result as #1 above.

    How do I stop this? I can't go down and tag the new MAC address with their username every time it changes.
    If it is not possible to force the iPhones to have only one username, I need to know how to set up Policy Manager (not with username) to make the desired behavior work.

    Thanks.

  2. #2
    Untangler
    Join Date
    Sep 2019
    Posts
    57


    Wow, I have the same issue at a friend's house with all their Apple devices, and the setting for private MAC addresses is easily toggled by the device owner, bypassing all their rules. I did find this article from Cisco:

    https://community.cisco.com/t5/secur...e/ta-p/4049321

    I was thinking about writing a rule that would block a randomized MAC address in the firewall app, but it doesn't seem to take kindly to regular expressions, which is the solution in the Cisco article.

    How have others addressed this? Looking through the rule patterns for MAC addresses, it looks like the Glob match may work.
    Last edited by RonV42; 02-19-2022 at 10:37 AM.

  3. #3
    Untangler (jcoffin)
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,655


    This is default behavior of iOS to prevent tracking. Rotating MAC addresses are a feature of iOS and Android, but it is on by default on iOS.

    https://www.techrepublic.com/article...and-ipados-14/

    Like HTTPS limiting inspection, this is the future. MAC addresses were never 100% reliable and now they are never reliable. If you have MDM on those devices, you can control their ability to rotate the MAC address. Otherwise, the device needs to sign in on every connect.
    Last edited by jcoffin; 02-19-2022 at 10:38 AM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangler
    Join Date
    Sep 2019
    Posts
    57


    Yes, understood; I've been battling it for a year on my friend's Apple devices. Do you think a Glob match may work to identify the randomized OUI? For a simple rule, any MAC address whose first octet ends in 2, 6, A or E would be a random MAC address. Here is what I was thinking of, making a total of 4 rules to add for 2, 6, A, E:

    [attachment: random mac block.png]
    Last edited by RonV42; 02-19-2022 at 10:45 AM.

  5. #5
    Untangler (jcoffin)
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,655


    Using a wildcard match defeats the purpose of identifying the device, as any device could have those MAC addresses. MDM, or maybe using VPN within the network. I see captive portal as more useful in this case, but a chore for users.

  6. #6
    Untanglit
    Join Date
    Jan 2022
    Posts
    22


    So what I'm hearing is that any hope of using Untangle to manage kids' devices is not going to work? Unless I have some type of hotel-style login (captive portal) every time they need to use the web? Neither they nor I am going to tolerate that. Which means that unless I want to "cut the internet off" for every user of the network, I can't segregate any devices reliably using Untangle?

    I converted to Untangle (from using Circle for this function) thinking it could be an acceptable substitute for Circle. It works somewhat well for this until the moment the user switches addresses, which can be at the toggle of a switch on their device. I hate to go back to Circle, but that seems like where I'm headed.

  7. #7
    Untangler
    Join Date
    Sep 2019
    Posts
    57


    I think Cisco did the leg work in the article I linked to: the 2nd digit of the first octet gives away that it's random, because the locally administered bit is set. Yes, this rule would intercept anything with an LAA, but I wouldn't expect to see many of them in the wild or inside the home, except for Apple, Android and Windows devices that have generated random MACs. I am going to try some tests in my home lab and report back.

    Just for more info, I created 50 virtual interfaces on a Raspberry Pi, since they would be locally administered, and all had a "2" as the second digit of the first octet. I did like the recommendation for redirection to a web site that instructs on how to disable random MAC, but this would take a heck of a lot more work than just blocking and having the father of the kids take the device and turn random MACs off for access.
    Last edited by RonV42; 02-19-2022 at 10:58 AM.
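    The check RonV42 describes above (and in post #4) can be written down exactly: the second hex digit of the first octet being 2, 6, A or E is the same thing as bit 0x02 of that octet (the locally administered bit) being set while the multicast bit 0x01 is clear. The script below is an added example, not code from this thread, from Untangle, or from the Cisco article; it implements both forms of the test, shows they agree, and lists devices that look randomized but carry no username tag, which is exactly where a username-based policy stops applying. The device list, names and tags are constructed sample data, and the fnmatch globs stand in for whatever glob matcher a firewall rule engine uses.

```python
"""Flag MAC addresses carrying the locally administered (U/L) bit and compare
with the four-glob rule (second hex digit of the first octet in 2, 6, A, E).
Added example; all device data below is constructed."""
import re
from fnmatch import fnmatchcase

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff in any case.
_MAC_RE = re.compile(r"^([0-9a-f]{2})(?::([0-9a-f]{2})){5}$")


def normalize_mac(mac: str) -> str:
    """Return the address as lowercase, colon-separated; raise on garbage."""
    s = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {mac!r}")
    return s


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac).split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet: set = locally administered (LAA),
    clear = universally administered (vendor OUI burned in)."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (0x01) of the first octet: set = group/multicast address."""
    return bool(first_octet(mac) & 0x01)


def looks_randomized(mac: str) -> bool:
    """A randomized client address is a unicast LAA. The multicast check
    matters: first octets like 0x03 or 0x0b also have the LAA bit set but
    never appear as a client's own source address."""
    return is_locally_administered(mac) and not is_multicast(mac)


# The four patterns as described in the thread: second hex digit of the
# first octet is 2, 6, A or E (fnmatch syntax, assumed equivalent to a
# rule engine's glob match).
RANDOM_MAC_GLOBS = ("?2:*", "?6:*", "?a:*", "?e:*")


def matches_random_glob(mac: str) -> bool:
    n = normalize_mac(mac)
    return any(fnmatchcase(n, pattern) for pattern in RANDOM_MAC_GLOBS)


# Constructed device list: (device name, MAC, username tag or None).
SAMPLE_DEVICES = [
    ("kid1-iphone", "a2:3b:4c:5d:6e:7f", None),    # unicast LAA, no tag
    ("kid2-iphone", "7e:10:20:30:40:50", "kid2"),  # unicast LAA, tagged
    ("chromebook",  "00:11:22:33:44:55", "kid1"),  # U/L bit clear
    ("printer",     "00:1e:8f:aa:bb:cc", None),    # U/L bit clear
    ("rpi-vif0",    "02:42:ac:11:00:02", None),    # LAA, virtual interface
    ("mdns-group",  "01:00:5e:00:00:fb", None),    # multicast, not a client
]


def untagged_randomized(devices):
    """Names of devices whose MAC looks randomized and that carry no
    username tag: the ones a username-based policy will silently miss."""
    return [name for name, mac, tag in devices
            if looks_randomized(mac) and tag is None]


if __name__ == "__main__":
    for name, mac, tag in SAMPLE_DEVICES:
        print(f"{name:12} {mac}  randomized={looks_randomized(mac)!s:5}  "
              f"glob={matches_random_glob(mac)!s:5}  tag={tag}")
    print("policy gaps:", untagged_randomized(SAMPLE_DEVICES))
```

    Running it prints one line per device and then the two untagged randomized devices. Note that, as jcoffin points out, a match on the U/L bit only says "this address was not burned in by a vendor", not which device it is; the Raspberry Pi virtual interfaces in post #7 trigger it just like a phone does, so a block rule built on it needs to be paired with some other way of identifying the device.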

  8. #8
    Untanglit
    Join Date
    Jan 2022
    Posts
    22


    This is pretty far beyond my understanding, other than that you might be saying there is a way to match a random address based on some changing characteristic in part of the MAC address.

    If you figure out something, please let me know what Policy Manager rule might be used to identify those devices.
    Thanks.

  9. #9
    Untangler
    Join Date
    Sep 2019
    Posts
    57


    Yep, I am poking around with two approaches: one just blocks access through a block-all policy based on the random MAC address, and then has the kids' father "fix" the wireless profile on the Apple devices not to use a random MAC. The other would be a static captive portal page that says "fix your darn device; until then, no internet for you!".

  10. #10
    Untanglit
    Join Date
    Jan 2022
    Posts
    22


    This guy has a video that addresses a possible workaround. It was originally posted on another thread I have.
    https://www.youtube.com/watch?v=3g7wNFGn2rQ&t=4s

    I have no idea if this will work. Anybody have any ideas?
