Static Leases with Random MAC Addresses

Mobile Devices nowadays provide the means to randomize MAC Addresses.

IETF MADINAS MAC ADDRESS (SECTION 8.5)

Curious, does anyone have any suggestions on how to maintain the WiFi MAC address filter list when it comes to devices rolling their own MAC addresses every 12 hours (give or take a bit)?

No, but you can define a smaller dhcp ip range for those devices that randomize mac address so that they reside outside the normal static network IP range. Then statically assign all of your non-randomizing macs. By this point you will know what IP range your random mac devices will reside in. For my case I reserve a certain block of address space specifically for my static IP clients that resides outside my small dhcp pool, then I only allow a certain amount of non static DHCP clients to connect within the small dhcp pool.

Android allows disabling random MAC for a specific SSID.

So, my phone and tablet keep a static MAC in my home WLAN, while using random MACs elsewhere.

9 Likes

That feature is not secure and should not be used anyway. Anyone can just set their MAC to whatever, including approved ones once they figure some out (sniffing), and there is no way to block brute forcing either so they could just sit there and try random ones out of 281 trillion possibilities until one associates. And probably a lot less (16.7M per OUI) than that if they stick to known common prefixes (Intel, Dell, Apple...) and you haven't modified all your MACs to be outside of known/valid OUIs. But really since association happens before any crypto could even feasibly occur, your clients are barking out their MACs in the clear sometimes, at least a couple probes before it encrypts each time you roam away and back in. That's mainly why things randomize now so that you can't be tracked by MAC-breadcrumbs on random public wifis, and devices no longer attempt to associate with any unknown networks by default without user command.

1 Like

Thanks for the replies, it sounds like the only approach is to use DHCP for these devices, as accessing each device is not a feasible option. I was hoping for a standardization across the first 24-bits (i.e., 77:77:77:xx:yy:zz) or the last 24-bits to indicate that it was a device using randomization.

Could you tell us what you're trying to do?
To be more specific: For what reason is it important for you to have static DHCP leases?

If it's about blocking specific devices from using the wifi, maybe go for enterprise wifi and use different credentials (username+password) per device. This way you can just revoke a set of credentials and be done.

If it's about port forwarding, just require those devices to not jump MAC addresses. I don't think it's particularly reasonable to have a wifi device do privacy protection stuff by MAC switching and then counteract that by trying to assign a static IP address.

It's twofold: one is security, for which I guess the standard I would be looking at would be something like 802.1X, right?

The other reason was actually more of my OCD. With an enterprise solution, would it be possible to continue to satisfy this desire of static IP leasing via WPA3, which I'd assume would have to do with

If the device uses a consistent hostname, you can make DHCP reservations by hostname. Specify name and address and leave MAC unspecified.

3 Likes

Just switch to IPv6 only, use NAT64 at the router, and get rid of DHCP entirely :wink:

2 Likes

I like the hostname approach. That should work out nicely.

IPv6 only isn't a bad idea either...

Thanks for the suggestions, I think both could work but will most likely take the hostname approach.

For myself, I solved this issue in the following way:
Connect the device with the random MAC via DHCP, then find your device in /tmp/dhcp.leases:

1739735562 ce:4f:48:65:95:ac 192.168.1.238 NameOfMyDevice 01:ce:4f:48:65:95:ac

then open /etc/config/dhcp (or do it via the GUI) and write the required IP address:

config host
        option name 'NameOfMyDevice'
        option ip '192.168.1.202'
        option leasetime '10h'
        list tag 'NameOfMyDevice'
        option broadcast '0'

Restart service.
The IP address will be assigned based on the device name.
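The hostname-keyed reservation suggested earlier in the thread and the lease-file procedure in the post above can be scripted. The following is an added example, not code from the thread or from OpenWrt itself. It assumes the dnsmasq lease format `<expiry> <mac> <ip> <hostname> <client-id>` as shown in the post, that `uci` is used to edit `/etc/config/dhcp`, and it chooses its own UCI section name derived from the hostname. It also handles the failure mode raised in the next reply: dnsmasq records `*` in the hostname field when a client sends none, and such a lease cannot be pinned by name.

```sh
#!/bin/sh
# Added example: derive a hostname-keyed static lease (no MAC) for OpenWrt's
# dnsmasq from a line of /tmp/dhcp.leases. Section name and helper names are
# this example's own choices, not OpenWrt conventions.

# Constructed sample lease line, modelled on the one quoted in the thread.
SAMPLE_LEASE='1739735562 ce:4f:48:65:95:ac 192.168.1.238 NameOfMyDevice 01:ce:4f:48:65:95:ac'

# lease_hostname LINE: print the 4th field (the client-supplied hostname).
lease_hostname() {
  printf '%s\n' "$1" | awk '{print $4}'
}

# has_hostname LINE: succeed only if the lease carries a usable hostname.
# dnsmasq writes "*" when the client sent no hostname option (12).
has_hostname() {
  _name=$(lease_hostname "$1")
  [ -n "$_name" ] && [ "$_name" != "*" ]
}

# uci_section NAME: UCI section names allow only [A-Za-z0-9_]; map the rest to '_'.
uci_section() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_'
}

# static_lease_uci LINE IP [LEASETIME]: emit the uci commands that reserve IP
# for the hostname in LINE. No 'mac' option is set, so dnsmasq matches the
# reservation on the hostname the client announces, surviving MAC rotation.
static_lease_uci() {
  _line=$1; _ip=$2; _lease=${3:-10h}
  if ! has_hostname "$_line"; then
    echo "lease has no hostname; cannot pin it by name" >&2
    return 1
  fi
  _name=$(lease_hostname "$_line")
  _sec=$(uci_section "$_name")
  cat <<EOF
uci set dhcp.${_sec}=host
uci set dhcp.${_sec}.name='${_name}'
uci set dhcp.${_sec}.ip='${_ip}'
uci set dhcp.${_sec}.leasetime='${_lease}'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

# nameless_leases FILE: list leases that a hostname reservation can never match,
# so an admin can see which devices still need the randomization turned off.
nameless_leases() {
  awk '$4 == "*" {print $2, $3}' "$1"
}

# Usage: print the commands for the constructed sample (review before running).
static_lease_uci "$SAMPLE_LEASE" 192.168.1.202
```

Note that the match is on a client-supplied value: any client that announces the same hostname receives the reserved address, so this solves the addressing problem but, like a MAC filter, it is not an access control.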

What if the device doesn't send a hostname?

I have a small fleet of network devices for experiments, but they all have names. I don't know how to help.

1 Like