So when using BLUE you have to add Wifi devices as they connect to the network, I think this is default behaviour, at least I did nothing to change that.
You add the MAC address in the menu for this in
wiki.ipfire.org - Blue Access
But how do you solve MAC filtering when this anonymization of MAC addresses needs to be active, at least as recommended security measure… ? Is there any other way?
Ehm, never mind.
It is a per network setting. Connection to Wifi A can use hardware address while connection to Wifi B uses a randomized one.
I thought it was a global setting.
Answer in short: no.
You need some sort of identification. This is, in the Ethernet-based area (802.11 belongs to it), the MAC address.
If there is another unique id which can be used, the concept of security with MAC anonymization is useless, IMO.
This is also news related to this issue.
That was actually what spurred my question, after reviewing some of my settings for this.
Since Android, and Windows, also have this functionality, albeit perhaps without the issues depicted in the article, I found it necessary to check how this actually works.
I’ve always wondered about the same thing.
And not only an issue for Blue Access but also for Firewall Rules. How do I block something that is always changing?!?
Jon, it is a per-network setting in the device.
You never need to block what you do not want in, only allow what you recognize, but, as I understand it, once you let a device with a randomized MAC in, it will hold the same MAC for that network. It will not change again.
Device A on Network A will always show MAC A.
On Network B it will show MAC B.
On Network C it will show MAC C.
You should be able to verify this by looking at the MAC, as I did, on different connected networks and check if it changes from one connected session to the next.
Hmmm… I’ll have to check this out. It doesn’t sound right to me. I currently have 28 expired dynamic leases and if the above was true, then I would have much less.
I know if the second character from the left is e then that is a randomized MAC. And 13 of those expired dynamic leases are randomized MAC.
Anyway, time to experiment!
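A way to check the "second character" rule from the post above across a whole leases file, generalized to the full locally-administered bit (second hex digit 2, 6, A or E, not only E). This is an added example, not code from the thread or from IPFire; the lease records are constructed, and reading the real dhcpd.leases file is left to the caller.

```python
"""Classify MAC addresses in ISC dhcpd lease records as randomized
(locally administered) or hardware (universally administered)."""
import re
from collections import Counter

# One "lease <ip> { ... }" block per match; lease files are not nested.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the
    second hex digit is 2, 6, A or E. OS MAC randomization sets this bit;
    a burned-in hardware address normally has it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text: str) -> list[tuple[str, str]]:
    """Return (ip, mac) pairs for every lease block carrying a hardware line."""
    pairs = []
    for block in LEASE_RE.finditer(text):
        ip, body = block.group(1), block.group(2)
        hw = MAC_RE.search(body)
        if hw:
            pairs.append((ip, hw.group(1).lower()))
    return pairs


def classify(text: str) -> Counter:
    """Count hardware vs randomized MACs over all lease records in text."""
    counts = Counter()
    for _, mac in parse_leases(text):
        counts["randomized" if is_locally_administered(mac) else "hardware"] += 1
    return counts


# Constructed sample: one hardware MAC (3c...) and two randomized ones (5e..., da...).
SAMPLE_LEASES = """\
lease 192.168.2.10 {
  starts 1 2024/01/01 10:00:00;
  hardware ethernet 3c:22:fb:12:34:56;
}
lease 192.168.2.11 {
  hardware ethernet 5e:1a:bc:de:f0:01;
}
lease 192.168.2.12 {
  hardware ethernet da:ab:cd:ef:01:02;
}
"""

if __name__ == "__main__":
    for ip, mac in parse_leases(SAMPLE_LEASES):
        print(ip, mac, "randomized" if is_locally_administered(mac) else "hardware")
    print(dict(classify(SAMPLE_LEASES)))
```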
This is so cool - it does stay the same! I learned LOTs of new stuff today!
@jon , could you please specify the source of your table.
This could be an interesting information for the wiki.
I do not know anything about the website or the info. in other words I did not confirm my sources…
Thank you very much for verifying and providing some docs to support and inform about it.
@bbitsch Yes, absolutely to the wiki. I am sure it may help others when pondering the same questions.
What a great Monday morning reading about this…!
BTW Arista is a major actor in networking and Firewall products in the US, among other places…
They even have their own OS for appliances and I was pondering signing up for them before I found IPFire.
The complete table contains a row “SSID Profile Forget and Reconnection”, which shows a significant difference between smartphone OSs and Windows. Windows generates a new MAC!
Therefore using the feature with mobile devices may be OK, but beware of using it with Windows clients.
Thanks for pointing that out.
That would only become an issue if people clean/forget their Wifi connections periodically, or if a GPO or similar policy is in place to do that.
Other than that particular circumstance I see no reason for concern.