Cisco Bug: CSCvv71694 - IOS 14 and Android 10 Mac randomization may disrupt BYOD, profiler, and MDM flows

Last Modified

Oct 08, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

2.6(0.907) 2.7(0.902) 3.1

Description (partial)

Symptom:
Cisco Identity Services Engine (ISE) services that use MAC address lookup might fail with Android 10 and Apple iOS 14 devices due to the use of MAC address randomization on the mobile client devices, which could result in unexpected network connectivity disruption for these devices.


MAC address randomization impacts these ISE services that rely on mapping of a single MAC address for a given device:

Bring Your Own Device (BYOD) - The MAC address the client presents at the time of BYOD onboarding is embedded in the certificate that ISE issues to the client. A dual-SSID flow that authorizes on a MAC-in-SAN or BYOD_is_Registered condition will therefore fail, because the device uses one random MAC address on the onboarding SSID and a different one on the secured SSID, so the MAC in the certificate never matches the MAC in the RADIUS request. The same failure affects single-SSID flows on devices upgraded from an earlier iOS release to iOS 14, because the upgrade enables MAC address randomization on every saved SSID, including the one the device was onboarded on. Single-SSID flows on devices upgraded to Android 10 are unaffected, because Android leaves previously saved SSIDs without randomization.

Profiling - Certain profiling policies rely on vendor Organizationally Unique Identifiers (OUIs), which will no longer match. A randomized MAC address sets the locally administered bit in its first octet, so its first three octets are not a vendor-assigned OUI and cannot be mapped to a specific manufacturer.

Mobile Device Management (MDM) - MAC address lookups against MDM providers will fail, because the MAC address ISE learned from RADIUS is a random address that applies only to the specific SSID the device connected to, not the address the MDM server holds for the device.

ISE Endpoint DB - The endpoint database will grow over time as random MAC addresses populate it, since each new random address is learned as a distinct endpoint. ISE is limited to 2.5 million endpoints in the database in a fully distributed deployment. If this limit is exceeded, ISE system performance might be affected.
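The checks behind the profiling, BYOD and endpoint-database points above can be reproduced offline. The following Python is an added example and not Cisco or ISE code: it classifies a MAC address as vendor-assigned or randomized from the locally administered bit, performs the MAC-in-SAN comparison a BYOD authorization condition makes, and summarizes a set of RADIUS sessions to show how many endpoint identities a randomizing device creates. The OUI table, the session records, the user names and the SSID names are constructed for the example and are not from the bug report.

```python
"""Classify MAC addresses seen by a RADIUS/NAC server as vendor-assigned or
randomized and flag the failures MAC randomization causes for OUI profiling,
MAC-in-SAN BYOD authorization and endpoint-database growth.
Added example, not Cisco/ISE code.  The OUI table and session records below
are constructed for the example."""
import re
from collections import Counter, defaultdict

# Constructed subset of an OUI table (assumption: a real deployment would load
# the IEEE registry).  Keys are the first three octets, upper-case, no separators.
OUI_VENDORS = {
    "3C22FB": "Apple, Inc.",
    "F8E61A": "Samsung Electronics",
}


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 upper-case hex digits regardless of input form.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF (the Calling-Station-Id form
    ISE logs), aabb.ccdd.eeff (Cisco IOS form) and bare hex.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_randomized(mac: str) -> bool:
    """True when the locally administered (U/L) bit is set on a unicast address.

    Android 10 and iOS 14 private addresses set bit 1 of the first octet, so the
    leading three octets are not a vendor OUI and OUI-based profiling cannot match.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def oui_vendor(mac: str):
    """Vendor name for a vendor-assigned MAC, or None when OUI profiling cannot match."""
    if is_randomized(mac):
        return None
    return OUI_VENDORS.get(normalize_mac(mac)[:6])


def mac_in_san_matches(cert_san_mac: str, calling_station_id: str) -> bool:
    """The comparison a MAC-in-SAN authorization condition makes: is the MAC
    embedded in the BYOD certificate the MAC the RADIUS request came from?
    With per-SSID randomization this is false on the secured SSID."""
    return normalize_mac(cert_san_mac) == normalize_mac(calling_station_id)


def audit_sessions(sessions):
    """Summarize RADIUS sessions (dicts with user, ssid, mac).

    Returns per-SSID counts of randomized addresses, the number of distinct
    endpoints the endpoint database would hold, and the users whose MAC differs
    across SSIDs (the dual-SSID BYOD failure case).
    """
    randomized_per_ssid = Counter()
    macs_per_user = defaultdict(set)
    endpoints = set()
    for s in sessions:
        mac = normalize_mac(s["mac"])
        endpoints.add(mac)
        macs_per_user[s["user"]].add(mac)
        if is_randomized(mac):
            randomized_per_ssid[s["ssid"]] += 1
    multi_mac_users = sorted(u for u, m in macs_per_user.items() if len(m) > 1)
    return {
        "randomized_per_ssid": dict(randomized_per_ssid),
        "endpoint_count": len(endpoints),
        "users_with_multiple_macs": multi_mac_users,
    }


# Constructed sample: one iOS 14 device using a different private address on
# the onboarding and secured SSIDs, and one device with a vendor-assigned MAC.
SAMPLE_SESSIONS = [
    {"user": "alice", "ssid": "BYOD-Onboard", "mac": "DA-1B-2C-3D-4E-5F"},
    {"user": "alice", "ssid": "Corp-Secure", "mac": "6E-7F-80-91-A2-B3"},
    {"user": "bob", "ssid": "Corp-Secure", "mac": "3c22.fb01.0203"},
]

if __name__ == "__main__":
    print(audit_sessions(SAMPLE_SESSIONS))
    print(mac_in_san_matches("da:1b:2c:3d:4e:5f", SAMPLE_SESSIONS[1]["mac"]))
```

Run against an ISE endpoint export or RADIUS accounting log, the `randomized_per_ssid` count shows how quickly the endpoint database is filling with random addresses, and `users_with_multiple_macs` lists the devices whose MAC-in-SAN or BYOD_is_Registered authorization will fail on the secured SSID.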

Conditions:
Google Android 10

  • Randomization is enabled by default.
  • When a user upgrades from a previous version of Android to Android 10, the saved Service Set Identifiers (SSIDs) stay configured without randomization.
  • Randomization can be set up per network profile (SSID).
  • Once a random MAC address is used for a given network profile, the mobile device continues to use the same random MAC address even after the user deletes the network profile and recreates the SSID/network profile.
  • For more information on Android MAC randomization, see Privacy: MAC Randomization.


Apple iOS 14, iPadOS 14, watchOS 7

  • Randomization is enabled by default.
  • When a user upgrades from a previous version of iOS to iOS 14, randomization is enabled for all of the existing SSIDs.
  • Randomization can be set up per network profile (SSID).
  • Once a random MAC address is used for a given network profile, the mobile device continues to use the same random MAC address even after the user deletes the network profile and recreates the SSID/network profile.
  • For more information on iOS MAC randomization, see Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7.