Random MAC addresses

A random MAC address is a locally administered hardware address that
- is generated by a device (instead of assigned by the manufacturer),
- helps protect user privacy by making device tracking more difficult, and
- can be permitted or denied on wireless networks through controller settings.
Random MAC address denial
Wireless clients traditionally associate with a network using the manufacturer-assigned, globally unique MAC address (the burned-in address). To improve privacy, devices may instead use locally administered, random MAC addresses for Wi-Fi operations. Network administrators can deny network access to such clients using this feature.

Beginning with Cisco IOS XE 17.5.1, wireless controllers can block clients that use random MAC addresses through the local-admin-mac deny feature. The feature is disabled by default.
Note: This feature is not supported on Cisco Wave 1 access points.
Example: Denying Random MAC Address Clients
When the local-admin-mac deny knob is enabled on the controller, a client that attempts to join the network with a random MAC address is rejected. This keeps unauthorized or untraceable devices off the wireless network.

For example, a phone may use a new random MAC address each time it joins a public Wi-Fi network, which prevents tracking of the device by the Wi-Fi infrastructure or by third parties.
Configure random MAC address denial (CLI)
To prevent devices that use random MAC addresses from associating with your WLAN, enable the random MAC address denial feature on the wireless controller through the CLI by following these steps.
Procedure

Step 1: Enter global configuration mode.

Step 2: Configure the WLAN policy profile.

Step 3: Shut down the WLAN.

Step 4: Enable the random MAC address deny knob. Use the no form of this command to disable the feature.

Step 5: Enable the WLAN.

Step 6: Save the configuration, exit configuration mode, and return to privileged EXEC mode.

Devices using randomized MAC addresses are prevented from joining the specified wireless SSID.
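The steps above as one complete CLI session, followed by the verification commands that this page documents. This is an added example, not a transcript from the Cisco documentation: the WLAN profile name guest-laa, WLAN ID 8, SSID Guest and the client MAC 0a1b.2c3d.4e5f are constructed placeholders, and the per-step commands (configure terminal, wlan, shutdown, no shutdown, end) are assumed from standard IOS XE WLAN configuration; only the local-admin-mac deny keyword appears on the page itself.

```cisco
! Added example: deny clients that use random (locally administered) MAC
! addresses on a single WLAN. Profile name, WLAN ID and SSID are placeholders.
Device# configure terminal
Device(config)# wlan guest-laa 8 Guest
Device(config-wlan)# shutdown
Device(config-wlan)# local-admin-mac deny
Device(config-wlan)# no shutdown
Device(config-wlan)# end

! Verify that the knob is enabled on the WLAN.
Device# show wlan name guest-laa | begin locally

! Verify how a given client address is classified (constructed MAC;
! its first octet 0x0a has the locally administered bit set).
Device# show wireless client mac-address 0a1b.2c3d.4e5f detail | include MAC Type

! Count locally administered clients across the system.
Device# show wireless stats client detail | include Locally Administered

! To revert, use the no form of the command on the same WLAN.
Device# configure terminal
Device(config)# wlan guest-laa 8 Guest
Device(config-wlan)# no local-admin-mac deny
Device(config-wlan)# end
```

The WLAN is shut down before the knob is toggled, as the procedure requires, so associated clients are re-evaluated against the new policy when the WLAN comes back up. When reading the Client MAC Type field yourself, a locally administered address is one whose first octet has the U/L bit (value 0x02) set, so its second hex digit is 2, 6, A or E; the page's 72xx.38xx.2axx client is locally administered for exactly that reason.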
Verify denial of clients with a random MAC address
To verify the denial of a client with a random MAC address, run the show wlan name wlan-profile-name | begin locally command:
```
Device# show wlan name laa | begin locally
Locally Administered Address Configuration
Deny LAA clients : Enabled
```
To verify whether a client address is a random MAC address, run the show wireless client mac-address MAC-address detail command and check the Client MAC Type field:
```
Device# show wireless client mac-address 72xx.38xx.2axx detail
Client MAC Address : 72xx.38xx.2axx
Client MAC Type : Locally Administered Address
Client IPv4 Address : 192.0.2.1
Client IPv6 Addresses : 2001:DB8::71xx:27xx:a7xx:efxx
Client Username : 72xx.38xx.2axx
```
To verify how many random MAC clients are present in the system, run the show wireless stats client detail command:
```
Device# show wireless stats client detail
Client Summary
-----------------------------
Current Clients : 1
Excluded Clients: 0
Disabled Clients: 0
Foreign Clients : 0
Anchor Clients : 0
Local Clients : 1
Idle Clients : 0
Locally Administered MAC Clients: 1
```

To view the same count for a single WLAN, run the show wlan id wlan-id client stats command:

```
Device# show wlan id 8 client stats
Wlan Profile Name: wlan-profile, Wlan Id: 8
Current client state statistics:
-----------------------------------------------------------------------------
Authenticating : 0
Mobility : 0
IP Learn : 0
WebAuth Pending : 0
Run : 1
Locally Administered MAC Clients : 1
```
Note: Run the show configuration wlan wlan-name command on an AP to view the status of the locally administered address (LAA) setting on the WLAN.