Alan, agreed on the MAC randomization problem. Is there any existing
standard or proposal for network deployments where the Network Access
Control server needs to track a device with a randomized MAC moving between
intranet SSIDs?

About the usage of the physical MAC address: maybe some client systems will
not have access to the physical MAC but only to a randomized MAC.

Regards,
Oleg

On Mon, Jun 28, 2021 at 4:21 PM Alan DeKok <al...@deployingradius.com>
wrote:

>   One thing missing in the current document is how to address the modern
> issue of MAC address randomization.
>
>   i.e. admins would like to ensure that only certain devices access the
> network.  But with MAC address randomization, it's difficult to have a
> static device identifier.  Even client certificates can be installed on
> multiple machines, if they're just sent to the user.
>
>   Would it be worth adding a note that systems SHOULD implement RFC 6677
> channel bindings to address this issue?  And that the Calling-Station-Id
> inside of the channel bindings MUST be the actual physical MAC, and not the
> public / randomized MAC?
>
>   I've seen this problem more and more in customer deployments.  It's
> becoming a serious security issue.
>
>   Alan DeKok.
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>