There’s an endpoint cleanup interval configuration in cluster-wide parameters, although I’d recommend reaching out to someone at Aruba (or your NAC provider) to ask how they recommend dealing with some of these new changes.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, July 14, 2020 at 12:31
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

For those of us using ClearPass to authenticate users to eduroam, does this mean that every iOS device will get registered as a new endpoint every day? For others, does your NAC store a client's MAC persistently? I'm assuming that the answer to both is yes. How can we plan for the impact of that on our databases? Should we delete all iOS and Android devices after 48 hours? Am I missing something obvious?

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College

On Fri, Jul 10, 2020 at 4:37 PM Enfield, Chuck <cae...@psu.edu> wrote:

PS – My plan for supporting our guest network will be to tell any user who contacts us with an Apple device that the network is fine and they should contact Apple for device support. I can’t get away with that for our enterprise network, but Apple is going to own the guest problem.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Enfield, Chuck
Sent: Friday, July 10, 2020 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

My point wasn’t to debate Passpoint either. I’m wondering if Apple actually has a plan, and if so, if they’ve bothered to tell anybody.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Passpoint is not just about mobile network operators. Any identity provider can provision a Passpoint profile. That is the whole drive behind OpenRoaming. The industry goal is that every user has at least 2 Passpoint profiles on their devices: one tied to their enterprise/school identity and the other tied to a personal identity. The traditional enterprise/school onboarding process stays largely the same, except some additional Passpoint logic is added. Mobile network operators / cell providers are only one (optional) piece of the puzzle.

Probably should start a separate thread for anything deeper on Passpoint beyond it being a solution for network access. Don’t want to take away from the OG conversation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 10, 2020 at 16:17
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Understood, but few Wi-Fi operators actually support Passpoint on their networks. Since Apple is eliminating the alternatives, they either must be idiots (my bet) or have a proposal for what we should all be doing instead. I still get really confused looks when I try to discuss Passpoint with my contacts at the major cellular providers, so it can’t possibly be a realistic option for most of us.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Friday, July 10, 2020 4:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

Not sure I follow. Passpoint is an industry-wide solution for secure Wi-Fi roaming.
Passpoint has been supported on iOS and macOS (along with Windows and Android) for a number of years. I definitely don’t follow this comment: “you can’t onboard your Apple to enable identity-based auth.”

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 10, 2020 at 16:04
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

So you can’t use an Apple MAC address for guest auth, and you can’t onboard your Apple to enable identity-based auth. Apple must be thinking that they can drag the entire world, kicking and screaming, into federated authentication that Apple products ship knowing how to do (Passpoint, openroaming, etc.). Do they have a proposal for this that I missed?

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Rios, Hector J
Sent: Friday, July 10, 2020 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MAC Randomization, a step further...

Apple is moving forward with their privacy efforts. The next step is to randomize MAC addresses when connecting to an AP, not just when probing. This is coming soon.

https://globalreachtech.com/blog-mac-randomisation-apple/

This is from Apple. Luckily, there is a way to disable private addresses. I just don’t know if it will be ON by default.

https://support.apple.com/en-qa/HT211227

Happy Friday!

Hector Rios, Wireless Network Architect
The University of Texas at Austin

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
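
On the question raised in the thread about planning for endpoint database growth: the following is an added example, not part of the original messages and not ClearPass configuration. It flags endpoint MACs whose locally administered (U/L) bit is set, as private Wi-Fi addresses have, and applies a shorter retention window to them. The record layout, the sample addresses and the 30-day window are assumptions; the 48-hour window is the figure floated in the thread.

```python
import re
from datetime import datetime, timedelta

def normalize(mac: str) -> str:
    """Strip separators (':', '-', '.') and lower-case; reject malformed input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def is_locally_administered(mac: str) -> bool:
    """True for a unicast address with the U/L bit (0x02, first octet) set.
    Private/randomized Wi-Fi addresses set this bit, but so do some manually
    assigned and virtual-interface MACs, so treat it as a strong hint only."""
    first = int(normalize(mac)[:2], 16)
    return bool(first & 0x02) and not first & 0x01

def plan_cleanup(endpoints, now, randomized_ttl, burned_in_ttl):
    """Return (macs_to_purge, randomized_count) for (mac, last_seen) records."""
    purge, randomized = [], 0
    for mac, last_seen in endpoints:
        local = is_locally_administered(mac)
        randomized += local
        ttl = randomized_ttl if local else burned_in_ttl
        if now - last_seen > ttl:
            purge.append(normalize(mac))
    return purge, randomized

# Constructed sample export: hypothetical layout and made-up addresses.
SAMPLE = [
    ("3C:22:FB:10:20:30", datetime(2020, 7, 1, 9, 0)),     # burned-in, recent enough
    ("DA:A1:19:00:11:22", datetime(2020, 7, 10, 9, 0)),    # randomized, stale
    ("f2-4b-7c-aa-bb-cc", datetime(2020, 7, 14, 8, 0)),    # randomized, seen today
    ("a65e.6012.3456",    datetime(2020, 7, 12, 11, 59)),  # randomized, just over 48 h
    ("00:1A:2B:3C:4D:5E", datetime(2020, 5, 1, 9, 0)),     # burned-in, stale
]
NOW = datetime(2020, 7, 14, 12, 0)

if __name__ == "__main__":
    purge, randomized = plan_cleanup(
        SAMPLE, NOW, timedelta(hours=48), timedelta(days=30))
    print(f"{randomized} of {len(SAMPLE)} endpoints look randomized")
    print("purge candidates:", ", ".join(purge))
```

Running the same count over successive daily exports shows how fast locally administered entries accumulate, which is the number to bring to the NAC vendor when asking about cleanup intervals.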