Just a Friday afternoon update ... I upgraded to Beta 4, and noticed that I was back to my physical MAC address. This was also the case when I first went from iOS 13 to Beta 3, it took a few days to start randomizing my address. I’ll keep an eye on things over the next few days and let you know what I find out.
Norman On Thu, Aug 6, 2020 at 8:05 PM Turner, Ryan H <rhtur...@email.unc.edu> wrote: > Are you referring to the serial? Would Chad be willing to post his ulang > for thr freeRadius config? > > Ryan Turner > Head of Networking, ITS > The University of North Carolina at Chapel Hill > +1 919 274 7926 Mobile > +1 919 445 0113 Office > > On Aug 6, 2020, at 5:02 PM, Philippe Hanset < > 0000005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote: > > About EAP-TLS blocking ... > > You do not need to revoke a cert (too painful indeed for operator and > user). Chad wrote a hook for the Anyroam service that identifies the > certificate’s fingerprint. So If a device misbehaves, you can just block > the device via the certificate’s fingerprint. With one certificate per > device, you end up with the same as a SIM card (or the good ol MAC address > :) > > Philippe Hanset, CEO > ANYROAM LLC > www.anyroam.net > www.eduroam.us > +1 (865) 236-0770 > > On Aug 6, 2020, at 11:29 AM, Turner, Ryan H <rhtur...@email.unc.edu> > wrote: > > > > The other issue comes in with blocking devices. On open networks/PSK > networks, this will make isolating bad devices really difficult. We have > relied on MAC address blocks for over a decade. They work very well. Yes, > you can get a determined individual that can get past/change their MAC > address. But that is going to be a tiny fraction of cases, and MAC > blocking is an effective way of blocking a bad device. > > > > We require registration for our PSK network. So the private MAC addresses > will be blocked effectively there. But we haven’t required registration on > eduroam (our primary), because we have identity in the certificate. We > chose not to use OCSP (but we can), but if we revoke a cert, we have to > also block the user from getting another certificate (2 steps, instead of > one, which is why we have stayed with MAC blocking). We could require > folks to register for eduroam, but that is such a nasty thing to do to the > users. Grrrrr. Not an easy fix. > > > > Ryan > > > > *From:* The EDUCAUSE Wireless Issues Community Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Enfield, Chuck > *Sent:* Thursday, August 6, 2020 11:14 AM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further... > > > > I’ll also add that identity is what makes a private network private. Yes, > you can check identity at connection time then throw it away and still > remain private, but that’s never been an option for us when designing > services with our risk, legal and info security departments. > > > > *From:* The EDUCAUSE Wireless Issues Community Group Listserv < > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Julian Y Koh > *Sent:* Thursday, August 06, 2020 10:59 AM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further... > > > > On Aug 6, 2020, at 09:51, Enfield, Chuck <cae...@psu.edu> wrote: > > > > How can we fulfill DMCA requirements when we can’t even identify a device, > let alone the user? If you want to remain anonymous, use a different > network. > > > > IANAL, and I don’t even play one on TV, but my admittedly old > understanding of the DMCA is that it’s not necessarily mandating that you > have to be able to identify every single device on your network. Indeed, > some institutions’ responses to DMCA notices has been that they don’t have > the necessary information to be able to take action. So IMO, assuming > (which is dangerous) that I’m correct, that if MAC randomization puts an > undue burden and/or large obstacles on your ability to track down a > device/user and cut it off from the network, the DMCA alone shouldn’t be > seen as a mandate to try to disable MAC randomization. > > > -- > > Julian Y. Koh > > Associate Director, Telecommunications and Network Services > > Northwestern Information Technology > > <https://www.google.com/maps/search/2020+Ridge+Avenue+%23331+%0D%0A+%0D%0A+%0D%0A+Evanston,+IL+60208?entry=gmail&source=g> > > <https://www.google.com/maps/search/2020+Ridge+Avenue+%23331+%0D%0A+%0D%0A+%0D%0A+Evanston,+IL+60208?entry=gmail&source=g> > > > > <https://www.google.com/maps/search/2020+Ridge+Avenue+%23331+%0D%0A+%0D%0A+%0D%0A+Evanston,+IL+60208?entry=gmail&source=g> > > 2020 Ridge Avenue #331 > <https://www.google.com/maps/search/2020+Ridge+Avenue+%23331+%0D%0A+%0D%0A+%0D%0A+Evanston,+IL+60208?entry=gmail&source=g> > > Evanston, IL 60208 > <https://www.google.com/maps/search/2020+Ridge+Avenue+%23331+%0D%0A+%0D%0A+%0D%0A+Evanston,+IL+60208?entry=gmail&source=g> > > +1-847-467-5780 > > Northwestern IT Web Site: <http://www.it.northwestern.edu/ > <https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.it.northwestern.edu%2F&data=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705623251&sdata=TnloADAw118uF8UF0WBRnfqL0fOJNgfjLMjQMtrTFKw%3D&reserved=0> > > > > PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html > <https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbt.ittns.northwestern.edu%2Fjulian%2Fpgppubkey.html&data=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705623251&sdata=YGp3QvGhzeuy4IA3ZXzhXNJlUJnQ%2FN%2Fl1Nk5tIQSakg%3D&reserved=0> > > > > > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > <https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccae104%40PSU.EDU%7Cbb94cb7e13a643e92b3c08d83a19517d%7C7cf48d453ddb4389a9c1c115526eb52e%7C0%7C0%7C637323227705633208&sdata=jm59TBi7zaabxgoDYBcnnb6P5feRwtGIEIMnZOaDazM%3D&reserved=0> > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
