Description
Devices with the MAC randomization feature enabled are forced to re-register unexpectedly or are unable to register.
Once an endpoint connects to the network, its MAC address is learned and stored in the appliance database. Because the appliance keeps track of devices based on their MAC address, MAC randomization features present two issues:
- If the MAC address of a registered device changes, the appliance has no knowledge of the new MAC address and considers it a Rogue. This causes unexpected isolation of devices, forcing re-registration. The exception to this behavior is devices with the Persistent Agent installed.
- Devices using a private (randomized) MAC address, such as Android devices with Wi-Fi MAC randomization enabled, are not able to register. The appliance verifies whether the OUI of the device's MAC address is listed in the IEEE database. A randomized MAC is a locally administered address, so its OUI is not listed; the MAC address is considered invalid and the device cannot register. This function is called the "valid MAC address check" and is enabled by default.
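The two behaviors described above, as an added example that is not part of this article and not the appliance's own code: a small Python model of the MAC-keyed host lookup and of the valid MAC address check. The OUI table is a constructed three-entry sample standing in for the IEEE registry, and all function and variable names are the example's own. The U/L-bit test goes slightly beyond the article's wording: randomized MACs generated by Android and iOS are locally administered addresses (bit 1 of the first octet set), which is exactly why their OUI never appears in the IEEE database.

```python
import re

# Constructed sample of IEEE OUI registrations (first three octets -> vendor).
# A real check would use the full IEEE MA-L registry; these entries are
# illustrative only.
SAMPLE_OUI_REGISTRY = {
    "00:50:56": "VMware",
    "00:0C:29": "VMware",
    "00:1B:63": "Apple",
}


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 uppercase hex digits; reject anything malformed."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def oui_of(mac: str) -> str:
    """First three octets in colon notation, e.g. '00:50:56'."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 6, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized (private) MACs generated by Android and iOS set this bit,
    so their first three octets can never match an IEEE-registered OUI.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def valid_mac_check(mac: str, registry=SAMPLE_OUI_REGISTRY) -> tuple[bool, str]:
    """Model of the appliance's default 'valid MAC address check'.

    Passes only when the OUI is found in the registry. Returns
    (passes, reason) so the caller can tell a randomized MAC from a
    merely unknown vendor.
    """
    oui = oui_of(mac)
    if oui in registry:
        return True, f"OUI {oui} registered to {registry[oui]}"
    if is_locally_administered(mac):
        return False, f"OUI {oui} not registered; U/L bit set (randomized/private MAC)"
    return False, f"OUI {oui} not in registry"


def classify_endpoint(mac: str, registered_hosts: dict[str, str],
                      valid_mac_check_enabled: bool = True) -> str:
    """Decide how the appliance treats a MAC it sees on the network.

    registered_hosts maps normalized MAC -> owner and stands in for the
    appliance database. Returns one of:
      'registered'        known MAC, owner already on file
      'rogue'             unknown MAC, user must (re-)register
      'cannot-register'   unknown MAC that fails the valid MAC address check
    """
    key = normalize_mac(mac)
    if key in registered_hosts:
        return "registered"
    if valid_mac_check_enabled and not valid_mac_check(mac)[0]:
        return "cannot-register"
    return "rogue"


if __name__ == "__main__":
    # Constructed scenario: a phone registered with its hardware MAC, then
    # reconnecting with a per-SSID randomized MAC.
    db = {normalize_mac("00:1B:63:11:22:33"): "alice"}
    hardware_mac = "00:1B:63:11:22:33"
    randomized_mac = "DA:A1:19:00:11:22"   # U/L bit set in 0xDA
    for mac in (hardware_mac, randomized_mac):
        print(mac, "->", classify_endpoint(mac, db), "|", valid_mac_check(mac)[1])
    # With the check disabled (see Options 2 and 3), the randomized MAC is
    # a Rogue that can still be registered rather than being rejected outright.
    print(randomized_mac, "check disabled ->",
          classify_endpoint(randomized_mac, db, valid_mac_check_enabled=False))
```

Run as-is, the hardware MAC classifies as registered, the randomized MAC as cannot-register while the check is enabled, and as rogue once it is disabled; that is the difference between the second issue (device cannot register at all) and the first (device is isolated and must re-register).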
Scope
Version: 8.x
Solution
Option 1 (recommended): Disable MAC randomization on the host. The Captive Portal content can be modified to notify the user of this requirement.
iOS 14, iPadOS 14, and watchOS 7
For instructions see
Available in 8.8.2 (ID 665244): Disable by applying a supplicant configuration to the device. For instructions see Cookbook recipe Disable iOS MAC Randomization.
Android (Android 10 (Q): MAC addresses are randomized per SSID and are persistent)
For more info on this feature see https://source.android.com/devices/tech/connect/wifi-mac-randomization
Disable MAC Address Randomization (Android 10 instructions):
Open the Settings app.
Select Network and Internet.
Select Wi-Fi.
Connect to the wireless network.
Tap the gear icon next to the current Wi-Fi connection.
Select Advanced.
Select Privacy.
Select "Use device MAC".
The remaining options apply when the MAC randomization feature cannot be disabled on a device.
Option 2: Re-register each time the MAC address changes and the device is isolated. How often this occurs depends on the frequency of the MAC address change.
Note:
- This could cause issues with sites that limit how many devices can be registered to a single user. See section Allowed Hosts in the Administration Guide.
- Disable the valid MAC address check to allow devices with private MAC addresses to register. Contact Support for assistance and reference KB FD49876.
- If using Host Inventory or Game Device registration, the Vendor OUI validation option must be disabled in the portal pages.
- This configuration is not persistent through software upgrades.
Option 3: Add a device profiling rule to auto-register. For instructions, refer to the Configuration section of the Device Profiler Configuration reference manual in the Fortinet Document Library.
Note:
- This option does not register devices to a User and does not require the user to authenticate with the appliance.
- For adapter/host record management, use the Add to a Group option in the Device Profiling rule to add the device to a specific group with a lowered inactivity expiration. To set expiration timers for a group, see section Modify a group in the Administration Guide.
- Disable the valid MAC address check to allow devices with private MAC addresses to register. Contact Support for assistance and reference KB FD49876.
- If using Host Inventory or Game Device registration, the Vendor OUI validation option must be disabled in the portal pages.
- This configuration is not persistent through software upgrades.
Related Articles
Technical Note: Disable valid MAC address check - Internal