PRIVATE ADDRESS on Apple Devices x Mikrotik-based Hotspots

As some may know, Apple and Android devices have the random MAC (or, as it is known, PRIVATE ADDRESS) function enabled by default. This has caused several problems in my company, which manages hotspots for several clients that have Mikrotik as their router.
I have not found, here or anywhere on the internet, a solution other than to manually disable the Private Address function on Apple Devices.
With that in mind, I ask: has anyone here already managed to solve this problem so that it is not necessary to inform the customer that he needs to disable this function on his iPhone or Android?
An article addressing the subject of random MAC:
https://wifinowglobal.com/news-and-blog/new-private-wi-fi-address-iphone-feature-could-severely-impact-the-wi-fi-industry-expert-says/

This is really a problem which is not solvable if the device deliberately changes its identity between connections. The only solution here is that the device user must re-login every time the connection is made… possibly every time it wakes from sleep. However, the current implementation seems to be reasonable: the MAC address is randomized only once per given SSID, so after the user logs in to the hotspot they can be identified. This makes sense, as MAC randomization aims to prevent cross-network tracking rather than intra-network tracing.

Cisco prepared a nice document regarding this: https://www.cisco.com/c/dam/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/tech_notes/Cisco_DNA_Center_Randomized_MAC_QA.pdf (and it’s free without any additional licenses… what a steal! ;))


My take on this is: stop using MACs to identify clients. They should never be used for such a purpose. Marrying the device MAC to a user has been an annoyance since the early days of Ethernet and was easily circumvented. Unless I’m missing something, if you’re using WPA2/3-Ent or a login portal nothing really changes, as you authenticate the user based on credentials rather than the device the user uses. One of my universities had a rule stating that all students need to register their new devices before they join the network… on top of WPA-Ent tied to SSO. Well, they recently dropped that nonsense, with just WPA-Ent SSO left in place.
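As an added example (not code from any poster in this thread): a small Python check of the IEEE U/L bit that tells a hotspot operator which client MACs in an IP-binding or bypass list are locally administered, the kind of address iOS/Android private addressing produces, and therefore unreliable as a long-term identity. The sample addresses are constructed, not real devices.

```python
import re

# Accept the common notations: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
)


def parse_mac(mac: str) -> bytes:
    """Return the six raw bytes of a MAC address written in any common notation."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    IEEE 802 reserves that bit for addresses not assigned from a vendor OUI.
    Private/randomized addresses on phones set it, so a set bit is a strong
    hint that the address may change and should not anchor a user identity.
    """
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    """Coarse category of a MAC: multicast, locally-administered or globally-unique."""
    first = parse_mac(mac)[0]
    if first & 0x01:          # I/G bit: group (multicast) address, never a station
        return "multicast"
    if first & 0x02:          # U/L bit: locally administered (randomized candidate)
        return "locally-administered"
    return "globally-unique"  # vendor-assigned, stable for the life of the NIC


def audit_bypass_list(entries):
    """Return the entries of a MAC-based allow/bypass list that are locally
    administered; these will silently stop matching once the device rotates."""
    return [m for m in entries if is_locally_administered(m)]


# Constructed sample of a hotspot bypass list (not real devices).
SAMPLE_BYPASS = [
    "00:1A:2B:3C:4D:5E",  # vendor-assigned address, U/L bit clear
    "DA:A1:19:22:33:44",  # 0xDA has bit 1 set: typical of a private address
    "02:00:00:12:34:56",  # classic "02:" locally administered prefix
    "f4-5c-89-ab-cd-ef",  # hyphen notation, vendor-assigned
]

if __name__ == "__main__":
    for m in SAMPLE_BYPASS:
        print(f"{m:20} {classify(m)}")
    print("unreliable entries:", audit_bypass_list(SAMPLE_BYPASS))
```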