adrigo85
just joined
Topic Author
Posts: 1
Joined: Mon Apr 19, 2021 3:40 pm

Problem with Userman and Apple devices

Tue Apr 27, 2021 1:52 pm

Hi

We have deployed a hotspot with user radius in userman.

We have a lot of Apple devices.

At the beginning of the morning the users log on to userman and they have the possibility of connecting 3 devices. When they go out of the building and come back in half an hour, users with non-Apple devices log in automatically, and users with Apple devices have to enter user & password again.

Could someone help us??
Thanks a lot!
 
toxicfusion
Member Candidate
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: Problem with Userman and Apple devices

Sat Jul 03, 2021 6:58 am

Hi,

This could be due to Apple iOS 15 wireless security "feature" being enabled by default.

Settings >> Wireless >> wireless privacy. Disable.

Unsure if this is the real issue, however it could be. The Apple device will generate a RANDOM MAC address for each new wireless network. "Privacy & Anti-spoofing" per Apple. /eye roll.

Otherwise, you can adjust your userman - user profile settings for how many MAC addresses per user account...
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Problem with Userman and Apple devices

Sat Jul 03, 2021 11:34 am

Easy to check if an LAA (locally administered MAC address) is used or not. Look in your registration table or log.
In the beginning Apple used a different LAA for every connect in privacy mode. Now it seems to hold the same LAA for 24h for the same SSID network.
Android is doing the same already.

My "workaround" is using RADIUS PEAP/EAP/MSCHAPv2 as authentication. The wifi access is username based, not MAC address based.
Unsolved problem: how to inform a hotspot portal that the user is already identified and authenticated? (Fortinet does this with a RADIUS-listener to create a table of user/IP/MAC entries)

FROM http://www.noah.org/wiki/MAC_address:
locally administered address
A locally administered MAC address is similar to a LAN IP address (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). You can make up your own locally administered address and can be sure that it will not collide with any hardware on your network that uses a factory burned-in MAC address. Locally administered addresses are useful when creating virtual machines or virtual network interfaces.

The second bit of the first byte of a MAC address determines the type of OUI. If the bit is 0 then it is an OUI globally assigned by the IEEE; if the bit is 1 then it is a locally administered MAC address.

Create an OUI by whatever scheme you like, then logically OR it with 02:00:00:00:00:00, and then logically AND it with fe:ff:ff:ff:ff:ff, and you will have a locally administered address. The first OR pattern sets bit 2 of the first byte; the second AND pattern clears bit 1 of the first byte (unicast, not multicast).

The following MAC address pattern satisfies the OUI requirements:

4e:4f:41:48:00:00

SEE also : viewtopic.php?f=7&t=160748&p=825959&#p825731
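
The LAA check described in the post above, as an added example that is not part of the original thread: it tests the locally-administered bit of the first octet, applies the quoted OR/AND recipe, and lists LAA clients found in log lines. The log lines and the function names are constructed for illustration and are not RouterOS output or API; an LAA is only a candidate for a privacy MAC, since virtual interfaces use LAAs too.

```python
import re

LOCAL_BIT = 0x02      # bit 2 of the first octet: 1 = locally administered (LAA)
MULTICAST_BIT = 0x01  # bit 1 of the first octet: 1 = multicast/group address
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def parse_mac(text):
    """Return the six octets of a colon- or dash-separated MAC address."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def fmt(octets):
    return ":".join(f"{o:02x}" for o in octets)

def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & LOCAL_BIT)

def is_multicast(mac):
    return bool(parse_mac(mac)[0] & MULTICAST_BIT)

def to_local_unicast(mac):
    """Quoted recipe: OR with 02:00:00:00:00:00, then AND with fe:ff:ff:ff:ff:ff."""
    octets = bytearray(parse_mac(mac))
    octets[0] = (octets[0] | LOCAL_BIT) & 0xFE
    return fmt(octets)

def laa_clients(lines):
    """Return unique unicast LAA MACs seen in the lines, in order of appearance."""
    seen = []
    for line in lines:
        for raw in MAC_RE.findall(line):
            mac = fmt(parse_mac(raw))
            if is_locally_administered(mac) and not is_multicast(mac) and mac not in seen:
                seen.append(mac)
    return seen

# Constructed sample lines (illustrative only, not real router output)
SAMPLE_LOG = [
    "wlan1 connected mac=3C:22:FB:10:20:30 signal=-60",
    "wlan1 connected mac=DA:A1:19:4B:7C:05 signal=-55",
    "wlan1 connected mac=4e:4f:41:48:00:00 signal=-70",
    "wlan1 connected mac=F2-9B-00-11-22-33 signal=-48",
    "wlan1 disconnected mac=DA:A1:19:4B:7C:05",
]

if __name__ == "__main__":
    for mac in laa_clients(SAMPLE_LOG):
        print("LAA client (possible randomized MAC):", mac)
```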
