Random MAC Address and ISE

Random MAC is recent change happened with our mobile devices . When users connect with random mac, ISE will show the end point as UNKNOWN and it will be difficult for us to do profiling. In this topic first session will be regarding the Random MAC and how to enable/disable from device. The second session will explain the configuration on ISE to handle this.

What is Random Mac

Apple’s iOS 14 has a setting that will change the way people connect and stay connected to Wi-Fi networks. While other operating systems, including Android 10, already had this feature, it has much broader implications for Apple devices because the adoption rate of new iOS versions is so much higher than on Android. Also, Apple has gone a step further with iOS 14 and added automatic randomization of the MAC address every 24 hours, whereas on Android, it stays consistent for each network after joining.

Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7

To further protect your privacy, your iPhone, iPad, iPod touch, or Apple Watch can use a different MAC address with each Wi-Fi network.

To communicate with a Wi-Fi network, a device must identify itself to the network using a unique network address called a media access control (MAC) address. If the device always uses the same Wi-Fi MAC address across all networks, network operators and other network observers can more easily relate that address to the device’s network activity and location over time. This allows a kind of user tracking or profiling, and it applies to all devices on all Wi-Fi networks.

To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device’s private Wi-Fi address for that network only.

Join Wi-Fi networks with a private address

Using a private Wi-Fi address doesn’t affect how you join or use most Wi-Fi networks. Connect to Wi-Fi as you normally do.

  • If your Wi-Fi router is configured to notify you whenever a new device joins the network, you will be notified when your device first joins with a private address.
  • If a network can’t use a private address to provide parental controls or identify your device as authorized to join, you can stop using a private address with that network.
  • Rarely, a network might allow you to join with a private address, but won’t allow internet access. If that happens, you can stop using a private address with that network.

Turn private address off or on for a network

You can stop or resume using a private address with any network. For better privacy, leave the setting on for all networks that support it.

iPhone, iPad, or iPod touch

  1. Open the Settings app, then tap Wi-Fi.
  2. Tap the information button  next to a network.
  3. Tap Private Address. If your device joined the network without using a private address, a privacy warning explains why.

Apple Watch

  1. Open the Settings app, then tap Wi-Fi.
  2. Tap the name of the network you joined. If you haven’t joined the network yet, swipe left on its name and tap more .
    The more button in Wi-Fi settings
  3. Tap Private Address.


Open the Settings app. Tap Network & Internet.
Tap Wi-Fi.
Tap the gear icon associated with the wireless connection to be configured.
Tap Advanced.
Tap Privacy.
Tap Use Randomized MAC or Use device MAC

How to enable a randomized MAC address in Android 10 - TechRepublic


Random MAC turned on devices will be shown as UNKNOWN type in ISE.

The generation of random MAC follows rules set by IEEE.locally significant address 2’s bit of first byte is set to one. Any MAC address that has locally significant bit set as one and is also a unicast address can be considered a random MAC address.

Screen Shot 2020-03-20 at 9.58.02 AM.png

So based on the rule, all of the numbers below would qualify as a random MAC address. For a simple rule, any MAC address’ first octet that ends 2,6,A,E would be a random MAC address.To Match the above MAC address first octet i created a rule on Cisco ISE with redirect to Webportal.

Note:- Below mentioned is for Deny Access + Instructions. youcan make your on policy conditions based on the project you are working on.

  1. Created a Identity Group called Random MAC address

2. Create a Hotspot Portal as mentioned below.

Selected the Previously selected End Point Identity Group

On Portal Page Customization edited the Banner Title to Random MAC Detected.

Post-Access Banner Text i changed to Random MAC detected

And the Content Area text changed to “Please change the network setting on your device to use global MAC address instead of random MAC address to gain network access.

3. Created a new Authorization Profiles which redirect all the traffic to the new portal which i created above.

4.Created a Policy to Match the Random MAC address discussed above(^.[26AEae].*) and applied the profile which i created above.

Now When user connect their devices with Random MAC turned on, they will get a redirect page as mentioned below.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s