How to Manage MAC Address Randomization in Dual SSID BYOD ISE 3.3?

ISENAC1122
Level 1

Context: I am currently testing a BYOD setup involving dual SSIDs using Cisco ISE 3.3 for mobile devices. The configuration process begins with an open SSID, followed by a secure SSID connection via TLS once the profile and certificate are retrieved from ISE.

Certificate Configuration: The certificate template includes both the GUID and MAC address, ensuring that the certificate issued by ISE contains these fields.

Issue Encountered: The challenge arises with MAC address randomization. For instance, an iPhone may connect to the open SSID using one MAC address and then switch to a different MAC address when connecting to the secure SSID.

Specific Problem: This becomes problematic when attempting to manage device statuses such as marking a device as stolen or lost in my device management portal. The portal only recognizes the MAC address used for the initial open SSID connection, which complicates the security measures for the subsequent secure SSID connection.

Question: How can I address this issue of MAC address discrepancy in dual SSID configurations, particularly when dealing with security protocols and device management? Is there a way to configure the device or ISE settings to recognize or adapt to MAC address randomization?

I appreciate any insights or suggestions from the community. Thank you!
NOTE: I am not using AD here; instead, I am using LDAP.