Troubleshooting Meraki and MAC Address Randomization
Overview
By Alexander Neduzhko
MAC randomization has become more prevalent in enterprise networks. With newer mobile devices like Apple or Android smartphones, this feature is usually enabled by default. This document covers current MAC randomization features and how these features affect Cisco Meraki devices and features.
This document serves as a troubleshooting article for MAC address randomization issues affecting Cisco Meraki networks.
Environment
The following environments and configurations are applicable to this troubleshooting guide:
- MR access points
- MX WAN appliances
- MS switches
- Meraki dashboard
- Systems Manager
- Location analytics
- Cisco Meraki Health
- Apple iOS 14 and later devices
- Android 10 and later devices
- Wireless SSIDs using bridge mode
- DHCP-enabled wireless networks
- Location analytics-enabled deployments
- Sentry Policies and Sentry Enrollment configurations
How MAC randomization affects Meraki features
Troubleshooting iOS 14 MAC randomization
Apple released iOS 14 on September 16, 2020, which included some changes to how MAC addresses are handled on iOS devices. iOS 14 introduced the MAC randomization feature, which means that devices running iOS 14 present a distinct randomized MAC address for each SSID. This randomized MAC address for each network will not change over time, upon reconnecting to the same SSID, or when the SSID is “forgotten” in the device settings and re-joined later on. Also, toggling ‘Private Address’ on and off on an iOS 14 device will switch between the real MAC and the randomized MAC for that Wi-Fi network, but the randomized MAC won’t change as a result of the toggle either.
Possible causes
- MAC randomization is enabled by default on iOS devices
- The device reconnects using a randomized MAC address instead of the hardware MAC address
- Users toggling the Private Address option
Troubleshooting Android MAC randomization
Android 10+ devices support MAC randomization by default. Devices may use either persistent or non-persistent MAC randomization when connecting to wireless networks.
Possible causes
- MAC randomization is enabled on Android devices
- Persistent randomization generating SSID-specific MAC addresses
- Non-persistent randomization generating new MAC addresses periodically
Troubleshooting duplicate client IP address reporting
Depending on the DHCP lease duration, dashboard may report IP conflicts if an iOS 14 client switches its MAC address but retains the same IP address. For example, a client device may request the same IP address using a different MAC address immediately after an upgrade.
This behavior may trigger false-positive duplicate IP assignment alerts.
Under certain conditions, iOS 14 may also send malformed Address Resolution Protocol (ARP) responses carrying the hardware MAC address instead of the randomized MAC address.
Possible causes
- Devices reconnecting with randomized MAC addresses
- DHCP lease still active for previous MAC address
- Malformed ARP responses from iOS devices
Troubleshooting DHCP pool exhaustion
Apple devices using randomized MAC addresses send DHCP requests using different MAC addresses. Because many Meraki DHCP assignments are based on MAC addresses, MX WAN appliances or MS layer 3 switches acting as DHCP servers may assign new IP addresses to the same physical device.
MX devices may therefore account for multiple IP addresses for a single iOS 14 device using MAC randomization on different SSIDs in bridge mode.

This behavior may contribute to DHCP pool exhaustion issues. Lowering the DHCP lease duration may help mitigate this issue.
Possible causes
- Devices requesting new IP addresses using randomized MAC addresses
- Multiple SSIDs assigning separate randomized MAC addresses
- Long DHCP lease durations
Troubleshooting location analytics reporting
You may notice a decrease in connected clients as devices transition to randomized MAC addresses because dashboard filters randomized MAC addresses by default.
You may also notice a decrease in Passerby and Visitor counts because dashboard filters randomized MAC addresses for these categories as well.
Apple devices used randomized MAC addresses for probe requests even before the iOS 14 release.
Loyalty and engagement graphs may also be affected but should stabilize over time.
In some situations, devices may not correctly set the locally administered bit that is commonly used to identify randomized MAC addresses.
To classify a device as Passerby, dashboard must detect a unique non-randomized MAC address for more than one minute. When devices use MAC randomization, the MAC address used for probe requests may change multiple times within that interval.
Dashboard excludes these MAC addresses from Location Analytics calculations and Scanning APIv2 output.
Possible causes
- Devices using randomized MAC addresses
- MAC addresses changing during probe requests
- Dashboard filtering randomized MAC addresses from analytics
Troubleshooting Meraki health reporting
Meraki health reports use MAC addresses for client tracking. When client devices use different randomized MAC addresses across SSIDs, tracking connectivity or performance issues consistently across the network or within a specific SSID may become difficult.
Possible causes
- Meraki Health uses MAC addresses for client tracking
- Devices presenting different randomized MAC addresses across SSIDs
- Inability to correlate client history across networks
Troubleshooting network-wide clients page
Devices using randomized MAC addresses may appear as new clients in dashboard. This behavior may increase the reported client count in wireless networks.
Dashboard displays these additional entries on the Network-wide > Clients page and in Summary reports.
Possible causes
- Dashboard interprets randomized MAC addresses as separate devices
- Devices reconnecting with multiple randomized MAC addresses
- iOS and Android MAC randomization enabled by default
Troubleshooting Systems Manager Sentry policy
Systems Manager Sentry policies apply group policies based on device MAC addresses and Systems Manager tags.
When devices use randomized MAC addresses, the MAC address available through MDM differs from the MAC address reported to the MX appliance during wireless association.
Because of this mismatch, Sentry Policies may not apply correctly to Systems Manager devices on MX networks configured with Sentry Policies.
Possible causes
- Devices using randomized MAC addresses
- Sentry Policies relying on hardware MAC addresses
- Mismatch between MDM-reported MAC and SSID association MAC
Troubleshooting Systems Manager Sentry enrollment
Systems Manager Sentry enrollment uses the device hardware MAC address received through MDM to determine whether a device is enrolled with Systems Manager when connecting to an MR access point.
When devices use randomized MAC addresses, the randomized MAC address reported during SSID association does not match the hardware MAC address available through Systems Manager.
Because of this mismatch, dashboard may not identify the device as already enrolled. As a result, devices may repeatedly prompt users to re-enroll during association.
Possible causes
- Randomized MAC address differs from the registered hardware MAC address
- Systems Manager cannot validate enrollment status correctly
- Devices reconnect using different MAC addresses
Steps to minimize MAC randomization with Cisco Meraki
- Adopt OpenRoaming as part of Cisco DNA Spaces for seamless Wi-Fi onboarding.
- Implement policies using MDM solutions such as Cisco Meraki Systems Manager to disable MAC randomization for company-owned or BYOD devices where organizational policy permits.
- Ask users to disable MAC randomization on their devices if appropriate.
Using Systems Manager to disable MAC randomization
Meraki Systems Manager customers can use the Wi-Fi Settings payload to prevent iOS devices from randomizing their MAC addresses on specific SSIDs.
The steps below are demonstrated in this video on using SM to disable MAC randomization.
- Create a new settings profile or modify an existing profile.
- Choose + Add Settings.
- Select the Wi-Fi Settings payload.
- Select Disable MAC address randomization.
Additional resources
How to identify randomized iOS MAC addresses
If the second character of the MAC address is 2, 6, A, or E, the MAC address is randomized:
- x2-xx-xx-xx-xx-xx
- x6-xx-xx-xx-xx-xx
- xA-xx-xx-xx-xx-xx
- xE-xx-xx-xx-xx-xx
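As an added example (not part of the original article and not Meraki's own logic), the Python code below applies the second-character rule above, which is the locally administered bit mentioned under location analytics, to triage the duplicate-IP alerts described earlier. The function names and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

def parse_mac(text):
    """Return a MAC as 6 bytes; accepts aa:bb:.., aa-bb-.. and aabb.ccdd.eeff."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_randomized(mac):
    """True when the first octet is unicast (bit 0 clear) and locally
    administered (bit 1 set), i.e. the second hex character is 2, 6, A or E."""
    return parse_mac(mac)[0] & 0x03 == 0x02

def triage_duplicate_ips(leases):
    """Group (ip, mac) records by IP and label every IP seen with several MACs.

    'likely-randomization': at least one MAC is randomized, so the alert may be
    one device that changed its address while keeping its lease.
    'investigate': every MAC looks like a hardware address.
    """
    by_ip = defaultdict(set)
    for ip, mac in leases:
        by_ip[ip].add(parse_mac(mac).hex(":"))  # normalise so formats compare equal
    findings = {}
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            randomized = any(is_randomized(m) for m in macs)
            findings[ip] = "likely-randomization" if randomized else "investigate"
    return findings

# Constructed sample records (not real clients): (IP address, client MAC)
SAMPLE_LEASES = [
    ("10.0.10.21", "3C:22:FB:10:20:30"),  # hardware-style address
    ("10.0.10.21", "A6-5D-11-0C-9E-42"),  # same IP, randomized address
    ("10.0.10.35", "0011.2233.4455"),
    ("10.0.10.35", "00:11:22:33:44:66"),  # two hardware-style addresses
    ("10.0.10.40", "de:ad:be:ef:00:01"),  # single randomized client, no conflict
]

if __name__ == "__main__":
    for ip, verdict in sorted(triage_duplicate_ips(SAMPLE_LEASES).items()):
        print(ip, verdict)
```

Because some devices do not set the locally administered bit correctly, a hardware-looking address is not proof that randomization is off.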
How iOS MAC randomization impacts networks
If an Apple user upgrades to iOS 14 and connects to the network, the device uses a randomized MAC address. This MAC address differs from the device hardware MAC address, is SSID-specific, and remains consistent for a given SSID.
Note: Apple has stated that MAC address rotation within a single SSID may be implemented in the future.
This change may affect Wi-Fi features and services across multiple products in the industry. It may also increase network load and cause operational anomalies. Meraki continues to monitor the impact of these changes and take proactive steps where possible.
Android 10+ MAC randomization
Similar to iOS devices, Android devices support MAC randomization when connecting to Wi-Fi networks. On Android 10+ devices, MAC randomization is enabled by default and can be enabled or disabled from the network details settings page.
Android devices use one of two MAC randomization methods:
- Persistent randomization
- Non-persistent randomization
The Android device determines which method to use when connecting to a Wi-Fi network.
Persistent randomization
Persistent randomization is the default MAC randomization behavior on Android devices. The device generates a persistent MAC address based on network profile parameters such as SSID or security type.
The randomized MAC address remains the same unless the device is factory reset. Forgetting and reconnecting to the Wi-Fi network does not regenerate the MAC address because the MAC address depends on the network profile parameters.
Android 10 and Android 11 devices use persistent randomization for all networks when MAC randomization is enabled.
Non-persistent randomization
Non-persistent randomization is available on Android 12+ devices. Devices may either:
- Generate a new randomized MAC address at the start of each connection.
- Reuse an existing randomized MAC address for known networks.
Android devices may regenerate the randomized MAC address in the following situations:
- The DHCP lease duration has expired and more than four hours have elapsed since the device disconnected from the network.
- The current randomized MAC address is more than 24 hours old.
MAC address regeneration occurs only when establishing a new connection. Wi-Fi connections are not actively disconnected for the purpose of MAC regeneration.
If these conditions are not met, the device uses the previously generated randomized MAC address.
Devices running Android 11 or Android 12 can enable non-persistent MAC randomization globally through Developer options.
For more information on Android's implementation of MAC randomization, see MAC randomization behavior.

