Hello,
I think the important part is to be able to trace the problematic device and 'responsible party' (which could be an end user via an institution with BYOD, or an institution in the case of a managed device).
In our case, we try to use a different 802.1X inner identity for each device (including BYOD ones), so the MAC address is generally not important to identify which specific device was in use. If, however, the user re-uses the same 802.1X credentials across multiple devices, I guess we dig in to find out the per-SSID MAC address and try to determine which one is the culprit - if that's not possible, we may have to speak to the user to get them to separate out the credentials or, if the problem was serious, cut off all devices by rescinding the shared credentials.
I agree, though, I don't think we can get into arguments about what is philosophically right as we're stuck with what people such as Apple and Google implement. I also agree that it's good to randomise a MAC address on untrustworthy networks but relatively pointless on home networks as we know who you are anyway.
The problem with eduroam is there isn't really a distinction between the two — I think the problem could occur, though, where a device is misbehaving and we can't wait for the remote institution to rescind things and speak to the user. The MAC address is probably the only practical option here, if the outer identity is anonymous - keeping the randomised MAC address consistent on a particular SSID helps here.
- Bob
--
Robert Franklin / (+44 1223 7) 48479
University Information Services: Network Systems, University of Cambridge