
Deployment
Solution Guide
Overview

The MAC Randomization Challenge and Proposed Solutions
July 2021

Table of Contents

Intended Audience 3
Overview 4
Proposed Solutions 5
    Methods to Deliver DPSK Passphrases to Users 6
    RUCKUS Solutions Summary 7
        Smaller Networks 7
        Medium to Large Networks 8
        Medium/Large to Medium to Very Large Networks 8
    RUCKUS Cloudpath 9
SmartZone Using Cloudpath eDPSK 10
    Cloudpath Revisited 10
    Cloudpath eDPSK Max Values and Features 11
    Solution Configuration 11
        Step 1 – Create the Authentication Server in SmartZone 11
        Step 2 – Create the WLAN in SmartZone 12
        Step 3 – Create a DPSK Pool in Cloudpath 13
        Step 4 – Create a Single DPSK 13
    Deliver the Passphrases Using the Tenant Portal 14
        Accessing the Tenant Portal 14
    Using a Cloudpath Enrollment Workflow to Create and Deliver the DPSKs 15
    User Experience 16
How Captive Portals Work 17
    Using RUCKUS Controllers with Captive Portals 18
    Using a Captive Portal to Distribute DPSK Passphrases 19
Using DPSKs to Monitor Client Traffic 20
    Client Device Using a Random MAC Address 20
    Client Device Changes to a Public MAC Address 21
    Python Script Example 22
Conclusion 23

2 Design Guide
© 2020 CommScope Inc. All rights reserved.
The MAC Randomization Challenge and Proposed Solutions

Intended Audience
This document provides an overview of how to use DPSKs to solve the MAC Randomization issue. It gives details
on how to configure SmartZone with Cloudpath eDPSK, presents several methods to deliver DPSK passphrases,
and also covers solutions for Captive Portals and traffic monitoring using DPSKs.
This document is intended for use by technical engineers with a background in Wi-Fi design and 802.11/wireless
engineering principles.
For more information on how to configure CommScope products, please refer to the appropriate CommScope
user guide available on the CommScope RUCKUS support site at https://support.ruckuswireless.com/


Overview
With the launch of iOS 8 in 2014, Apple introduced a feature to protect the user's privacy in public locations.
This feature allowed the device to scan for Wi-Fi networks using a private, randomly generated MAC address.
Fast forward to 2020 and iOS 14, iPadOS 14, and watchOS 7: Apple has taken this a step further. With these new
operating systems, Apple uses the random, private MAC address not only to scan for networks, but also when a
device associates to a network.
This can be a huge issue for networks, depending on how they are configured. Some of the issues that spring to
mind are:
• MAC authentication used to authenticate a device when joining the WLAN.
• MAC address block lists used when a malicious or problematic user device has been identified.
• Any MAC address bypass method, such as a MAC address-based whitelist to bypass a captive portal.
• DHCP reservation (for example MAC address aa:bb:cc:dd:ee:ff will always get assigned IP address
10.10.10.10).
• DHCP IP address pool exhaustion.
By following forums and testing their beta software, we expect Apple to further continue that trend in 2021 and
beyond, releasing a new OS that will change the private MAC address every 24 hours.
That will cause even further challenges, like breaking applications that rely on a permanent MAC address for
monitoring traffic or marketing campaigns.
The following application types might be affected:
• Traffic Monitoring – Statistics will be inaccurate if the client MAC address changes every day.
• Captive Portals – If Joe's identity is determined by his MAC address, the second time he connects the
captive portal will not be able to identify him.

FIGURE 1 – MONITORING TRAFFIC BY MAC ADDRESS AND CLIENT RETURNING TO A CAPTIVE PORTAL

In fact, Android devices running the Android 11 developer preview already have the capability to change the
MAC address every 24 hours, as do computers running Windows 10.


Proposed Solutions
In a traditional WPA2 network, all users share the same passphrase. Dynamic Pre-Shared Key (DPSK) is patented
technology that enables unique PSK credentials for each user on the same network.
DPSK was developed to provide secure wireless access, while eliminating the burdens of manual device
configuration and the security drawbacks of shared PSKs.
So, to avoid most of the MAC Randomization issues, we can transition the traditional networks to authentication
using DPSKs.

FIGURE 2 – TRADITIONAL WPA-2 VERSUS DYNAMIC PSK


The proposed solution to address the MAC randomization problem uses a special DPSK type named Unbound
Group DPSK, which does not tie the client MAC address to the DPSK and allows multiple MAC addresses to be
associated with the same passphrase. Therefore, if the MAC address changes after 24 hours, the user can
continue to use the same passphrase.
The following RUCKUS products support Unbound Group DPSKs:
• Unleashed
• ZoneDirector 1200
• SmartZone Controller
• Ruckus Cloud
• Cloudpath

FIGURE 3 – RUCKUS PRODUCTS WITH UNBOUND GROUP DPSK SUPPORT

DPSK will not solve the use case where a Captive Portal needs to identify a client that is returning, since the
access to the portal is done via redirection through an unauthenticated WLAN. To solve that, the Captive Portal
needs to look for additional parameters in the redirection URL. More on that later in this document.


Methods to Deliver DPSK Passphrases to Users


Manually – An administrator creates or retrieves a DPSK from the controller and delivers it to the client
manually, or via e-mail.
Cloudpath Enrollment Workflow – A WISPr WLAN redirects the client to Cloudpath, where an enrollment
workflow creates a DPSK dynamically and sends the passphrase via e-mail or SMS.

FIGURE 4 – CLOUDPATH WORKFLOW TO DELIVER DPSK PASSPHRASE


Cloudpath Tenant Portal – When a Unit is created under a Property in Cloudpath, the associated client receives
a DPSK passphrase in text or QR code, via e-mail or SMS.

FIGURE 5 – THE TENANT PORTAL


External Captive Portal – A WISPr WLAN redirects the client to an external Captive Portal. The portal has
previously imported the DPSKs from a controller, and it sends the client a passphrase via e-mail or SMS after the
client gets authorized.
DPSK Passphrase Generator – A device, like a Raspberry Pi, where you press a button to see the next available
DPSK passphrase in text or QR code.

FIGURE 6 – DPSK PASSPHRASE GENERATOR (RUCKUS PATENT PENDING)


RUCKUS Solutions Summary


Regardless of the solution deployed at the customer's location, support for the Group DPSK functionality is already
present. What becomes an issue is the number of devices the network operators expect to see using the
network. For Unleashed, ZoneDirector, and Cloud, the Group DPSK limitation matches up with the DPSK
limitation of the platform. SmartZone poses a problem: while Bound DPSK tops out at 25,000 per zone,
Unbound and Group DPSKs share 500 "slots" per zone. While possible, this usually points to the user needing to
explore Cloudpath as a solution.

TABLE 1 – DPSK SUPPORT BY PRODUCT

Smaller Networks
Unleashed is a “Controllerless” solution in which one of the APs in the network not only serves clients but also
acts as the controller and management interface to the network. Unleashed supports DPSK for those devices
that won’t be changing their MAC addresses every 24 hours, as well as Shared (Group) DPSK and External DPSK if
the requirements call for it.
ZoneDirector 1200 is the traditional WLAN controller appliance that most people think of when it comes to Wi-Fi
network controllers. ZoneDirector 1200 also supports DPSK, Shared (Group) DPSK, and External DPSK just like
Unleashed.
While the number of APs and client devices supported differs between the two platforms, when it comes to
DPSK support they are pretty similar.
The key point to know in this solution is the Shared DPSK function is tied to the number of client devices using
the network. This means that while a mobile device that changes its MAC address will appear to be more than 1
device over time, at any given time only 1 MAC address will be online to count against the capacity of the
platform.

FIGURE 7 – SMALLER NETWORKS


Medium to Large Networks


RUCKUS Cloud is an AI-enabled converged network management-as-a-service platform for managing RUCKUS
APs and ICX switches. RUCKUS Cloud supports DPSK in a couple of different ways, depending on the needs of the
network.
After creating the network, administrators then can create the DPSKs as needed by navigating to
Users/WiFi/DPSK User Credentials to manage any existing DPSK credentials or to create new credentials.
Clicking on Add DPSK Passphrase in the top menu allows for more configurations of the DPSK for each user.
When creating passphrases, administrators can also set the number of devices that can use the passphrase, exactly
like a shared or group DPSK found in other solutions. That selection can either be a defined number between 1 and
50 or set to unlimited. Setting this number to 1 is the same as a Bound DPSK in the other platforms, whereas
increasing that number or selecting Unlimited is almost like a Group DPSK in other platforms.

FIGURE 8 – DPSK CREATION IN RUCKUS CLOUD


Starting with release 21.04.12, RUCKUS Cloud added support for external DPSKs using Cloudpath.

Medium/Large to Medium to Very Large Networks


SmartZone is a controller platform that can either be a physical appliance or a virtual machine. Even though the
different platforms have different features and functions, the DPSK operation of every platform is identical.
When creating the DPSK for the WLAN, simply select Internal for using DPSK managed by the SmartZone, or
External for using an external server to manage the DPSK, like Cloudpath.
When creating the DPSK for an individual passphrase, simply select Yes in Group DPSK to enable Group DPSK.
Remember, an individual or bound DPSK can only be used for a device where the MAC address isn’t expected to
change. For any device where the MAC address is expected to change every day, a group DPSK is the only
method that won’t lock out the client on day 2.
The catch with Internal Group DPSK is the number of Group DPSKs supported per zone. For code version 5.1 and
later, that number is only 500 per zone. When considering the number of devices typically seen in a zone,
depending on the network this number does not seem large.


When the device counts start to exceed the limit, the solution is to switch from the Internal Group DPSK to
External DPSK (eDPSK) using Cloudpath. For clarification, Cloudpath treats and names every DPSK as a Group
(Unbound) DPSK.

FIGURE 9 – SMARTZONE PLATFORMS

RUCKUS Cloudpath
Cloudpath is a platform that delivers secure wired and wireless network access for BYOD, guest, and IT-owned
devices. One of the methods that it uses to deliver access is by utilizing DPSK, making it the perfect solution for
large networks that exceed the limits found with the internal Group DPSK.
Of all of the advantages to using external DPSK (eDPSK) with Cloudpath, the primary one is that it can handle a
lot more DPSKs, since they are stored within RADIUS instead of on the WLC. Another is that it treats all DPSKs as
Unbound Group DPSKs by design, which allows it to be a natural solution for devices using a DPSK network, but
will still be changing their MAC address every 24 hours.
Within Cloudpath, administrators can build accounts with multiple DPSKs. Since the client is identified by the
DPSK passphrase and not by their MAC address, the functionality of the network is still there, and the end users
won’t know that they are using a Private MAC address that keeps changing. More importantly, the network
operator doesn’t need the end user to manually disable Private MAC addresses on their device in order to
maintain a functional service for the end user.
Each DPSK within the account can then be assigned profiles that, when returned to the WLC, can assign different
attributes to the client, depending on which DPSK passphrase they entered on their device when associating to
the network.
Cloudpath communicates with the controllers using standard RADIUS protocols, which allows Cloudpath to
return almost any RADIUS attribute associated with a Role Based Access Control (RBAC) type service.
DPSKs can be created manually, or an enrollment workflow can be created that allows the end user to connect
to an enrollment SSID that walks the user through creating their own DPSK, but can still include other factors (like user
credentials) to define what the network allows the end user to do.
Cloudpath 5.8 brought the addition of the Tenant Portal, which is another way to deliver DPSK passphrases, and
allow the end-user or tenant to manage their own Group DPSK as well as manage a “Guest” Group DPSK.
Unleashed, ZoneDirector 1200, SmartZone and RUCKUS Cloud support Cloudpath eDPSKs today.


SmartZone using Cloudpath eDPSK


All SmartZone platforms support WPA2 encryption using DPSK. There are two authentication modes supported
in SmartZone:
• Internal - The DPSKs are generated by the SmartZone controller and cached in the access points, but
there are scalability limits on the number of DPSKs supported. It is currently 500 DPSKs per zone.
• External - The DPSKs are generated by Cloudpath, and there is no limit on the number of DPSKs
supported.
From this point on, this section will focus on the solution using SmartZone and Cloudpath eDPSKs.

FIGURE 10 – SMARTZONE WLAN CONFIGURED FOR CLOUDPATH EDPSK

Cloudpath DPSKs can have from 8 to 63 characters, drawn from a character set of numbers only, alphabetic,
alphanumeric, or printable ASCII characters, in lowercase and uppercase. The passphrase's expiration time ranges
from minutes to years, unlimited, or up to a specific date.
Whether it is spreading malware/ransomware across a network or establishing a MITM position in order to carry
out other attacks (which in theory could be planting malware on a device, waiting for it to connect to a corporate
network before spreading), maintaining control over who, and what, is accessing the network is more important
than ever before.

Cloudpath Revisited
By design, Cloudpath always uses Unbound Group DPSKs. There is no limit to the number of DPSKs that can be
created. The Cloudpath administrator can create multiple DPSK pools with different policies, and each pool can
be associated with one or more external DPSK WLANs created on the SmartZone controller.
Policies allow for mapping authentication requests to a set of RADIUS response attributes based on dynamic
conditions, such as a user physical location, username, or the time of day. Each policy has an associated
attribute group to define the response RADIUS attributes (such as VLAN ID, filter ID, and class).
You can manually generate DPSKs and provide the users with the passphrases they need to connect.
You can create an enrollment workflow to generate DPSKs for the user dynamically, and to deliver the
passphrases during the enrollment.
Finally, the passphrases can also be delivered via the Tenant Portal.


Cloudpath eDPSK Max Values and Features

TABLE 2 – CLOUDPATH EDPSK MAX VALUES AND FEATURES

Solution Configuration
Step 1 – Create the Authentication Server in SmartZone
On the SmartZone UI, navigate to Services&Profiles/Authentication, then click on the Proxy (SZ Authenticator)
tab, select the desired domain and click on +Create.
Enter the following information:
• Name: Define a name for the authentication service
• IP Address: Enter the Cloudpath IP address
• Port: Enter the UDP port configured for the RADIUS service in Cloudpath
• Shared Secret and Confirm Secret: Enter the shared secret for the RADIUS service configured in
Cloudpath at Configuration/RADIUS Server/Status/RADIUS Server Settings

FIGURE 11 – CREATE AUTHENTICATION SERVICE


Step 2 – Create the WLAN in SmartZone


On the SmartZone UI, navigate to Wireless LANs, select the desired zone and click on +Create.
Enter the following information:
• Name: Define a name for the DPSK WLAN
• Zone: Select the zone for the WLAN
• Authentication Type: Select Standard usage
• Method: Select Open
• Encryption Options Method: Select WPA2 or WPA-Mixed
• Algorithm: Select AES
• Dynamic PSK: Select External
• Authentication Service: Select the authentication service configured for Cloudpath

FIGURE 12 – CREATE AUTHENTICATION SERVICE


Step 3 – Create a DPSK Pool in Cloudpath


On the Cloudpath UI, navigate to Configuration/DPSK Pools and click Add DPSK Pool.
Enter the following information:
• Display Name: Define a name for the DPSK pool
• Passphrase Length: Enter the passphrase length
• Characters: Select the character type
• SSID: Enter the SSID for the eDPSK WLAN configured in SmartZone
• Enforce Expiration Date: If desired, check this box and define the expiration time

FIGURE 13 – CREATE A DPSK POOL


Step 4 – Create a Single DPSK
Select the DPSK pool you just created, click on the DPSKs tab and then + Add DPSK.
Enter the DPSK name in the Display Name field. If desired, change the Pre-Shared Key (PSK) and the
Restrictions settings. By default, the restrictions settings are inherited from the DPSK pool configuration.

FIGURE 14 – CREATE A SINGLE DPSK

This completes the basic configuration. A client device can now use the DPSK to connect to the external WLAN
created in SmartZone. The next sections will cover the Tenant Portal and Enrollment Workflows.


Deliver the Passphrases Using the Tenant Portal


Cloudpath launched the Tenant Portal in release 5.8. To use the Tenant Portal to deliver DPSK passphrases, first
you need to create a Property. You do that by navigating to Managed Access/Property Management, then
clicking on Add Property.
After the property is created, select it, click on the Unit tab, and click on Add Unit.
Enter the following information:
• Unit Number: Define a unit number
• DPSK Secret: Enter the passphrase
• Name: Enter the user name
• Email: Enter the user's email
• Phone Number: Enter the user's phone number

FIGURE 15 – CREATE A UNIT


Click Save to finish. As soon as the unit is created, the user will receive an email and SMS message with the DPSK
passphrase and a link to access his or her tenant portal.

Accessing the Tenant Portal


The user will receive an email and SMS with the passphrase and link to his Tenant Portal.

FIGURE 16 – EMAIL AND SMS WITH DPSK PASSPHRASE AND LINK TO ACCESS THE TENANT PORTAL


The Tenant Portal includes icons to show the passphrase or a QR code, and to change the passphrase or device names.

FIGURE 16 – TENANT PORTAL AND QR CODE

Using a Cloudpath Enrollment Workflow to Create and Deliver the DPSKs


An enrollment workflow can be used to create the client DPSK on the fly. This is a very simple Cloudpath
workflow, which does not install any software or certificate, or perform checks on the client device.
A workflow brings the following benefits:
• Presenting T&C for the use of the Wi-Fi network
• A method to capture the user credentials for auditing or monitoring purposes
• Automatic DPSK creation and delivery of the passphrases (using text string or a QR code shown during
the onboarding process)
A basic enrollment workflow contains only four steps:

FIGURE 17 – CLOUDPATH ENROLLMENT WORKFLOW


This document will not cover how to configure the workflow. Please consult the slide deck on the following URL
for all the details:
https://commscope.sharepoint.com/:p:/s/TechMktngSol/EfU7T5ukaAVInmdMkZRWaeAB0r0V4TEn9FiPpoA0U1
gViQ?e=M1xcoc


User Experience
A solution using DPSKs delivered by Cloudpath workflows requires two WLANs configured in SmartZone. Through
the first WLAN, the user gets access to the Cloudpath portal. Normally, that's an unsecured network. The figure
below shows what the enrollment process looks like.

FIGURE 18 – USER EXPERIENCE

After the user enters his or her credentials and gets authenticated, the DPSK passphrase and QR code are shown.
Using the passphrase or the QR code, the user can now connect to the secure network.


How Captive Portals Work


Captive Portals can provide a variety of functions, including:
• Authorize network access
• Capture client information/demography data
• Redirect clients to a pre-defined web site
• Send advertisements to clients
• Collect client traffic statistics
• Create marketing campaigns

For some of those functions, such as identifying repeat visitors or collecting traffic statistics from the controller,
most captive portal solutions currently rely on a fixed, permanent client MAC address. If the client MAC
address changes every 24 hours, that poses a problem for many captive portals. For instance, the portal will
never know that it's the same client returning to the portal (because it is seeing a new MAC address), and any
traffic aggregation per user performed by the portal back-end administration might result in incorrect data.

FIGURE 19 – CAPTIVE PORTAL AND ADMINISTRATION DASHBOARD


Using RUCKUS Controllers with Captive Portals


When working in conjunction with RUCKUS controllers, a WISPr WLAN needs to be configured in the controller.
Normally, that WLAN is open, without requiring any client authentication, and it is configured with the URL for
the external captive portal.
When the client connects to the WISPr WLAN and attempts to navigate to a web site, he gets redirected to the
captive portal, where he needs to provide his credentials for authentication.

FIGURE 20 – USING A WISPR WLAN IN RUCKUS CLOUD


Besides the user credentials, the captive portal receives additional information in the redirected client URL: the
client MAC address and IP address, the client's desired URL destination, the controller IP address, access point
MAC address, WLAN ID, SSID and other parameters. It may store some, or all of those parameters for further
processing, and also to help in recognizing the client the next time he connects – without prompting him for the
credentials again.
As explained earlier, the process of identifying repeat clients by MAC addresses will fail if the MAC address
changes. The captive portal needs to use a combination of the parameters received in the redirect client URL,
plus the credentials entered by the client, to fingerprint a client who is returning.
For example, when using RUCKUS Cloud wireless networks, the portal can use the user name entered by the
client, combined with the domain_name (tenant id) and the wlanName (wlan id) parameters received in the
redirect URL:

FIGURE 21 – PARAMETERS IN REDIRECT URL FROM A RUCKUS CLOUD WISPR WLAN


An authentication server is always associated with the WLAN, therefore if a previous user name is seen using the
same wlanName and domain_name in the URL redirection reaching the portal, then it is a client returning to
the portal, because the user names must be unique in the authentication server.
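As an added example (not code from this guide or from RUCKUS), the portal-side logic just described: the redirect URL is parsed and a returning client is keyed on domain_name, wlanName and the user name entered at login, so a rotated MAC address no longer hides the repeat visit. The portal host and the client_mac, client_ip and url parameter names are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed redirect URLs in the shape the guide describes for a RUCKUS Cloud
# WISPr WLAN. domain_name and wlanName are the parameter names the guide cites;
# the portal host and the client_mac, client_ip and url names are assumptions.
DAY1_REDIRECT = (
    "https://portal.example.invalid/login?client_mac=7a:12:f3:44:9c:01"
    "&client_ip=10.10.10.23&domain_name=tenant-123&wlanName=guest-wifi"
    "&url=https://example.invalid/"
)
# Same phone the next day: new private MAC and IP, same tenant and WLAN.
DAY2_REDIRECT = (
    "https://portal.example.invalid/login?client_mac=de:ad:be:ef:00:42"
    "&client_ip=10.10.10.57&domain_name=tenant-123&wlanName=guest-wifi"
    "&url=https://example.invalid/news"
)
# Same user name on a different WLAN of the same tenant: a different visitor key.
OTHER_WLAN_REDIRECT = (
    "https://portal.example.invalid/login?client_mac=de:ad:be:ef:00:42"
    "&client_ip=10.10.20.5&domain_name=tenant-123&wlanName=staff-wifi"
    "&url=https://example.invalid/"
)

REQUIRED_PARAMS = ("domain_name", "wlanName", "client_mac")


def parse_redirect(url):
    """Flatten the redirect query string; refuse URLs missing a key parameter."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    missing = [k for k in REQUIRED_PARAMS if k not in params]
    if missing:
        raise ValueError(f"redirect URL is missing parameters: {missing}")
    return params


class VisitorRegistry:
    """Recognise returning clients by (tenant, WLAN, user name), not by MAC.

    The user name is unique within the authentication server tied to the WLAN,
    so the triple stays stable while the client's private MAC address rotates.
    """

    def __init__(self):
        self._visits = {}   # (domain_name, wlanName, username) -> MACs seen
        self._macs = set()  # what a MAC-keyed portal would have remembered

    def login(self, redirect_url, username):
        p = parse_redirect(redirect_url)
        mac = p["client_mac"].lower()
        key = (p["domain_name"], p["wlanName"], username.strip())
        returning = key in self._visits
        macs = self._visits.setdefault(key, [])
        if mac not in macs:
            macs.append(mac)
        # mac_known is True only when MAC-based recognition would also have worked
        mac_known = mac in self._macs
        self._macs.add(mac)
        return {"returning": returning, "mac_known": mac_known, "macs": list(macs)}
```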
Using a Captive Portal to Distribute DPSK Passphrases
The DPSKs generated by SmartZone, Ruckus Cloud, ZoneDirector 1200, Unleashed or Cloudpath can be imported
to a database in the portal administration back-end, using the APIs for each of those products.
The Captive Portal can distribute the DPSK passphrases by sending an e-mail or SMS message to the client, and
following that, the client uses the passphrase to authenticate against a WPA2 WLAN.
Because the Captive Portal is being used to distribute the DPSKs to the clients, the back-end platform can keep
track of which DPSKs were distributed to every client, poll the RUCKUS controller periodically to get the new
DPSK & MAC address association, and retrieve client traffic counters for those MAC addresses.
Finally, the platform can aggregate the traffic for all MAC addresses under the same DPSK.

FIGURE 22 – BACK-END DELIVERING DPSK PASSPHRASES AND COLLECTING DATA


Using DPSKs to Monitor Client Traffic


A wireless network configured with unbound Group DPSK ensures that when the client MAC address changes,
the client device can continue to use the same DPSK to connect to the network.
Today, some applications monitoring the client traffic (especially the ones that monetize the client traffic)
rely on a fixed MAC address to collect information about the client traffic.
By using some form of DPSK identity, it is possible to keep track of the DPSK and MAC address associations, and
aggregate the traffic for every MAC address tied to the same DPSK, as it is traffic coming from the same user.
In the example below using SmartZone Internal DPSKs, the User Name can be used as the DPSK identity. That
name is associated with the DPSK passphrase when the DPSK is created. Notice that even though the MAC address
changed, the User Name remains the same. That's the same device changing from one MAC address to another,
so the traffic for those two MAC addresses needs to be aggregated.

FIGURE 23 – THE MAC ADDRESSES CHANGE, BUT THE DPSK (USER NAME) DOES NOT

Client Device Using a Random MAC address
This example uses an iPhone configured with a random MAC address. It's called a Private Address in the iPhone:

FIGURE 24 – IPHONE USING A RANDOM MAC ADDRESS


It is connected to the eDPSK SSID, as shown in the SZ UI and in the API call response:

FIGURE 25 – SMARTZONE WIRELESS CLIENTS AND API RESPONSE


The SZ UI and API response identify the DPSK using the userName attribute. Even if the MAC address changes
after 24 hours, the same DPSK will be used by the user.
Client Device Changes to a Public MAC address
While still connected to eDPSK SSID, the same iPhone is now configured to use the factory-assigned MAC
address, to simulate a MAC address change. It reconnects automatically to the same SSID:

FIGURE 26 – IPHONE USING A PUBLIC MAC ADDRESS


The User Name remains the same:

FIGURE 27 – SMARTZONE WIRELESS CLIENTS AND API RESPONSE AFTER MAC ADDRESS CHANGE

Python Script Example
This is a bare-minimum Python script to demonstrate the concept. It aggregates traffic from a single DPSK
connected to a WLAN, using only one device, whose MAC address changes over time.

FIGURE 28 – PYTHON SCRIPT RESULTS


What matters in this table is the aggregated Tx and Rx traffic. Notice that the values continue to increase after
the MAC address changes; they do not start back from zero. That's because the Python script is considering the
DPSK ID as the identity, not the MAC address itself.
You can download the script from this URL:
https://commscope.sharepoint.com/:f:/s/TechMktngSol/Epet0fowou1Ah8Uiv7dksqEB4R3tTvuiooy74u8KxdAnRw?
e=yt6meM
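An added Python example, not the script linked above, that implements the aggregation this section describes: per-client Tx/Rx counters polled from the controller are accumulated under the DPSK identity (userName) across every MAC address that used it, and a counter that drops is treated as a re-association rather than negative traffic. The clientMac, txBytes and rxBytes field names and the poll samples are constructed assumptions.

```python
from collections import defaultdict

# Constructed poll results in the shape of the per-client records this section
# discusses. userName is the DPSK identity named in the guide; clientMac, txBytes
# and rxBytes are assumed field names. Counters are bytes since association, as
# a controller reports them, so a re-associated client starts again from zero.
POLLS = [
    # day 1: the phone is on its private MAC
    [{"clientMac": "7a:12:f3:44:9c:01", "userName": "dpsk-joe", "txBytes": 1000, "rxBytes": 5000}],
    [{"clientMac": "7a:12:f3:44:9c:01", "userName": "dpsk-joe", "txBytes": 1800, "rxBytes": 9000}],
    # day 2: same DPSK, new private MAC, counters restart at zero
    [{"clientMac": "de:ad:be:ef:00:42", "userName": "dpsk-joe", "txBytes": 300, "rxBytes": 700}],
    # the first MAC re-associates (its counter reset) while the second is still online
    [{"clientMac": "de:ad:be:ef:00:42", "userName": "dpsk-joe", "txBytes": 900, "rxBytes": 2200},
     {"clientMac": "7a:12:f3:44:9c:01", "userName": "dpsk-joe", "txBytes": 50, "rxBytes": 120}],
]


class DpskTrafficAggregator:
    """Accumulate Tx/Rx per DPSK identity across every MAC address that used it."""

    def __init__(self):
        self._last = {}  # (userName, clientMac) -> (txBytes, rxBytes) at the previous poll
        self.totals = defaultdict(lambda: {"txBytes": 0, "rxBytes": 0, "macs": set()})

    @staticmethod
    def _delta(now, before):
        # A counter lower than last time means the client re-associated and the
        # controller restarted its per-session counter: the whole value is new traffic.
        return now - before if now >= before else now

    def ingest(self, clients):
        """Fold one poll of the controller's client list into the running totals."""
        for c in clients:
            ident, mac = c["userName"], c["clientMac"].lower()
            prev_tx, prev_rx = self._last.get((ident, mac), (0, 0))
            total = self.totals[ident]
            total["txBytes"] += self._delta(c["txBytes"], prev_tx)
            total["rxBytes"] += self._delta(c["rxBytes"], prev_rx)
            total["macs"].add(mac)
            self._last[(ident, mac)] = (c["txBytes"], c["rxBytes"])

    def report(self):
        """Plain dict view: totals per DPSK identity plus the MACs seen under it."""
        return {ident: {"txBytes": t["txBytes"], "rxBytes": t["rxBytes"],
                        "macs": sorted(t["macs"])}
                for ident, t in self.totals.items()}


def aggregate(polls):
    """Feed every poll through the aggregator and return the per-DPSK totals."""
    agg = DpskTrafficAggregator()
    for clients in polls:
        agg.ingest(clients)
    return agg.report()


if __name__ == "__main__":
    for ident, t in aggregate(POLLS).items():
        print(f"{ident}: tx={t['txBytes']} rx={t['rxBytes']} macs={t['macs']}")
```

Keyed on the MAC instead, the day-2 record would appear as a new client with counters restarting from zero, which is the table behaviour the section above warns about.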


Conclusion
Securing networks will always be a work in progress. New methods are always in development and attackers are
always looking for a way to bypass the latest method. Where most network operators struggle, especially
with Wi-Fi networks, is finding the balance between the best methods available, the effort
(time and money) the business is willing to invest into making those methods work, and what the devices using
the network are capable of doing. Unfortunately, when that balance point is found, it doesn't always point to
the latest and most advanced methods of securing networks.
CommScope RUCKUS is committed to helping network operators find the best possible option to secure their
networks in this ever-changing world. While offering support for the latest standards in 2021 like WPA3-
Enterprise and Opportunistic Wireless Encryption (OWE), RUCKUS also realizes that there still needs to be a
strategy for securing devices that don’t support the latest technology. DPSK is that balance point and when
combined with Cloudpath, it offers one of the best options for securing whatever Wi-Fi device that needs to
connect, no matter how limited or advanced the capabilities of the device may be.
To learn more about any of these solutions or technologies, please refer to the guides that can be found in the
Technical Marketing and Solution SharePoint (search for DPSK) and the Partner Portal.

Ruckus solutions are part of CommScope’s comprehensive portfolio
for Enterprise environments (indoor and outdoor).

We encourage you to visit commscope.com to learn more about:


Ruckus Wi-Fi Access Points
Ruckus ICX switches
SYSTIMAX and NETCONNECT: Structured cabling solutions
(copper and fiber)
imVision: Automated Infrastructure Management
Era and OneCell in-building cellular solutions
Our extensive experience about supporting PoE and IoT

commscope.com
Visit our website or contact your local CommScope representative for more information.
© 2020 CommScope, Inc. All rights reserved.
Unless otherwise noted, all trademarks identified by ® or ™ are registered trademarks, respectively, of CommScope, Inc. This document is for planning
purposes only and is not intended to modify or supplement any specifications or warranties relating to CommScope products or services. CommScope is
committed to the highest standards of business integrity and environmental sustainability with a number of CommScope’s facilities across the globe certified
in accordance with international standards, including ISO9001, TL9000, ISO14001 and ISO45001. Further information regarding CommScope’s commitment can
be found at www.commscope.com/About-Us/Corporate-Responsibility-and-Sustainability.
