slackrl
Luminary
Jul 03, 2021

Using MAC Filtering w/Apple's Private Address Feature

For FYI and/or Discussion

 

Hello Community

 

Just thought I would post, not sure if anyone has posted on...

Using MAC Filtering w/Apple's Private Address Feature released "To improve privacy in, iOS 14, iPadOS 14, and watchOS 7"
And Apple's Recommended settings for Wi-Fi routers and access points.

 

In short order, it prevents user client profiling & tracking across networks. Each time an iPhone, iPad, & Apple Watch connects to a new network, the said devices will generate a fresh MAC address.


This applies to all routers and access points from any brand.

 

See Apple's
1. Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7
https://support.apple.com/en-us/HT211227

2. Recommended settings for Wi-Fi routers and access points
https://support.apple.com/en-us/HT202068

 

Like many of you, I used MAC filtering as an extra layer to prevent unauthorized device access into my network.

After upgrading to iPadOS 14.6, I noticed a "Privacy Warning" after attaching my iPad to my network.
Which said "Private WiFi address is turned off for this network. Using a private address helps reduce tracking of your iPad across different WiFi networks."

Great for privacy! Can be a little hard on network administration using MAC Filtering.
Which by the way Apple now says, as far as privacy is concerned, allows for MAC spoofing and profiling, as the connected device will always keep the same MAC address and assigned IP number together, giving attackers time to attack the device or track you across networks.

 

Now this feature can be turned on or off for each individual network SSID on the device.
Apple even states there are times you may have to turn off *Private Address.

 

Here's where things get sticky and can be annoying.

With Private Address turned on, each Apple device assigned to an SSID on your network will get a new MAC address... maybe 2 addresses!

 

Example: say you have this scenario:
Main SSID 2.4G
Main SSID 5G
Guest SSID 2.4G
Guest SSID 5G
Main 1 SSID 2.4G (WiFi Extended Network)
Main 1 SSID 5G (WiFi Extended Network)

In this example, for one device you could have 4 to 6 MAC addresses to manage when using MAC filtering once access has been granted.
In some cases this could become 8 to 12 addresses, as each device can have two MAC addresses.


By that I mean this will depend on if you:
Turn on Private Address: a new address will be generated, and then....
Turn off Private Address: the device's standard address will be used.
You will then have 2 MAC addresses.

 

This will allow a user on your network (in the event you would need to deny them access) to simply switch to another SSID on your network on their device unless you lock all MAC addresses down, the original as well as the generated ones.

 

Now before you get bothered with Apple.
Android devices have had a similar feature also. On the Android side of the house this is known as Randomized MAC Address Assigning.

 

The problem I had when allowing an Android device to join my guest network was each time the device was turned off and on it generated a new MAC address... had me going for a minute. I thought the device was infected or that my router had been compromised.

 

So my solution to this new Apple feature was to:
- Limit or grant access to just one SSID, then I would only need to manage two MAC addresses per device.
- Turn on *Private Address per device with one address to manage.
- Turn off Private Address per device with one address to manage.

 

There you have it.


Any suggestions or just your thoughts??

Feel free to chime in.


Happy Networking

RSlack

 

3 Replies

    DarrenM
    Sr. NETGEAR Moderator

    Thanks for sharing with the community.

     

    DarrenM

      slackrl
      Luminary

      Glad to do it.

      one of my favorite things to do

      :smileyhappy:

  • OK, so here are my thoughts on adding 2 MAC addresses to the MAC filtering. My router at this time only allows, I believe, only 30 MACs for MAC filtering. So I would only be able to have 15 devices, 2 MACs each, for the MAC filtering.

     

    So with that being said, you have 4 people in your household, and the average person has how many devices? 3 or 4 between phone, laptop, and smart thermostat that has to be WiFi and not hardwired, or at least mine does.

     

    You are going to use up those 30 MAC's for MAC filtering pretty fast. 

     

    Any thoughts on that one?

     

    Who7
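
Added example, not part of the thread and not NETGEAR or Apple code: private (randomized) Wi-Fi addresses are locally administered unicast MACs, so bit 0x02 of the first octet separates them from hardware addresses when auditing a MAC filter list. The entries below are constructed, the function names are hypothetical, and the capacity of 30 is the figure quoted in the last reply.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize(mac):
    """Lower-case, colon-separated form; rejects anything that is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def is_private(mac):
    """True for a locally administered unicast address (randomized/private).

    First octet: bit 0x02 set = locally administered, bit 0x01 clear = unicast.
    """
    first = int(normalize(mac)[:2], 16)
    return bool(first & 0x02) and not (first & 0x01)

def audit(entries, capacity):
    """entries: iterable of (device, ssid, mac) rows from a filter list.

    Returns unique-MAC usage against the router's filter-table capacity and,
    per device, how many hardware and private addresses are allowlisted.
    """
    per_device = defaultdict(lambda: {"hardware": set(), "private": set()})
    for device, _ssid, mac in entries:
        mac = normalize(mac)
        per_device[device]["private" if is_private(mac) else "hardware"].add(mac)
    counts = {d: (len(v["hardware"]), len(v["private"])) for d, v in per_device.items()}
    used = sum(h + p for h, p in counts.values())
    return {"per_device": counts, "used": used, "free": capacity - used}

# Constructed sample allowlist (hardware MACs use the RFC 7042 documentation range).
SAMPLE = [
    ("ipad",  "Main-5G",   "00:00:5E:00:53:01"),  # hardware address
    ("ipad",  "Main-2.4G", "a6:11:22:33:44:55"),  # private, per-SSID
    ("ipad",  "Guest-5G",  "DA-5B-00-00-00-01"),  # private, per-SSID
    ("phone", "Main-5G",   "00:00:5e:00:53:02"),  # hardware address
    ("phone", "Main-5G",   "f2:aa:bb:cc:dd:ee"),  # private
]

if __name__ == "__main__":
    report = audit(SAMPLE, capacity=30)
    for device, (hw, priv) in report["per_device"].items():
        print(f"{device}: {hw} hardware, {priv} private")
    print(f"filter slots used: {report['used']}, free: {report['free']}")
```
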