Media Access Control

From MgmtWiki

Meme

MAC randomisation broke authentication systems that depended on recognising devices by hardware address.

For years, network infrastructure assumed MAC addresses were stable identifiers. RADIUS servers cached authentication state by MAC (the Calling-Station-Id attribute). Network management systems tracked devices by MAC. Access control lists and MAC authentication bypass referenced MAC addresses.

Then privacy requirements pushed device manufacturers to randomise MAC addresses: the same device presents a different, locally administered MAC per network, and on some platforms per connection. All of those assumptions collapsed.

The industry's response split two directions:

IEEE 802.11bh (published June 2025) tries to preserve device recognition while protecting privacy. Either the client tells the AP which random MAC it will use on its next association (Identifiable Random MAC, IRM), or the AP hands the client an opaque Device ID to present at its next authentication. It is clever engineering: the network can still recognise a returning device without that device exposing its real MAC address, but only for networks the client has chosen to be recognised by.

OpenRoaming took a different approach: stop caring about MAC addresses entirely. Authenticate based on identity credentials, not hardware identifiers. The device runs a Passpoint (Hotspot 2.0) EAP authentication against credentials tied to an identity provider, routed over a federated RADIUS path. MAC randomisation becomes irrelevant to the authentication decision.

From an authentication infrastructure perspective, this matters because it changes what RADIUS servers need to track. Calling-Station-Id still carries whatever MAC the client used this time, but it can no longer be the key. Systems need to handle identity-based sessions that persist across MAC changes, keyed on the authenticated identity (for example the EAP identity, or the Chargeable-User-Identity the identity provider returns when the outer identity is anonymised).

For ISPs and enterprises deploying OpenRoaming: your RADIUS infrastructure needs to support these identity-based authentication flows properly. The authentication decision is not "has this MAC address authenticated before"; it is "does this identity have valid credentials, regardless of the MAC address it is currently using."
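The following is an added illustration, not code from MgmtWiki or from any OpenRoaming implementation. It models the two session stores described above in simplified form: one keyed by MAC (the legacy assumption) and one keyed by the identity the identity provider vouched for. It also shows the cheap check for a randomised address: the U/L bit in the first octet. The trace, the identity string and the class names are constructed for the example.

```python
"""Added example, not part of the MgmtWiki page: a RADIUS-side session store
keyed by MAC address breaks under MAC randomisation; one keyed by the
authenticated identity (EAP identity or Chargeable-User-Identity) does not.
All data below is constructed."""
from dataclasses import dataclass


def is_locally_administered(mac: str) -> bool:
    """Return True when the U/L bit (0x02 in the first octet) is set.
    Randomised MACs set this bit, so it is a quick tell that the
    Calling-Station-Id is not a stable hardware identifier."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


@dataclass(frozen=True)
class AuthEvent:
    mac: str       # Calling-Station-Id as the NAS reports it
    identity: str  # identity the IdP vouched for (hypothetical value)


class MacKeyedStore:
    """Legacy behaviour: prior state is looked up by hardware address."""

    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}
        self.full_auths = 0

    def handle(self, ev: AuthEvent) -> str:
        if ev.mac in self.sessions:
            return "hit"            # known MAC: prior state found
        self.full_auths += 1        # unknown MAC: treated as a new device
        self.sessions[ev.mac] = ev.identity
        return "full-auth"

    def summary(self) -> dict:
        return {"full_auths": self.full_auths, "sessions": len(self.sessions)}


class IdentityKeyedStore:
    """OpenRoaming-style behaviour: the session belongs to the identity;
    the MAC is an attribute of it that may change between connections."""

    def __init__(self) -> None:
        self.sessions: dict[str, set[str]] = {}
        self.full_auths = 0

    def handle(self, ev: AuthEvent) -> str:
        if ev.identity in self.sessions:
            self.sessions[ev.identity].add(ev.mac)  # same user, new MAC
            return "resumed"
        self.full_auths += 1
        self.sessions[ev.identity] = {ev.mac}
        return "full-auth"

    def summary(self) -> dict:
        return {"full_auths": self.full_auths, "sessions": len(self.sessions)}


# Constructed trace: one phone, three visits, a fresh random MAC each time.
TRACE = [
    AuthEvent("da:a1:19:2b:3c:4d", "anon@idp.example"),
    AuthEvent("96:7f:00:11:22:33", "anon@idp.example"),
    AuthEvent("2e:5c:aa:bb:cc:dd", "anon@idp.example"),
]


def run_demo(trace=TRACE):
    """Feed the same trace to both stores and return their summaries."""
    mac_store, id_store = MacKeyedStore(), IdentityKeyedStore()
    for ev in trace:
        mac_store.handle(ev)
        id_store.handle(ev)
    return mac_store.summary(), id_store.summary()


if __name__ == "__main__":
    for ev in TRACE:
        kind = "randomised" if is_locally_administered(ev.mac) else "burned-in"
        print(ev.mac, kind)
    by_mac, by_identity = run_demo()
    print("MAC-keyed:     ", by_mac)       # 3 full auths, 3 "devices"
    print("identity-keyed:", by_identity)  # 1 full auth, 1 session
```

The MAC-keyed store sees three different devices and never finds prior state; the identity-keyed store sees one subscriber who has shown up with three addresses, which is what accounting, policy and abuse handling actually need to know. The U/L-bit check is useful for logging, but it is not a reason to reject a client: every OpenRoaming client is expected to arrive with a randomised address.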

Privacy requirements forced authentication systems to evolve. Some worked around the problem by rebuilding a stable device identifier; others redesigned the approach around the user's identity. Both work, but they require different infrastructure capabilities.
