Skip to main content

Documentation Index

Fetch the complete documentation index at: https://wiki.netgraph-connect.com/llms.txt

Use this file to discover all available pages before exploring further.

This page summarises the MAC-address handling changes introduced in iOS / iPadOS 18 and macOS 15, explains what they mean for guests of networks served by Sign In and EntryPoint, and lists the actions end users may need to take to retain stable network access.

iOS / iPadOS

In previous versions of iOS / iPadOS there were two options for Private Wi-Fi Address:
  • Off — the physical hardware MAC address is used.
  • On — a randomly generated MAC address that remains the same for the specific SSID.
The default was On. Starting with iOS / iPadOS 18, the options expand to three:
  • Off — the physical hardware MAC address is used.
  • Fixed — a randomised MAC address that does not change for the SSID (the same behaviour as before). Default for encrypted networks.
  • Rotating — a randomised MAC address that changes periodically, approximately every two weeks. Default for open networks.
The default is Fixed for encrypted networks, so the behaviour matches earlier iOS versions. For unencrypted networks the default is Rotating. When upgrading to iOS / iPadOS 18 from a previous version, the device keeps using the same MAC address as before, provided the default settings for Private Wi-Fi Address are not changed.

macOS

Earlier versions of macOS had no support for Private Wi-Fi Address — the physical hardware MAC was used for every network. Starting with macOS 15 (Sequoia), Private Wi-Fi Address is available with the same three options as iOS / iPadOS:
  • Off — the physical hardware MAC address is used.
  • Fixed — a randomised MAC address that does not change for the SSID. Default for encrypted networks.
  • Rotating — a randomised MAC address that changes periodically, approximately every two weeks. Default for open networks.
When upgrading to macOS 15, devices automatically start using a new Fixed (randomised) MAC address for each encrypted network and a Rotating one for unencrypted networks.

What this means for users of Sign In and EntryPoint

iPhones and iPads

With the default Private Wi-Fi Address settings, users do not need to take any action — the same MAC address is used when connecting to open networks as long as the access duration is under two weeks. If the solution offers access longer than two weeks (for example BYOD), users need to select Fixed (or alternatively Off) to avoid having to log in again after approximately two weeks.

MacBooks

By default, MacBooks are assigned a new MAC address per SSID. There are two options:
  • For users who upgrade to macOS 15, a new login to the network is required because macOS now applies the same MAC-address behaviour as iOS / iPadOS with the three modes.
  • Users who want to avoid re-registering their device can set Private Wi-Fi Address to Off:
    Settings → Wi-Fi → the SSID → Network Details → Private Wi-Fi Address → Off

Improving captive-portal detection for iOS

DHCP Addr. Required on Cisco WLC guest SSIDs.

Whitelist module

Why per-MAC entries drift under MAC randomization.

Self-Provisioning by Email

Identity-based alternative to MAC-based access.

Support checklist

The full triage path for guest-access incidents.