持久设备身份标识在MAC地址随机化时代的网络访问控制：一种基于RADIUS的框架 (Persistent Device Identity for Network Access Control in the Era of MAC Address Randomization: A RADIUS-Based Framework)

Modern operating systems increasingly randomize Media Access Control (MAC) addresses to protect user privacy, fundamentally disrupting Network Access Control (NAC) systems that have relied on MAC addresses as persistent device identifiers for over two decades. This disruption affects critical enterprise environments including federal government agencies operating under FISMA, healthcare organizations subject to HIPAA, financial institutions governed by PCI-DSS, and educational networks managing large-scale BYOD deployments. This paper presents a comprehensive framework for maintaining persistent device identity in NAC environments through a RADIUS protocol-based approach that assigns and distributes a Globally Unique Identifier (GUID) to endpoints via RADIUS Access-Accept messages. The proposed architecture addresses the complete device lifecycle including initial enrollment, re-authentication across randomized addresses, device management integration, certificate-based identity binding, and device attribute correlation. We describe the framework's design across six distinct use cases -- BYOD, managed devices, VPN-based posture assessment, non-VPN posture, guest access, and IoT device profiling -- and analyze its effectiveness in maintaining device visibility, accurate license counting, and regulatory compliance under continuous MAC address randomization. The approach is compatible with existing 802.1X and MAB infrastructure, requires no client-side operating system modifications, and aligns with the recently published RFC 9797 and IEEE 802.11bh-2024 standards. Our framework enables organizations to maintain regulatory compliance while preserving the privacy benefits that MAC address randomization was designed to provide.

翻译：现代操作系统日益采用媒体访问控制（MAC）地址随机化技术以保护用户隐私，这从根本上瓦解了依赖MAC地址作为持久设备标识符已逾二十年的网络访问控制（NAC）系统。此种冲击波及关键的企业环境，包括依据《联邦信息安全管理法案》运作的联邦政府机构、受《健康保险流通与责任法案》约束的医疗组织、遵循支付卡行业数据安全标准的金融机构，以及管理大规模自带设备部署的教育网络。本文提出一种在NAC环境中维持持久设备身份标识的综合性框架，该框架通过基于RADIUS协议的方法，经由RADIUS访问接受消息为终端设备分配并分发全局唯一标识符（GUID）。所提出的架构涵盖了完整的设备生命周期，包括初始注册、跨随机化地址的重新认证、设备管理集成、基于证书的身份绑定以及设备属性关联。我们通过六个不同的应用场景——自带设备、受管设备、基于VPN的状态评估、非VPN状态、访客接入以及物联网设备画像——阐述了该框架的设计，并分析了其在持续MAC地址随机化条件下维持设备可见性、准确许可证计数以及法规遵从性的有效性。该方法与现有802.1X和MAB基础设施兼容，无需客户端操作系统修改，且符合近期发布的RFC 9797和IEEE 802.11bh-2024标准。我们的框架使组织能够在维护法规遵从性的同时，保留MAC地址随机化旨在提供的隐私保护优势。