Hi ,
Starting this week , I have been noticing some "phantom" clients. They have "0" usage , null vlan null ip null description and they are all Wireless clients ( probably failed auth , but still got sampled as a valid client ).
{"id":"k6ab678","mac":"12:59:34:a3:4b:f2","description":null,"ip":null,"ip6":null,"ip6Local":null,"user":"dyq8858","firstSeen":"2024-06-26T13:07:36Z","lastSeen":"2024-06-26T13:07:36Z","manufacturer":null,"os":null,"deviceTypePrediction":null,"recentDeviceSerial":"XXXXXXXXXX","recentDeviceName":"XXXXXXXX","recentDeviceMac":"XXXXXXX","recentDeviceConnection":"Wireless","ssid":"XXXXXXX","vlan":"","switchport":null,"usage":{"sent":0,"recv":1,"total":1},"status":"Offline","notes":null,"groupPolicy8021x":null,"adaptivePolicyGroup":null,"smInstalled":false,"pskGroup":null,"wirelessCapabilities":"802.11ac - 2.4 and 5 GHz"}
I found that weird and opened a ticket. Support told me : We expect clients to show up if they currently passed at least 1KB of data (excluding splash page traffic). Which seems to be in direct conflic with :
A client will only appear in the list once it has passed Internet traffic. If a device, such as a LAN printer, does not pass any Internet traffic, then it will not appear in the list.
Either the documentation is invalid or Support is wrong on that OR something recently changed.
Wanted a second opinion on that one.
Cheers ,
Is this a network with another Meraki device family as well, like MX or MS?
Perhaps something is getting mixed up with where it has seen the device traffic.
Full stack , MX MS MR. Client sampling disabled on uplinks and client is seen on MR. Basicly nothing changed config wise or in the topology for all our networks but I keep seeing more and more of those "1kb" clients.
Hi @RaphaelL
Thanks for bringing this up.
The document you mentioned has this section:
"Clients List Displays Zero Usage for a Client, Though the Client Is Passing Traffic
To ensure useful data usage and traffic analysis, certain types of client traffic are filtered and are not counted toward their network usage. Usage information is recorded differently depending on the network layer the client is operating at. Examples of such traffic are:
Unauthorized clients that are operating behind a splash or captive portal
DNS
DHCP
ARP
Note that the above does not apply to switch clients."
Do you see that behaviour you described in a Guest wifi SSID that has splash or captive portal?
Hi ,
No this is a WPA2-Enterprise SSID.
The client was rejected by the RADIUS server , but Meraki did map this "client" as a valid client.
Client didn't pass ANY trafic at all.
Well, that makes sense. That wifi client failed authentication so it was stuck in association phase and having no traffic after RADIUS Access-Reject message. It's essentially the same behaviour described in the doc.
This seems to be an expected behaviour since it is an unauthorised client. Unauthorised wifi clients show as connected with zero usage as long as the Access Point confirms they are associated.
I'll work internally to reproduce this scenario and add this behaviour to our doc.
Thanks a lot for your help. Much appreciated !
My pleasure! Doc is updated now! Thanks for bringing this up.