MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Einstein
Getting noticed


I have a client MacBook Pro which shows up every single day under connected clients, and is listed under MX events as an IDS alert. This Mac was never connected through VPN, and has not been in the building for over a month. The IP address that it resolves to varies, but sometimes it resolves to the firewall itself. I will be honest, I am a little worried, but the MX does always pick it up and block it. Almost 2 months ago I went over this Mac with a fine-tooth comb and did extensive malware/spyware/rootkit/virus scanning of the device, which ALL came out clean. Sometimes the IP address it resolves to is one of our VMware IPs.

So in summary, the device is not in the building, nor is it connected through VPN. It shows up every day in MX events as an IDS alert, with the reported IP as either the MX itself or one of the IPs associated with our VMware servers. Another tidbit: this Mac was never domain joined; that was before my time. I like a good puzzle, but I have tried to figure this one out by myself long enough. Nothing in DNS or DHCP. I thought scavenging maybe wasn't working, but it looks OK.

Nothing listed in AD at all that references this, computer nor user. Don't know if this matters, but it says "MacBook-Pro, Meraki Network OS" in the IDS alert.

Thank you in advance! I appreciate it. 

Adam2104
Building a reputation

Strange. What client tracking option do you have selected?

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client_Tracking_Options

As mentioned, what client tracking option are you using? I would also open a case with support, because it sounds like something isn't quite right in the dashboard reporting.

The default: MAC address

Don't know if this took or not.

Client tracking is set to default: MAC address

Adam2104
Building a reputation

Hm, sounds like it's time to open a case to ask why it thinks that device is still kicking around.

PhilipDAth
Kind of a big deal

There are two frequent occurrences of this happening:

  • You are using an MR configured with a NAT mode SSID. This makes all the clients appear as one to the MX.
  • You have an L3 device in your network with downstream VLANs. The L3 device makes all the clients appear as itself.

Ignore the IP address. Look at the MAC address of the thing causing the alerts and then track down that MAC address.
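The two situations described above (a NAT mode SSID or an L3 device with downstream VLANs) both have the same symptom: every alert carries the MAC of the aggregation point, while the IP and the dashboard's hostname vary or go stale. The following added example (not code from this thread or from Meraki) shows the "ignore the IP, group by MAC" approach on constructed sample alert rows. The row format, the MAC and IP values, the signature names and the `AGGREGATION_POINTS` inventory are all assumptions for illustration, not Meraki's export format or anyone's real addresses.

```python
"""Attribute IDS alerts to the source MAC rather than the reported IP or hostname."""
from collections import defaultdict

# Constructed sample rows in an assumed, simplified shape (NOT Meraki's real
# event format). All MACs, IPs, hostnames and signature names are made up.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:02:11", "client": "MacBook-Pro", "src_ip": "192.168.10.1",  "src_mac": "aa:bb:cc:00:00:01", "sig": "SIG-1"},
    {"time": "2024-03-01T09:15:40", "client": "MacBook-Pro", "src_ip": "192.168.20.14", "src_mac": "aa:bb:cc:00:00:01", "sig": "SIG-1"},
    {"time": "2024-03-02T08:01:57", "client": "MacBook-Pro", "src_ip": "192.168.10.1",  "src_mac": "aa:bb:cc:00:00:01", "sig": "SIG-2"},
    {"time": "2024-03-02T13:22:03", "client": "MacBook-Pro", "src_ip": "192.168.30.5",  "src_mac": "aa:bb:cc:00:00:02", "sig": "SIG-2"},
    {"time": "2024-03-03T10:44:19", "client": "Laptop-07",   "src_ip": "192.168.40.77", "src_mac": "de:ad:be:ef:10:07", "sig": "SIG-2"},
]

# Assumed inventory of devices that sit in front of real clients (an MX LAN
# interface, an L3 switch SVI, an MR in NAT mode, a hypervisor uplink). When an
# alert's source MAC is one of these, its IP and hostname say nothing about the
# real originator; the trail continues on the downstream side of that device.
AGGREGATION_POINTS = {
    "aa:bb:cc:00:00:01": "MX LAN interface / L3 gateway (assumed)",
    "aa:bb:cc:00:00:02": "VMware host uplink shared by all VMs (assumed)",
}


def summarize_by_mac(events):
    """Group alerts by source MAC: count, distinct IPs, hostnames and signatures."""
    out = defaultdict(lambda: {"count": 0, "ips": set(), "names": set(), "sigs": set()})
    for e in events:
        mac = e["src_mac"].lower()
        out[mac]["count"] += 1
        out[mac]["ips"].add(e["src_ip"])
        out[mac]["names"].add(e["client"])
        out[mac]["sigs"].add(e["sig"])
    return dict(out)


def attribute(events, aggregation_points):
    """Label each source MAC as a real client or as an aggregation point.

    For an aggregation point the IP/hostname are not usable for attribution and
    the next step is the downstream side (switch MAC table, DHCP leases on that
    VLAN, or the MR's own client list).
    """
    report = {}
    for mac, s in summarize_by_mac(events).items():
        role = aggregation_points.get(mac)
        report[mac] = {
            "count": s["count"],
            "distinct_ips": len(s["ips"]),
            "names": sorted(s["names"]),
            "signatures": sorted(s["sigs"]),
            "role": role or "real client",
            "traceable_by_mac": role is None,
        }
    return report


def hostname_is_masked(events, aggregation_points, name):
    """True when every alert labelled with `name` came from an aggregation-point MAC.

    In that case the dashboard hostname is a stale label attached to the
    gateway's traffic, not evidence that the named device is on the network.
    """
    macs = {e["src_mac"].lower() for e in events if e["client"] == name}
    return bool(macs) and macs <= set(aggregation_points)


if __name__ == "__main__":
    for mac, row in attribute(SAMPLE_EVENTS, AGGREGATION_POINTS).items():
        print(mac, row)
    print("MacBook-Pro is a masked label:",
          hostname_is_masked(SAMPLE_EVENTS, AGGREGATION_POINTS, "MacBook-Pro"))
```

On the constructed data, every "MacBook-Pro" alert resolves to one of the two aggregation-point MACs and is seen with several different IPs, which is the pattern the thread describes; the "Laptop-07" alert comes from a MAC that is not in the inventory, so that one can be traced directly. To apply the same check to real dashboard data, replace `SAMPLE_EVENTS` with the exported rows and fill `AGGREGATION_POINTS` with the MACs of your own MX, L3 switch, NAT-mode MR and hypervisor interfaces.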

Meraki does recommend I use "Unique Client Identifier", but it is marked as beta, so I am a little hesitant to change. All MAC addresses associated with this client are in all cases either the MX firewall itself or one of the IP addresses associated with our VMware server farm. It never traces back to a real client. Other than client tracking, what would change if I switched over to "Unique Client Identifier"?

Thank you everyone that has chimed in. I was not aware of different tracking methods, I am at least now a "little" smarter 🤣🤣🤣

PhilipDAth
Kind of a big deal

Unless you change the SSID on the MR to run in bridge mode, the client tracking method used by the MX is not going to make any difference to your IPS alerts.


"Unique Client Identifier" works better than MAC-based tracking when you are using an L3 MS in your network.
