MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Here to help

I have a client MacBook Pro which shows up every single day under connected clients, and is listed under MX events as an IDS alert. This Mac was never connected through VPN, and has not been in the building for over a month. The IP address that it resolves to varies, but sometimes resolves to the firewall itself. I will be honest, I am a little worried, but the MX does always pick it up and block it. Almost 2 months ago I went over this Mac with a fine-tooth comb and did extensive malware/spyware/rootkit/virus scanning of the device, which ALL came out clean. Sometimes the IP address it resolves to is one of our VMware IPs.

So in summary, the device is not in the building, nor is it connected through VPN. It shows up every day in MX events as an IDS alert, with the reported IP as either the MX itself or one of the IPs associated with our VMware servers. Another tidbit: this Mac was never domain joined; that was before my time. I like a good puzzle, but I have tried to figure this one out by myself long enough. Nothing in DNS or DHCP. I thought scavenging maybe wasn't working, but it looks OK.

Nothing listed in AD at all that references this, neither computer nor user. Don't know if this matters, but it says MacBook-Pro, Meraki Network OS in the IDS alert.

Thank you in advance! I appreciate it. 

8 REPLIES
Getting noticed

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Strange. What client tracking option do you have selected?

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client_Tracking_Options

Kind of a big deal

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

As mentioned, what client tracking option are you using? I would also open a case with support, because it sounds like something isn't quite right in the dashboard reporting.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Here to help

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

The default: MAC address

Here to help

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Don't know if this took or not.

Client tracking is set to default: MAC address

Kind of a big deal

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

There are two frequent occurrences of this happening:

  • You are using an MR configured with a NAT mode SSID. This makes all the clients appear as one to the MX.
  • You have a L3 device in your network with downstream VLANs. The L3 device makes all the clients appear as itself.

Ignore the IP address. Look at the MAC address of the thing causing the alerts and then track down that MAC address.
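
One way to act on that advice is to group the IDS alerts by client MAC rather than by reported IP, and check whether every IP ever reported for that MAC belongs to the MX or to infrastructure (which is what a NAT-mode SSID or an L3 hop produces). The script below is an added example, not code from this thread or from Meraki; the alert records, the MX LAN address (10.0.0.1) and the VMware range (10.0.20.0/24) are constructed assumptions, and the field names are loosely modelled on what the poster describes rather than on any real dashboard export.

```python
"""Group IDS alerts by client MAC and flag MACs whose reported IPs are never a real host.

Added example (not from the thread or from Meraki). When an L3 switch or a NAT-mode
SSID sits between the clients and the MX, the IP in an IDS alert is the hop's address,
not the client's, so the MAC is the only field worth chasing.
"""
from collections import Counter, defaultdict
import ipaddress

# Assumed network facts for this example; substitute your own.
MX_LAN_IP = "10.0.0.1"
INFRA_NETWORKS = ["10.0.20.0/24"]  # e.g. the VMware host range

# Constructed sample alerts (not real export data). The same MAC appears with
# inconsistent formatting and with IPs that are the MX or a VMware host.
SAMPLE_ALERTS = [
    {"ts": "2020-01-06T03:12:00Z", "mac": "AA:BB:CC:DD:EE:01", "name": "MacBook-Pro", "ip": "10.0.0.1",   "sig": "SIG-A"},
    {"ts": "2020-01-07T03:12:00Z", "mac": "aa-bb-cc-dd-ee-01", "name": "MacBook-Pro", "ip": "10.0.20.15", "sig": "SIG-A"},
    {"ts": "2020-01-08T03:12:00Z", "mac": "aa:bb:cc:dd:ee:01", "name": "MacBook-Pro", "ip": "10.0.0.1",   "sig": "SIG-A"},
    {"ts": "2020-01-08T09:40:00Z", "mac": "11:22:33:44:55:66", "name": "desk-pc-07",  "ip": "10.0.30.42", "sig": "SIG-B"},
]


def normalize_mac(mac):
    """Lower-case, colon-separated form so the same NIC groups together."""
    return mac.strip().lower().replace("-", ":")


def oui(mac):
    """First three octets (vendor prefix) of a normalized MAC."""
    return normalize_mac(mac)[:8]


def classify_ip(ip, mx_ip=MX_LAN_IP, infra_networks=INFRA_NETWORKS):
    """'mx' if the IP is the firewall, 'infra' if it is in a known server range, else 'host'."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address(mx_ip):
        return "mx"
    if any(addr in ipaddress.ip_network(net) for net in infra_networks):
        return "infra"
    return "host"


def summarize_by_mac(alerts, mx_ip=MX_LAN_IP, infra_networks=INFRA_NETWORKS):
    """Collapse alerts onto their MAC: alert count, names seen, IPs seen, and IP classes."""
    groups = defaultdict(lambda: {"count": 0, "names": set(), "ips": set(), "classes": Counter()})
    for alert in alerts:
        group = groups[normalize_mac(alert["mac"])]
        group["count"] += 1
        group["names"].add(alert["name"])
        group["ips"].add(alert["ip"])
        group["classes"][classify_ip(alert["ip"], mx_ip, infra_networks)] += 1
    return dict(groups)


def ip_is_unreliable(group):
    """True when no alert for this MAC ever carried a plausible client IP."""
    return group["classes"]["host"] == 0


def macs_to_chase(summary):
    """MACs to look up in switch MAC tables / wireless client lists, ignoring the IP."""
    return sorted(mac for mac, group in summary.items() if ip_is_unreliable(group))


if __name__ == "__main__":
    summary = summarize_by_mac(SAMPLE_ALERTS)
    for mac, group in summary.items():
        print(f"{mac} (OUI {oui(mac)}): {group['count']} alerts, names={sorted(group['names'])}, "
              f"ips={sorted(group['ips'])}, classes={dict(group['classes'])}")
    print("Chase by MAC, ignore IP:", macs_to_chase(summary))
```

Feed it a real alert export and the MACs it returns are the ones to search for in the MS switch MAC tables and MR client lists; the OUI tells you whether the prefix is Apple's, which is a quick sanity check against the "MacBook-Pro" name in the alert.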

Getting noticed

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Hm, sounds like it's time to open a case to ask why it thinks that device is still kicking around.

Here to help

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Meraki does recommend that I use "Unique Client Identifier", but it is marked as beta, so I am a little hesitant to change. All MAC addresses associated with this client are in all cases either the MX firewall itself or one of the IP addresses associated with our VMware server farm. It never traces back to a real client. Other than client tracking, what would change if I switched over to "Unique Client Identifier"?

Thank you everyone that has chimed in. I was not aware of different tracking methods, I am at least now a "little" smarter 🤣🤣🤣

Kind of a big deal

Re: MacBook Pro Identified every day as IDS alert but has not been in building over a month?

Unless you change the SSID on the MR to run in bridge mode, the client tracking method used by the MX is not going to make any difference to your IPS alerts.
"Unique Client Identifier" works better than MAC based tracking when you are using a L3 MS in your network.
