I have a client MacBook Pro which shows up every single day under connected clients, and is listed under MX events as an IDS alert. This Mac was never connected through VPN, and has not been in the building for over a month. The IP address that it resolves to varies, but sometimes resolves to the firewall itself. I will be honest, I am a little worried, but the MX does always pick it up and block it. Almost 2 months ago I went over this Mac with a fine-tooth comb and did extensive malware/spyware/rootkit/virus scanning of the device, which ALL came out clean. Sometimes the IP address it resolves to is one of our VMware IPs.
So in summary, the device is not in the building, nor is it connected through VPN. It shows up every day in MX events as an IDS alert, with the reported IP as either the MX itself, or one of the IPs associated with our VMware servers. Another tidbit: this Mac was never domain joined, which was before my time. I like a good puzzle, but I have tried to figure this one out by myself long enough. Nothing in DNS or DHCP. I thought scavenging maybe wasn't working, but it looks ok.
Nothing listed in AD at all that references this, computer nor user. Don't know if this matters, but it says MacBook-Pro, Meraki Network OS in the IDS alert.
Thank you in advance! I appreciate it.
Strange. What client tracking option do you have selected?
https://documentation.meraki.com/MX/Monitoring_and_Reporting/Client_Tracking_Options
As mentioned, what client tracking option are you using? I would also open a case with support, because it sounds like something isn't quite right in the dashboard reporting.
The default: MAC address
Don't know if this took or not.
Client tracking is set to default: MAC address
Hm, sounds like it's time to open a case to ask why it thinks that device is still kicking around.
There are two frequent occurrences of this happening:
Ignore the IP address. Look at the MAC address of the thing causing the alerts and then track down that mac address.
Meraki does recommend that I use "Unique Client Identifier", but it is marked as beta, so I am a little hesitant to change. All MAC addresses associated with this client are in all cases either the MX firewall itself, or one of the IP addresses associated with our VMware server farm. It never traces back to a real client. Other than client tracking, what would change if I switched over to "Unique Client Identifier"?
Thank you everyone that has chimed in. I was not aware of different tracking methods, I am at least now a "little" smarter 🤣🤣🤣
Unless you change the SSID on the MR to run in bridge mode, the client tracking method used by the MX is not going to make any difference to your IPS alerts.
"Unique Client Identifier" works better than MAC based tracking when you are using a L3 MS in your network.