Meraki - alert when previously unseen device connects to the network

Solved
lpopejoy
A model citizen

I understand that "previously unseen" may mean "previously unseen in the last 30 days", but at any rate... does anyone know of a magical way to achieve this?

 

I'm working on a security assessment, and that is one of the objectives...

1 Accepted Solution
PhilipDAth
Kind of a big deal

Have you considered going the other way, and using something like wired 802.1x to only allow authorised devices to connect?

https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X) 

If you have a Meraki MS switch - it's better to do it there.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X) 

 

802.1x can be complicated to set up.  If you are a smaller organisation and want something simpler, create a firewall that does a "deny any any" - blocking everything.  Then create a group policy called "authorised" which overrides this rule granting access.  Then apply the "authorised" group policy to those clients allowed to connect.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

5 Replies
Inderdeep
Kind of a big deal

Are you looking for this?
https://meraki.cisco.com/blog/2013/02/manage-devices-with-instant-alerts/ 

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
lpopejoy
A model citizen

It only monitors the clients you specify.  What if we want to know if a previously *unknown* client connects?  That's what I'm looking for.  It is SOO close...  

Inderdeep
Kind of a big deal

I don't think it is possible, as if you talk about a production secure network, "unknown clients" will never have connected earlier. This is a security concern.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
lpopejoy
A model citizen

@PhilipDAth, I like your idea of applying a default policy for the VLAN and then overriding it on a per client basis.  The only potential issue I see is that if a device is offline for 30 days for some reason, I think the override policy will need to be reapplied, but that should be really rare. 

 

Great suggestion, thank you!  🙂
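
Added example (not from any poster in this thread, and not Meraki code): one way to get a "previously unseen device" alert that does not age out after 30 days is to keep your own persistent baseline of MAC addresses and diff each client-list poll against it. The record fields `mac` and `description`, the sample polls and the function names are assumptions made for this sketch; how the client list is fetched is left out.

```python
import re

# Constructed sample data: two successive polls of a client list.
POLL_1 = [
    {"mac": "00:11:22:AA:BB:CC", "description": "front-desk-pc"},
    {"mac": "0011.22aa.bbdd", "description": "printer"},
]
POLL_2 = [
    {"mac": "00-11-22-aa-bb-cc", "description": "front-desk-pc"},  # same device, other notation
    {"mac": "a4:5e:60:01:02:03", "description": "unknown-laptop"},
    {"mac": "da:a1:19:0b:0c:0d", "description": "phone"},          # locally administered MAC
    {"mac": "not-a-mac", "description": "bad record"},
]

def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", raw or "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally-administered bit is set, as it is for randomized
    (private) MACs. Such a device looks new each time its address changes."""
    return bool(int(mac[:2], 16) & 0x02)

def poll(baseline, clients, poll_time):
    """Add clients to the baseline (entries never expire) and return one alert
    per first sighting. baseline maps normalized MAC -> time first seen."""
    alerts = []
    for client in clients:
        try:
            mac = normalize_mac(client.get("mac"))
        except ValueError:
            # Malformed records are reported every poll and never baselined.
            alerts.append({"mac": client.get("mac"), "reason": "unparseable MAC"})
            continue
        if mac in baseline:
            continue
        baseline[mac] = poll_time
        reason = "new randomized MAC" if is_locally_administered(mac) else "new device"
        alerts.append({"mac": mac, "reason": reason,
                       "description": client.get("description")})
    return alerts

if __name__ == "__main__":
    seen = {}
    poll(seen, POLL_1, "poll-1")           # first run seeds the inventory
    for alert in poll(seen, POLL_2, "poll-2"):
        print(alert)
```

A MAC baseline only tells you an address is new, not who owns it, so it complements rather than replaces the deny-by-default policy suggested above.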
