Meraki

Community

Meraki - alert when previously unseen device connects to the network

Solved
lpopejoy
A model citizen
‎Apr 8 2021 12:57 PM
‎Apr 8 2021 12:57 PM

Meraki - alert when previously unseen device connects to the network

I understand that "previously unseen" may mean "previously unseen in the last 30 days", but at any rate... does anyone know of a magical way to achieve this?

 

I'm working on security assessment, and that is one of the objectives...

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 9 2021 1:59 PM
‎Apr 9 2021 1:59 PM

Have you considered going the other way, and using something like wired 802.1x to only allow authorised devices to connect?

https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X) 

If you have a Meraki MS switch - it's better to do it there.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X) 

 

802.1x can be complicated to setup.  If you are a smaller organisation and want something simpler, create a firewall that does a "deny any any" - blocking everything.  Then create a group policy called "authorised" which overrides this rule granting access.  Then apply the "authorised" group policy to those clients allowed to connect.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

View solution in original post

5 Replies 5
Inderdeep
Kind of a big deal
Kind of a big deal
‎Apr 8 2021 1:14 PM
‎Apr 8 2021 1:14 PM

Are you looking for this ?
https://meraki.cisco.com/blog/2013/02/manage-devices-with-instant-alerts/ 

Inderdeep_0-1617912824177.png

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
In response to Inderdeep
lpopejoy
A model citizen
‎Apr 8 2021 1:29 PM
‎Apr 8 2021 1:29 PM

It only monitors the clients you specify.  What if we want to know if a previously *unknown* client connects?  That's what I'm looking for.  It is SOO close...  

In response to lpopejoy
Inderdeep
Kind of a big deal
Kind of a big deal
‎Apr 8 2021 1:54 PM
‎Apr 8 2021 1:54 PM

I dont think it is possible as if you talk about the production secure network "unknown clients" will never connected earlier. This is security concerns. 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 9 2021 1:59 PM
‎Apr 9 2021 1:59 PM

Have you considered going the other way, and using something like wired 802.1x to only allow authorised devices to connect?

https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X) 

If you have a Meraki MS switch - it's better to do it there.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X) 

 

802.1x can be complicated to setup.  If you are a smaller organisation and want something simpler, create a firewall that does a "deny any any" - blocking everything.  Then create a group policy called "authorised" which overrides this rule granting access.  Then apply the "authorised" group policy to those clients allowed to connect.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... 

In response to PhilipDAth
lpopejoy
A model citizen
‎Apr 12 2021 5:48 AM
‎Apr 12 2021 5:48 AM

@PhilipDAth, I like your idea of applying a default policy for the VLAN and then over riding it on a per client basis.  The only potential issue I see is that if a device is offline for 30 days for some reason, I think the over ride policy will need to be reapplied, but that should be really rare. 

 

Great suggestion, thank you!  🙂

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.