Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

False Positive Spoof Alert?

RumorConsumer
Head in the Cloud
‎Dec 9 2021 8:38 PM
‎Dec 9 2021 8:38 PM

False Positive Spoof Alert?

I live out in the middle of nowhere in Northern California. There isnt even Verizon signal. 

 

I have 37 APs connected to a 250Mb fiber line and not a lot of people around us.

 

I have seen on my Air Marshall a few spoofing alerts recently. I have a hard time believing these are real.

 

In one case, it says there is AP spoofing happening and then the MAC address given doesn't even exist on my Here's what I see

RumorConsumer_0-1639111003952.png

Neither of those MAC addresses appear on my network and maybe they shouldn't. My APs are about 1/4 of a mile apart at most. Its a large campground/retreat center.

 

Any insights?

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
10 Replies 10
RumorConsumer
Head in the Cloud
‎Dec 9 2021 8:48 PM
‎Dec 9 2021 8:48 PM

For the last week... This just seems nuts...

RumorConsumer_0-1639111694730.png

 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
In response to RumorConsumer
BrandonS
Kind of a big deal
‎Dec 9 2021 10:12 PM
‎Dec 9 2021 10:12 PM

The MAC addresses are Meraki: https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Calculating_Cisco_Meraki_BSSID_MA...

 

They are likely yours and you should be able to find them in your dashboard to verify.  It could be false positive, but I would think Meraki would know better than to flag one of it’s own..

- Ex community all-star (⌐⊙_⊙)
0 Kudos
Subscribe
In response to BrandonS
RumorConsumer
Head in the Cloud
‎Dec 9 2021 10:56 PM
‎Dec 9 2021 10:56 PM

Wow thanks man. That seems to be what is happening. All the MAC addresses of the "spoofs" roughly correspond to all my AP MAC addresses according to that key. So wild. Why would those be considered spoofs? So strange. The SSID spoof part I can't figure out tho. 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
In response to RumorConsumer
Ryan_Miles
Meraki Employee
Meraki Employee
‎Dec 10 2021 8:55 AM
‎Dec 10 2021 8:55 AM

I took a peek at your network. Are there any non Meraki APs in use anywhere on the property/connected to the same wired network?

0 Kudos
Subscribe
In response to Ryan_Miles
RumorConsumer
Head in the Cloud
‎Dec 10 2021 9:33 AM
‎Dec 10 2021 9:33 AM

There are not. I am sure. The property is so well covered and there isn't anybody who would need to use one. I even asked the other savvy guy on property and he said no and looked at me weird. 

We have a couple Ubiquity wireless PtP shots but those have never been exposed to our wifi keys and are busy doing their own thing. Thats it. 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
In response to RumorConsumer
Ryan_Miles
Meraki Employee
Meraki Employee
‎Dec 10 2021 10:29 AM
‎Dec 10 2021 10:29 AM

I've seen other instances where non Meraki repeaters are in the network and it causes AP spoofs alerts

0 Kudos
Subscribe
In response to Ryan_Miles
RumorConsumer
Head in the Cloud
‎Dec 10 2021 10:33 AM
‎Dec 10 2021 10:33 AM

I believe you. And no network repeaters here. Plus a network repeater would need to be pulling a DHCP address right? It would need to be an active client, no? Otherwise if it were just a spoof it would be trying to convince my clients to join it but then it wouldn't offer any network connectivity or LAN access. Id have some pretty angry users. And wouldn't a spoof need to have credentials that my clients wouldn't be able to provide? Sounds like it would break things pretty noticeably. 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
RumorConsumer
Head in the Cloud
‎Dec 9 2021 8:49 PM
‎Dec 9 2021 8:49 PM

There is no other real internet around us here and if any of my 60 something daily clients were having issues Id hear about it. I have all Macs and iOS.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
In response to RumorConsumer
Ryan_Miles
Meraki Employee
Meraki Employee
‎Dec 9 2021 9:50 PM
‎Dec 9 2021 9:50 PM

sounds like this requires some on sight troubleshooting. i'd be happy to come stay a week and help out 😉

Subscribe
In response to Ryan_Miles
RumorConsumer
Head in the Cloud
‎Dec 9 2021 9:51 PM
‎Dec 9 2021 9:51 PM

We have organic food and cheffing 7 days a week. Come on out and tell me why this is happening. I got you.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.