cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

iPhone/iOS Causing Lots of AP Spoof Event Alerts

SOLVED
Go to solution
NickyFresh
New here
‎03-23-2022 08:37 PM
‎03-23-2022 08:37 PM

iPhone/iOS Causing Lots of AP Spoof Event Alerts

I'm noticing a ton of AP spoof alerts in the logs across ALL of our client sites. We have dozens of Meraki customers. All different orgs and different environments, but one universal thing I am seeing is numerous AP spoofs everywhere.

 

NickyFresh_0-1648078977782.png

 

When I check the alert details and cross reference the dst MAC to the clients page I am seeing that each one is an iPhone with iOS 15.

 

Event Details:

 

NickyFresh_0-1648093118415.png

Client Details:

 

NickyFresh_0-1648092320488.png

 

The alerts are only showing when the buildings are occupied (roughly 7AM to 6PM). They seem to float throughout the building (spanning multiple floors). There is no other wireless equipment at our customer sites. It's all Meraki APs and Meraki switches or Meraki APs and Cisco switches.

 

We've seen a huge influx of connectivity issues over the last few months. Some of that seems to have been solved by updating to 28.6, but issues still remain. I am trying to get to the bottom of these alerts and figure out if they are the source of the connectivity problems.

 

Wondering if anyone has seen this or if they can check their event logs and let me know if this is common.

0 Kudos
Subscribe
1 ACCEPTED SOLUTION
Ryan_Miles
Meraki Employee
Meraki Employee
‎03-23-2022 09:27 PM
‎03-23-2022 09:27 PM

From what I gather firmware 28 might show false positives for AP spoofs and engineering is working on root cause & a fix. Sounds like it's purely a cosmetic issue at the moment.

 

I see a few occurrences of it on my network. And checked some other larger networks and they also see a number of events especially if they've seen a lot of connected clients. 

View solution in original post

Subscribe
8 REPLIES 8
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎03-23-2022 08:40 PM
‎03-23-2022 08:40 PM

@NickyFresh I suspect this is because of Apples private MAC address feature. 

btr.net.nz
0 Kudos
Subscribe
In response to BlakeRichardson
NickyFresh
New here
‎03-23-2022 09:05 PM
‎03-23-2022 09:05 PM

Meraki says the randomized MAC stays the same for a given SSID:

 

If an Apple user upgrades to iOS 14 and visits your location, their device will connect to the network with a randomized MAC address. This MAC address is different from the device MAC address, is SSID specific, and will remain the same for a given SSID.

 

Source: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_and_iOS_14_MAC....

 

It doesn't sound like the MAC is randomly changing hour to hour.

 

Apple says:

 

After the device successfully connects using a private address, that MAC address is used for future connections to that Wi-Fi network. Exceptions:

  • Starting with iOS 15, iPadOS 15, and watchOS 8, if the device hasn’t joined the network in 6 weeks, it uses a different private address the next time it joins the network.
  • If the device is made to forget the network, it will also forget the private address it used with that network, unless it has been less than 2 weeks since the last time it was made to forget that network.

Source: https://support.apple.com/en-us/HT211949 

 

Our clients are the same day in and out. We would see little if any visitor traffic.

0 Kudos
Subscribe
Ryan_Miles
Meraki Employee
Meraki Employee
‎03-23-2022 09:27 PM
‎03-23-2022 09:27 PM

From what I gather firmware 28 might show false positives for AP spoofs and engineering is working on root cause & a fix. Sounds like it's purely a cosmetic issue at the moment.

 

I see a few occurrences of it on my network. And checked some other larger networks and they also see a number of events especially if they've seen a lot of connected clients. 

Subscribe
In response to Ryan_Miles
NickyFresh
New here
‎03-24-2022 02:28 AM
‎03-24-2022 02:28 AM

@Ryan_Miles thank you!

0 Kudos
Subscribe
In response to Ryan_Miles
SxrRacer192
New here
‎10-31-2022 11:05 AM
‎10-31-2022 11:05 AM

Has there been an update on this? I am experiencing these spoofs on my network. Seems to be Iphone 11 or older.

0 Kudos
Subscribe
In response to Ryan_Miles
geoffreygiulino
Meraki Employee
Meraki Employee
‎09-29-2023 11:08 AM
‎09-29-2023 11:08 AM

Looks like the MR30.3 release has a fix out now for this!

 

Per release notes: 

Bug fixes

  • APs reporting other in-network APs as spoofs
Subscribe
StefanvdL
Just browsing
‎06-20-2023 11:04 PM
‎06-20-2023 11:04 PM

Hi there, We use MR46 AP's with firmware version 29.5.1 and still see spoofs from iPhones, iOS 14 and later. 

Is there an update about this issue? 

 

Thank you in advance! 

 

Stefan

 

0 Kudos
Subscribe
van604
Getting noticed
‎06-21-2023 12:27 PM
‎06-21-2023 12:27 PM

glad this popped up, this was driving us mad trying to figure out, monitoring this thread for more details.  thanks in advance

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2023 Meraki