Meraki

Community

802.1x and Malware Identification

Solved
Ryan2024
Here to help
‎Jan 14 2025 5:36 AM
‎Jan 14 2025 5:36 AM

802.1x and Malware Identification

Hi all,

 

I'm new to networking and recently started with a new company. I haven't been able to get an answer to this, so I thought I'd try here.

 

My understanding is that because we use 802.1x and have to configure each AP's IP address on our firewall, when our SOC identifies malware on an endpoint, they can only see the AP's IP address. So if there's, say, 10-20 devices on the AP, there's no way to know exactly which device needs to be remediated.

 

1. Is this a common implementation? It seems...not great, from a security perspective. 

2. Are there any alternatives with our current infrastructure, or would the solution be to move away from 802.1x to something like FortiNAC?

3. Did anything that I just said make any sense, or should I change careers (again)?

 

I appreciate your time.

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 14 2025 1:10 PM
‎Jan 14 2025 1:10 PM

Several thoughts.

 

1. You could get the SOC to monitor the APs and the firewall.  Then they'll be able to see clients.

2. You are probably using SSID NAT mode.  If you create a dedicated VLAN for guests, and bridge the SSID to that VLAN they'll be able to see the individual clients on the firewall.

View solution in original post

8 Replies 8
alemabrahao
Kind of a big deal
‎Jan 14 2025 6:21 AM
‎Jan 14 2025 6:21 AM

I believe they are monitoring incorrectly, regardless of whether the client is on Wi-Fi or wired network, they should be able to identify the source of the alert.

I believe they should correct the monitoring.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
‎Jan 14 2025 6:43 AM
‎Jan 14 2025 6:43 AM

By the way, I don't know how you are monitoring but Trellix can be a great ally in these cases.

 

https://www.trellix.com/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Ryan2024
Here to help
‎Jan 14 2025 7:49 AM
‎Jan 14 2025 7:49 AM

Thank you - I'll reach out to our SOC for clarification.

0 Kudos
Mloraditch
Kind of a big deal
‎Jan 14 2025 6:48 AM
‎Jan 14 2025 6:48 AM

If you are using NAT mode for your wireless clients on any of your ssids, then any upstream device will only see the traffic as sourcing from the AP so this is entirely possible, although it has nothing to do with 802.1x. That functionality can work with or without NAT mode.

You can change your ssids to drop off to a VLAN the firewall can fully see to alleviate the issue.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Mloraditch
alemabrahao
Kind of a big deal
‎Jan 14 2025 7:39 AM
‎Jan 14 2025 7:39 AM

In this case it makes sense.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Mloraditch
Ryan2024
Here to help
‎Jan 14 2025 8:02 AM
‎Jan 14 2025 8:02 AM

I just double-checked, and we do have NAT mode enabled on our SSIDs. Do you know of any major drawbacks or pitfalls to transitioning off of this?

0 Kudos
In response to Ryan2024
alemabrahao
Kind of a big deal
‎Jan 14 2025 8:25 AM
‎Jan 14 2025 8:25 AM

The biggest disadvantage is that in NAT mode, client devices will always use the AP's IP to communicate with any resource.

If you need to monitor client IPs, use bridge mode.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 14 2025 1:10 PM
‎Jan 14 2025 1:10 PM

Several thoughts.

 

1. You could get the SOC to monitor the APs and the firewall.  Then they'll be able to see clients.

2. You are probably using SSID NAT mode.  If you create a dedicated VLAN for guests, and bridge the SSID to that VLAN they'll be able to see the individual clients on the firewall.

Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.