Hi everyone, I'm facing a problem that I hope someone here can help me solve or point me to a workaround for finding the information within the Meraki portal. To begin, my question is simple as stated above.
If I have an IP address of 10.10.15.4, for example, what is the easiest, most simple way to find out under which Network that IP belongs and which AP/SSID the IP was connected to?
The reason for this is we have these alerts generated from our SIEM and we have rules in our SIEM that would tag a device as non-corporate device if it satisfies certain criteria. So when something like that comes up we need to dig in and identify the device so we can identify the user and follow up etc.
In Meraki we have about 100+ Networks defined and each with different numbers of APs (1 network has 40+ APs) with about 3-4 SSIDs, so I'm having a very hard time trying to figure out where I should begin my investigation. Is there anything out there that can help with this? Maybe something like a master list/report that shows all clients and IP addresses along with their networks and APs as a table or something?
Thank you in advance!
The Meraki API is your friend. You could very easily dump all clients to a CSV file and use grep (or Ctrl-F in Excel) to find the offending IP address. Lots of information is available to you with regard to the association to AP/SSID, networks, etc.
How does your SIEM get its information? Are you using NAT mode on the access points (I'm asking because the IP address you gave is in the 10.0.0.0/8 range)?
Hi BrechtSchamp,
SIEM gets the information from network traffic; we are monitoring network activity and not sending syslogs yet, although I am in the process of sending the syslogs to Sumologic for better analysis. Currently looking at the Meraki dashboard settings, Wireless > Configure > SSIDs > Client IP Assignment is set to Meraki DHCP (NAT Mode: Use Meraki DHCP).
Hi Cain, can you provide information on how to do this? I'm not very familiar with the APIs but I do have people on my team that can do something if we can provide some instructions.
Hey mate,
All you (your team) need is something that has Internet access and Python 3 installed. You need to install the Meraki Python library (make sure to install version 0.x.x - pip3 install meraki==0.x.x). One of their example files is called org_wide_clients_v0.py
Have a look at their GitHub page: https://github.com/meraki/dashboard-api-python. You can modify this script to output just what you need.
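
Added example (not part of the thread and not Meraki's script): once the clients are dumped to CSV as suggested above, an exact-match search narrowed by the SIEM alert time avoids two pitfalls of a plain grep, namely substring hits such as 10.10.15.40 and the same private IP possibly appearing in more than one network. The column names, timestamp format and sample rows are constructed assumptions; map them to whatever your export produces.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an organization-wide client dump. The column names
# (including networkName) are assumptions; rename them to match your CSV.
SAMPLE_CSV = """\
networkName,mac,description,ip,ssid,recentDeviceName,firstSeen,lastSeen
Branch-01,aa:bb:cc:00:00:01,laptop-1,10.10.15.4,Corp,AP-Lobby,2024-05-01T08:00:00Z,2024-05-01T09:30:00Z
Branch-02,aa:bb:cc:00:00:02,phone-7,10.10.15.4,Guest,AP-Floor2,2024-05-01T12:00:00Z,2024-05-01T13:00:00Z
Branch-02,aa:bb:cc:00:00:03,tablet-3,10.10.15.40,Guest,AP-Floor2,2024-05-01T08:00:00Z,2024-05-01T09:00:00Z
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format in the dump


def _ts(value):
    return datetime.strptime(value.strip(), TS_FORMAT)


def find_ip(csv_text, ip, alert_time=None, slack_minutes=15):
    """Return client rows for `ip`, newest first.

    If alert_time is given, keep only clients seen on the network within
    slack_minutes of that time, which separates reuse of one private IP
    across several networks.
    """
    slack = timedelta(minutes=slack_minutes)
    when = _ts(alert_time) if alert_time else None
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Exact comparison: grep "10.10.15.4" would also match 10.10.15.40.
        if row["ip"].strip() != ip:
            continue
        if when and not (_ts(row["firstSeen"]) - slack <= when
                         <= _ts(row["lastSeen"]) + slack):
            continue
        hits.append(row)
    return sorted(hits, key=lambda r: _ts(r["lastSeen"]), reverse=True)


def where_was(csv_text, ip, alert_time=None):
    """Reduce matches to (network, AP, SSID, MAC) tuples for the analyst."""
    return [(r["networkName"], r["recentDeviceName"], r["ssid"], r["mac"])
            for r in find_ip(csv_text, ip, alert_time)]


if __name__ == "__main__":
    for hit in where_was(SAMPLE_CSV, "10.10.15.4", "2024-05-01T09:00:00Z"):
        print(*hit, sep=" | ")
```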