Meraki

Community

iPhone/iOS Causing Lots of AP Spoof Event Alerts

Solved
NickyFresh
New here
‎Mar 23 2022 8:37 PM
‎Mar 23 2022 8:37 PM

iPhone/iOS Causing Lots of AP Spoof Event Alerts

I'm noticing a ton of AP spoof alerts in the logs across ALL of our client sites. We have dozens of Meraki customers. All different orgs and different environments, but one universal thing I am seeing is numerous AP spoofs everywhere.

 

NickyFresh_0-1648078977782.png

 

When I check the alert details and cross reference the dst MAC to the clients page I am seeing that each one is an iPhone with iOS 15.

 

Event Details:

 

NickyFresh_0-1648093118415.png

Client Details:

 

NickyFresh_0-1648092320488.png

 

The alerts are only showing when the buildings are occupied (roughly 7AM to 6PM). They seem to float throughout the building (spanning multiple floors). There is no other wireless equipment at our customer sites. It's all Meraki APs and Meraki switches or Meraki APs and Cisco switches.

 

We've seen a huge influx of connectivity issues over the last few months. Some of that seems to have been solved by updating to 28.6, but issues still remain. I am trying to get to the bottom of these alerts and figure out if they are the source of the connectivity problems.

 

Wondering if anyone has seen this or if they can check their event logs and let me know if this is common.

0 Kudos
1 Accepted Solution
Ryan_Miles
Meraki Employee
Meraki Employee
‎Mar 23 2022 9:27 PM
‎Mar 23 2022 9:27 PM

From what I gather firmware 28 might show false positives for AP spoofs and engineering is working on root cause & a fix. Sounds like it's purely a cosmetic issue at the moment.

 

I see a few occurrences of it on my network. And checked some other larger networks and they also see a number of events especially if they've seen a lot of connected clients. 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

8 Replies 8
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Mar 23 2022 8:40 PM
‎Mar 23 2022 8:40 PM

@NickyFresh I suspect this is because of Apples private MAC address feature. 

0 Kudos
In response to BlakeRichardson
NickyFresh
New here
‎Mar 23 2022 9:05 PM
‎Mar 23 2022 9:05 PM

Meraki says the randomized MAC stays the same for a given SSID:

 

If an Apple user upgrades to iOS 14 and visits your location, their device will connect to the network with a randomized MAC address. This MAC address is different from the device MAC address, is SSID specific, and will remain the same for a given SSID.

 

Source: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_and_iOS_14_MAC....

 

It doesn't sound like the MAC is randomly changing hour to hour.

 

Apple says:

 

After the device successfully connects using a private address, that MAC address is used for future connections to that Wi-Fi network. Exceptions:

  • Starting with iOS 15, iPadOS 15, and watchOS 8, if the device hasn’t joined the network in 6 weeks, it uses a different private address the next time it joins the network.
  • If the device is made to forget the network, it will also forget the private address it used with that network, unless it has been less than 2 weeks since the last time it was made to forget that network.

Source: https://support.apple.com/en-us/HT211949 

 

Our clients are the same day in and out. We would see little if any visitor traffic.

0 Kudos
Ryan_Miles
Meraki Employee
Meraki Employee
‎Mar 23 2022 9:27 PM
‎Mar 23 2022 9:27 PM

From what I gather firmware 28 might show false positives for AP spoofs and engineering is working on root cause & a fix. Sounds like it's purely a cosmetic issue at the moment.

 

I see a few occurrences of it on my network. And checked some other larger networks and they also see a number of events especially if they've seen a lot of connected clients. 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
NickyFresh
New here
‎Mar 24 2022 2:28 AM
‎Mar 24 2022 2:28 AM

@Ryan_Miles thank you!

0 Kudos
In response to Ryan_Miles
SxrRacer192
New here
‎Oct 31 2022 11:05 AM
‎Oct 31 2022 11:05 AM

Has there been an update on this? I am experiencing these spoofs on my network. Seems to be Iphone 11 or older.

0 Kudos
In response to Ryan_Miles
geoffreygiulino
Meraki Employee
Meraki Employee
‎Sep 29 2023 11:08 AM
‎Sep 29 2023 11:08 AM

Looks like the MR30.3 release has a fix out now for this!

 

Per release notes: 

Bug fixes

  • APs reporting other in-network APs as spoofs
StefanvdL
Just browsing
‎Jun 20 2023 11:04 PM
‎Jun 20 2023 11:04 PM

Hi there, We use MR46 AP's with firmware version 29.5.1 and still see spoofs from iPhones, iOS 14 and later. 

Is there an update about this issue? 

 

Thank you in advance! 

 

Stefan

 

0 Kudos
van604
Building a reputation
‎Jun 21 2023 12:27 PM
‎Jun 21 2023 12:27 PM

glad this popped up, this was driving us mad trying to figure out, monitoring this thread for more details.  thanks in advance

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.