Meraki says the randomized MAC stays the same for a given SSID:

"If an Apple user upgrades to iOS 14 and visits your location, their device will connect to the network with a randomized MAC address. This MAC address is different from the device MAC address, is SSID specific, and will remain the same for a given SSID."

Source: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_and_iOS_14_MAC_Address_Randomization#:~:text=If%20an%20Apple%20user%20upgrades,same%20for%20a%20given%20SSID.

It doesn't sound like the MAC is randomly changing hour to hour. Apple says:

"After the device successfully connects using a private address, that MAC address is used for future connections to that Wi-Fi network. Exceptions: Starting with iOS 15, iPadOS 15, and watchOS 8, if the device hasn’t joined the network in 6 weeks, it uses a different private address the next time it joins the network. If the device is made to forget the network, it will also forget the private address it used with that network, unless it has been less than 2 weeks since the last time it was made to forget that network."

Source: https://support.apple.com/en-us/HT211949

Our clients are the same day in and out. We would see little if any visitor traffic.
I'm noticing a ton of AP spoof alerts in the logs across ALL of our client sites. We have dozens of Meraki customers. All different orgs and different environments, but one universal thing I am seeing is numerous AP spoofs everywhere. When I check the alert details and cross reference the dst MAC to the clients page I am seeing that each one is an iPhone with iOS 15.

Event Details:

Client Details:

The alerts are only showing when the buildings are occupied (roughly 7AM to 6PM). They seem to float throughout the building (spanning multiple floors). There is no other wireless equipment at our customer sites. It's all Meraki APs and Meraki switches or Meraki APs and Cisco switches.

We've seen a huge influx of connectivity issues over the last few months. Some of that seems to have been solved by updating to 28.6, but issues still remain. I am trying to get to the bottom of these alerts and figure out if they are the source of the connectivity problems.

Wondering if anyone has seen this or if they can check their event logs and let me know if this is common.