When looking at Wireless Clients in my Meraki I only see the Aerohive MAC, how can I see the workstation MAC

  • 1
  • Question
  • Updated 2 years ago
Trying to use MAC Address whitelisting in our Meraki Firewall. But wireless clients only show as the Aerohive they are connected to. How can I see the workstation MAC instead?
Photo of Corey Ammons

Corey Ammons

  • 3 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Photo of BJ

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
Corey, 
Which APs are in use? What seems odd to me is that the APs should only be used as wireless bridges, thus the client MAC would be passed on to upstraem devices. Only is a situation where NAT is being used should change the MAC address. Can you look at a switch to verify the MAC address table of the port the AP is connected?

Best,
BJ
Photo of Corey Ammons

Corey Ammons

  • 3 Posts
  • 0 Reply Likes
we are using the AP 121
Photo of Corey Ammons

Corey Ammons

  • 3 Posts
  • 0 Reply Likes
Yes, the MAC Address on the port is correct
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Corey,

Just reiterating what BJ has already said.

The AP121 won't be performing routing/NAT, so the MAC addresses of the clients will almost certainly be exposed past the AP.

Are you using a VPN in any way?

Nick
(Edited)
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
This sounds to me as if the AP121 is performing NAT (an administrator choice, check the config in the management platform) or the Meraki firewall only sees the management VLAN traffic from the access points, not the client-traffic-bearing VLANs.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I didn't think the AP121 could perform NAT, lodged in my memory based off a post Sam Keys made: https://community.aerohive.com/aerohive/topics/ap121_nating_and_firewalling?topic-reply-list%5Bsetti...
(Edited)
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
But rereading that, I obviously didn't read it properly the first time around. :-)
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
D'oh!! Nick, you are probably right; that was a brain fart on my part. I don't want to cleanup/edit my response now that the thread of conversation has moved on, so I'll just post this mea culpa here.
(Edited)
Photo of BJ

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
So if your switch is reporting the correct mac address of the clients, I'm not sure how your firewall would be getting the AP MAC when viewing client traffic. Can you provide a sterilized screenshot of the Meraki screen that shows this traffic?