Retrieving Rogue SSIDs and Spoof Information Using Meraki API

oubi
Conversationalist

Hello everyone,

I'm trying to retrieve information about rogue SSIDs and spoofed devices using the Meraki API, specifically through the Air Marshal feature. In the Meraki Dashboard, I can see detailed information about rogue SSIDs and spoofing events, but when I try to pull this data using the API, I only get a list of general SSIDs categorized as "Other SSIDs" without much detail.

Here is an example of the Python function I am currently using:

import os
import json
import requests


def air_marshal(network_id):
    """Fetch Air Marshal results for one network and write them to a JSON file."""
    meraki_api_key = os.getenv('MERAKI_API_KEY')
    if not meraki_api_key:
        raise RuntimeError("MERAKI_API_KEY is not set")

    # Headers for authentication
    headers = {
        "Authorization": f"Bearer {meraki_api_key}",
        "Accept": "application/json"
    }
    # API call to fetch Air Marshal results for the network (timespan is in seconds; 2678400 = 31 days)
    networks_url = f"https://api.meraki.com/api/v1/networks/{network_id}/wireless/airMarshal"
    response = requests.get(networks_url, headers=headers, params={"timespan": 2678400})
    response.raise_for_status()  # fail on 401/404/429 instead of parsing an error body as results
    air_marshal_events = response.json()
    print(air_marshal_events)

    # Write the results to a JSON file
    with open('meraki_am_events.json', 'w') as json_file:
        json.dump(air_marshal_events, json_file, indent=4)
    return air_marshal_events


Issue:

The script successfully retrieves data, but it only shows "Other SSIDs" with limited details and does not include information about rogue SSIDs or spoofed devices.
I am unsure how to adjust the API call or the filtering to obtain the detailed rogue and spoof information that I can see in the Meraki Dashboard.

Question:

How can I modify my script to correctly retrieve rogue SSIDs and spoof information from the Meraki API?
Are there specific fields or endpoints I should be focusing on to get the same level of detail that appears in the Dashboard?

Any guidance or suggestions would be greatly appreciated. Thank you!

5 Replies
PhilipDAth
Kind of a big deal

I don't know the answer, but what a well-laid out question!

Kevin_R
Meraki Employee

Hello @oubi,


The API call presented in the script does return rogue SSID information, but it does not mark it as a "rogue SSID" by name in a returned field. Instead you will need to rely on the definition of what a rogue SSID is in order to filter the returned information to find rogue SSIDs.


A rogue AP is an AP seen broadcasting an SSID that is also connected to the LAN. Meraki APs in the network will see the MAC address and record it on the Wireless > Monitor > Air Marshal page. The Air Marshal API call returns a field, "wiredMacs", which will be [] if the SSID is not a rogue SSID. If the SSID is a rogue SSID, the field will contain the MAC address(es) seen on the LAN. You could use "wiredMacs" not being [] to filter the returned JSON output to show rogue SSIDs.


Additionally, the API call in use will return information about SSID spoofs that exist in the network, albeit in a roundabout fashion. An SSID spoof is another device broadcasting the same SSID name that exists in the Meraki wireless environment, but is not detected on the LAN by Meraki APs. You can filter the returned JSON results from the API call to see if there are any matches for your own SSID names. Anything that shows up as a match would be an SSID spoof, as seen in Air Marshal.


AP spoofs, however, will require a different API call. A spoofed AP would be reported as using the same MAC as a Meraki AP in the network, and the Air Marshal API call in use does not report device MAC addresses. Instead you could use the Network Events API call: https://developer.cisco.com/meraki/api-v1/get-network-events/ and filter for the includedEventTypes of "mac_spoofing_attack" for a given timespan. The results should match what is reported in Air Marshal, but there will be one event for each instance that is seen (which could be many if APs repeatedly see the same AP spoof). You could group the output from the events API call by MAC to match what Air Marshal provides on Dashboard.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
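The two filters described in the reply above (rogue = non-empty "wiredMacs"; SSID spoof = an Air Marshal entry that reuses one of our own SSID names), as an added example that is not code from the thread or from Meraki. The record shape assumed here (keys "ssid", "wiredMacs", "bssids") follows the fields the reply names; the getNetworkWirelessSsids shape used for the reference set and the optional known-BSSID allowlist are my additions, and the sample data is constructed.

```python
"""Classify Air Marshal results into rogue SSIDs and SSID spoofs (added example)."""
import json
import urllib.request

AIR_MARSHAL_URL = "https://api.meraki.com/api/v1/networks/{network_id}/wireless/airMarshal"
SSIDS_URL = "https://api.meraki.com/api/v1/networks/{network_id}/wireless/ssids"


def fetch_json(url, api_key):
    """GET a Dashboard API URL with a bearer token (not exercised by the offline demo)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {api_key}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def own_ssid_names(ssid_config):
    """Names of the enabled SSIDs configured in the network: the spoof reference set.

    Assumes getNetworkWirelessSsids returns a list of {"name": ..., "enabled": ...};
    disabled slots ("Unconfigured SSID N") are skipped so they cannot cause false matches.
    """
    return {s["name"] for s in ssid_config if s.get("enabled", True)}


def is_rogue(record):
    """Per the reply: a rogue SSID has a non-empty wiredMacs list (seen on the LAN)."""
    return bool(record.get("wiredMacs"))


def find_rogues(records):
    return [r for r in records if is_rogue(r)]


def find_ssid_spoofs(records, own_ssids, known_bssids=()):
    """Air Marshal entries that reuse one of our own SSID names.

    known_bssids (assumed extension): BSSIDs of our own radios; an entry whose
    BSSIDs are all ours is not counted as a spoof.
    """
    own = set(own_ssids)
    known = {b.lower() for b in known_bssids}
    spoofs = []
    for r in records:
        if r.get("ssid") not in own:
            continue
        bssids = {b["bssid"].lower() for b in r.get("bssids", [])}
        if bssids and bssids <= known:
            continue
        spoofs.append(r)
    return spoofs


def summarize(records, own_ssids, known_bssids=()):
    """Flat summary suitable for alerting or diffing against a previous run."""
    rogues = find_rogues(records)
    spoofs = find_ssid_spoofs(records, own_ssids, known_bssids)
    return {
        "rogue_ssids": sorted({r["ssid"] for r in rogues}),
        "rogue_wired_macs": sorted({m.lower() for r in rogues for m in r["wiredMacs"]}),
        "spoofed_ssids": sorted({r["ssid"] for r in spoofs}),
        "spoof_bssids": sorted({b["bssid"].lower() for r in spoofs for b in r.get("bssids", [])}),
    }


# Constructed sample data in the assumed response shape; not real Dashboard output.
SAMPLE_SSID_CONFIG = [
    {"number": 0, "name": "Corp-WiFi", "enabled": True},
    {"number": 1, "name": "Guest", "enabled": False},
]
SAMPLE_AIR_MARSHAL = [
    {"ssid": "Corp-WiFi", "wiredMacs": [], "bssids": [{"bssid": "DE:AD:BE:EF:00:02"}]},
    {"ssid": "Free-Hotspot", "wiredMacs": ["00:11:22:33:44:55"], "bssids": [{"bssid": "00:11:22:33:44:56"}]},
    {"ssid": "Neighbor-Net", "wiredMacs": [], "bssids": [{"bssid": "11:22:33:44:55:66"}]},
]

if __name__ == "__main__":
    # Live use (hypothetical NET and KEY values):
    #   records = fetch_json(AIR_MARSHAL_URL.format(network_id=NET) + "?timespan=2678400", KEY)
    #   own = own_ssid_names(fetch_json(SSIDS_URL.format(network_id=NET), KEY))
    print(json.dumps(summarize(SAMPLE_AIR_MARSHAL, own_ssid_names(SAMPLE_SSID_CONFIG)), indent=2))
```

Name matching is exact, as the reply describes; if you find Air Marshal listing your own radios under your own SSID name, pass their BSSIDs as known_bssids rather than loosening the match.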
John_on_API
Meraki Employee

In addition to @Kevin_R's advice, AirMarshal SSIDs, rules and settings are all queryable via API: https://developer.cisco.com/meraki/api-v1/search/?q=airmarshal


oubi
Conversationalist

Hello and thank you for your prompt and detailed responses.

After testing a deauthentication attack and reviewing the Meraki Dashboard, I noticed that the dashboard already provides comprehensive information: the attack could be seen under Spoofs and even Malicious Broadcast. My main goal now is to efficiently identify if there are any new Rogue SSID, Spoof, Malicious Broadcast, or Packet Flood events without resorting to overly complex scripts that filter through extensive logs.

Given this context, what would be the most efficient approach to gather this specific information? I'm looking for a streamlined method, possibly through a targeted API call or a specific event filter, to alert me of these occurrences without having to manually check the dashboard.

Your guidance on the best practices for achieving this would be greatly appreciated. Thank you!

Kevin_R
Meraki Employee

Hello oubi,


Unfortunately, what I provided before will likely be necessary to obtain rogue AP or spoofed SSID information. We do not have a more targeted API call, or else I would have provided that as a response instead (or you may have found it too). The getNetworkEvents API call contains the same information as found in the Network-wide > Monitor > Event log and does record some additional Air Marshal events that are not available from the getNetworkWirelessAirMarshal API call. All available event types that a given network can be filtered for can be found using this API call: https://developer.cisco.com/meraki/api-v1/get-network-events-event-types/.

Searching the output for a wireless network for "Air Marshal" should show the following nine options:

[
  {
    "category": "Air Marshal",
    "type": "device_packet_flood",
    "description": "Single endpoint packet flood"
  },
  {
    "category": "Air Marshal",
    "type": "packet_flood",
    "description": "Access point / client flood"
  },
  {
    "category": "Air Marshal",
    "type": "bcast_deauth",
    "description": "Broadcasted deauthorizations"
  },
  {
    "category": "Air Marshal",
    "type": "mac_spoofing_attack",
    "description": "Access point spoof"
  },
  {
    "category": "Air Marshal",
    "type": "bcast_deauth_attack",
    "description": "Under containment"
  },
  {
    "category": "Air Marshal",
    "type": "bcast_disassoc_attack",
    "description": "Under containment"
  },
  {
    "category": "Air Marshal",
    "type": "bcast_disassoc",
    "description": "Broadcasted disassociations"
  },
  {
    "category": "Air Marshal",
    "type": "rogue_ap_association",
    "description": "Rogue access point association"
  },
  {
    "category": "Air Marshal",
    "type": "device_containment",
    "description": "Endpoint Containment"
  }
]

You can also enable alerting from the Network-wide > Configure > Alerts page for a given network for when "A rogue access point is detected". Additionally you can enable SSID alerting within Air Marshal too: https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#SSID_Alerting (these are provided in reference to your comment about wanting to be alerted by occurrences seen in Air Marshal).


I would also recommend using the "Give your feedback" button on the lower right corner of any Dashboard page to ask that additional Air Marshal API calls be added to target other pages viewable on Dashboard. 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
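The polling approach the two Kevin_R replies describe (restrict getNetworkEvents to the nine Air Marshal event types, then group the per-instance events by MAC so the output matches what Air Marshal shows on Dashboard, and alert only on groups not seen before), as an added example that is not code from the thread or from Meraki. The top-level event fields ("type", "occurredAt", "deviceName", "eventData") follow the getNetworkEvents documentation as I recall it, but the key carrying the offending MAC inside "eventData" is an assumption, so event_mac() checks several candidate names; the sample events are constructed.

```python
"""Poll Meraki network events for Air Marshal types and group them by MAC (added example)."""
from collections import defaultdict
from urllib.parse import urlencode

EVENTS_URL = "https://api.meraki.com/api/v1/networks/{network_id}/events"

# The nine Air Marshal event types listed in the reply above.
AIR_MARSHAL_TYPES = (
    "device_packet_flood", "packet_flood", "bcast_deauth", "mac_spoofing_attack",
    "bcast_deauth_attack", "bcast_disassoc_attack", "bcast_disassoc",
    "rogue_ap_association", "device_containment",
)

# Assumed candidate keys under "eventData" that may hold the offending MAC/BSSID.
MAC_KEYS = ("bssid", "mac", "apMac", "clientMac")


def events_query(product_type="wireless", timespan=86400, event_types=AIR_MARSHAL_TYPES):
    """Query string for GET /networks/{networkId}/events limited to Air Marshal types.

    includedEventTypes is an array parameter, hence the "[]" suffix and doseq=True.
    """
    params = {
        "productType": product_type,
        "timespan": timespan,
        "includedEventTypes[]": list(event_types),
    }
    return urlencode(params, doseq=True)


def event_mac(event):
    """Best-effort extraction of the MAC an Air Marshal event is about."""
    data = event.get("eventData") or {}
    for key in MAC_KEYS:
        if data.get(key):
            return str(data[key]).lower()
    if event.get("clientMac"):
        return event["clientMac"].lower()
    return "unknown"


def group_by_mac(events):
    """Collapse per-instance events into one entry per (type, MAC), like the Dashboard view."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "seen_by": set()})
    for ev in events:
        if ev.get("type") not in AIR_MARSHAL_TYPES:
            continue  # ignore non-Air-Marshal events that slip through a broad query
        g = groups[(ev["type"], event_mac(ev))]
        g["count"] += 1
        ts = ev.get("occurredAt")  # ISO 8601 UTC strings compare correctly as text
        if ts is not None:
            g["first"] = ts if g["first"] is None or ts < g["first"] else g["first"]
            g["last"] = ts if g["last"] is None or ts > g["last"] else g["last"]
        if ev.get("deviceName"):
            g["seen_by"].add(ev["deviceName"])
    return dict(groups)


def new_findings(groups, known):
    """(type, MAC) keys not present in `known`, e.g. a set loaded from the previous run."""
    return sorted(k for k in groups if k not in known)


# Constructed sample events in the assumed shape; not real Dashboard output.
SAMPLE_EVENTS = [
    {"occurredAt": "2024-05-01T10:00:00.000000Z", "type": "mac_spoofing_attack",
     "deviceName": "AP-1", "eventData": {"bssid": "AA:BB:CC:DD:EE:01"}},
    {"occurredAt": "2024-05-01T10:05:00.000000Z", "type": "mac_spoofing_attack",
     "deviceName": "AP-2", "eventData": {"bssid": "aa:bb:cc:dd:ee:01"}},
    {"occurredAt": "2024-05-01T11:00:00.000000Z", "type": "bcast_deauth",
     "deviceName": "AP-1", "eventData": {"mac": "de:ad:be:ef:00:02"}},
    {"occurredAt": "2024-05-01T11:30:00.000000Z", "type": "association",
     "deviceName": "AP-1", "clientMac": "00:11:22:33:44:55", "eventData": {}},
]

if __name__ == "__main__":
    # Live use: GET EVENTS_URL.format(network_id=NET) + "?" + events_query() with the
    # bearer header, read response["events"], and page with startingAfter/pageEndAt.
    groups = group_by_mac(SAMPLE_EVENTS)
    for (etype, mac), g in sorted(groups.items()):
        print(f"{etype:22} {mac}  x{g['count']}  {g['first']} .. {g['last']}  seen by {sorted(g['seen_by'])}")
    print("new:", new_findings(groups, known={("mac_spoofing_attack", "aa:bb:cc:dd:ee:01")}))
```

Persist the (type, MAC) keys you have already alerted on between runs; repeated detections of the same spoofed AP then stay a single Dashboard-style entry with a rising count instead of a fresh alert each poll.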