Possible SSID Spoof from Client device.

MAG
Here to help

Hi All,

Recently we have been experiencing weird behaviour on some WiFi clients when connecting to our network. As soon as they connect, after a few seconds they get disconnected. No credentials, signal, blacklist, ... issues here.

Checking Air Marshal I've noticed a hidden rogue SSID that is broadcasting a good amount of MACs through all channels on 2.4 and 5 GHz.

The fact that was bugging me is that the wired MAC matches with a client iMac (that has an Atheros chipset), so it seems that the client is acting as an antenna rather than a client.

Can it be a WiFi Pineapple device, or am I totally off about this and there is nothing weird about that rogue SSID entry?

Please check the image ...

Can anyone give me an educated guess about it?

Thanks a lot.

Screen Shot 2018-11-05 at 10.07.47.png

5 Replies
NolanHerring
Kind of a big deal

Air Marshal is a little buggy in the sense that if a mobile device like an Android or iPhone connects to your wireless, then disconnects, and starts to broadcast its own internal hotspot, it will show it as a rogue 'seen on LAN'. Obviously it's not true.

However, the mac address 02:9f:c2 matches Ubiquiti gear.

The fact that it is showing it on VLAN 172, to me at least, means you have old Ubiquiti gear on your network. I would very much look into tracking these down if those are no longer in use. It's very possible that your clients still have configurations for that old gear and they are flip-flopping between the old network and the new.

The signal seems VERY strong, so they should be very close to your Meraki gear (within like 15 feet I would say).
Nolan Herring | nolanwifi.com

Hi Nolan,

Thanks for your comments!!

That VLAN 172 is the one where all the WiFi devices are assigned (on one specific floor of our company).

It is true that that MAC is from Ubiquiti, but there are also 184 other broadcast MACs, is that normal??

The only Ubiquiti devices in the building are on a different network, 3 floors below, but ..... the device with that wired MAC is right next to the Meraki AP.

To me it seems that the "device" is spoofing different existing SSID MACs by broadcasting them onto any available channel ...

Any other insights ?

NolanHerring
Kind of a big deal

I'm fairly certain that the reason why it's showing up as a rogue is because it's being 'seen on LAN'. That is the 'trigger' for it being there.

As for the 184 part, if you click on that entry it will expand so you can see what the entire list is. A good chunk will be your own Meraki gear. I see 239 'other SSID' in my building, all the neighboring networks etc., people driving by with hotspots. But at the top is HIDDEN showing 309. Also on all the channels.

Granted my list is sitting in the Other SSID column, not Rogue, but I think because you have all that other existing gear on your network it's all adding up.

The things I worry about are when I see an actual rogue on the LAN, and if there is someone spoofing. Otherwise I'm not sure if I would worry too much about what you're seeing with the hidden portion.
Nolan Herring | nolanwifi.com
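The triage Nolan walks through above (is the entry 'seen on LAN', expand it to see how many of the BSSIDs are your own gear, compare the wired MAC against what you actually own) can be scripted against an export of the Air Marshal list. The following is an added example written for this thread, not code from Meraki or from any poster. The inventory, the tiny OUI table, the entry records and their field names are all constructed assumptions, not the dashboard's schema; swap in your own asset inventory and a full OUI database.

```python
"""Triage of Air Marshal-style rogue / other-SSID entries against a local asset inventory.
All MACs, vendors and entries below are constructed sample data (hypothetical values)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory: wired MACs of our own APs and of managed client devices.
CORP_AP_WIRED_MACS = {"00:18:0a:00:00:01"}                      # our Meraki AP (constructed)
CLIENT_WIRED_MACS = {"a4:5e:60:00:00:02": "floor3-imac"}        # managed clients (constructed)
# Tiny hypothetical OUI table; a real deployment would load the IEEE OUI list.
OUI_TABLE = {"00:18:0a": "Cisco Meraki", "a4:5e:60": "Apple"}

VERDICT_PRIORITY = {"rogue-on-lan": 0, "client-hotspot-suspected": 1,
                    "own-infrastructure": 2, "neighbor": 3}


@dataclass
class AirMarshalEntry:
    """One row of the Air Marshal list (assumed field names, not the dashboard's)."""
    ssid: str             # "" represents a hidden SSID
    bssids: List[str]     # every BSSID the dashboard grouped under this entry
    wired_macs: List[str]  # wired MACs the entry was correlated with ("seen on LAN")
    channels: List[int]
    rssi_dbm: int
    seen_on_lan: bool


def is_locally_administered(mac: str) -> bool:
    """IEEE 802 U/L bit: 0x02 set in the first octet means a locally assigned address,
    so an OUI vendor lookup on such a BSSID is not authoritative."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def vendor(mac: str) -> str:
    return OUI_TABLE.get(mac.lower()[:8], "unknown")


def bands(channels: List[int]) -> List[str]:
    return sorted({"2.4GHz" if c <= 14 else "5GHz" for c in channels})


def triage(entry: AirMarshalEntry) -> Dict[str, object]:
    wired = {m.lower() for m in entry.wired_macs}
    own_ap = wired & CORP_AP_WIRED_MACS
    clients = {CLIENT_WIRED_MACS[m] for m in wired if m in CLIENT_WIRED_MACS}
    laa = sum(is_locally_administered(b) for b in entry.bssids)

    if not entry.seen_on_lan:
        verdict = "neighbor"                    # air-only, not bridged to our wired side
    elif clients:
        verdict = "client-hotspot-suspected"    # a managed client's wired MAC is tied to it
    elif own_ap and wired <= CORP_AP_WIRED_MACS:
        verdict = "own-infrastructure"          # only our own APs behind it
    else:
        verdict = "rogue-on-lan"                # on our LAN and nothing we own explains it

    return {
        "ssid": entry.ssid or "<hidden>",
        "verdict": verdict,
        "bssid_count": len(entry.bssids),
        "laa_fraction": round(laa / len(entry.bssids), 2) if entry.bssids else 0.0,
        "bands": bands(entry.channels),
        "matched_clients": sorted(clients),
        "own_ap_macs": sorted(own_ap),
        "vendors": sorted({vendor(b) for b in entry.bssids}),
        "strong_signal": entry.rssi_dbm >= -50,  # roughly "within a few metres of the AP"
    }


def triage_all(entries: List[AirMarshalEntry]) -> List[Dict[str, object]]:
    """Highest-priority verdicts first, so real rogues on the LAN surface at the top."""
    results = [triage(e) for e in entries]
    return sorted(results, key=lambda r: VERDICT_PRIORITY[str(r["verdict"])])


# Constructed sample export: a hidden entry tied to a client iMac, a neighbour, our own
# guest SSID, and an unexplained network seen on the LAN.
SAMPLE_ENTRIES = [
    AirMarshalEntry("", ["02:9f:c2:00:00:10", "02:9f:c2:00:00:11", "00:18:0a:00:00:20"],
                    ["a4:5e:60:00:00:02"], [1, 6, 11, 36, 44], -35, True),
    AirMarshalEntry("CoffeeShop", ["f0:9f:c2:00:00:30"], [], [6], -80, False),
    AirMarshalEntry("Corp-Guest", ["00:18:0a:00:00:21"], ["00:18:0a:00:00:01"], [36], -40, True),
    AirMarshalEntry("Unknown-Net", ["f0:9f:c2:00:00:40"], ["f0:9f:c2:00:00:41"], [1], -60, True),
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_ENTRIES):
        print(row)
```

The verdict order matters: a wired MAC that belongs to one of your managed clients is checked before the "own infrastructure" case, so an entry like the one in this thread (hidden SSID, hundreds of BSSIDs, wired MAC of a user's iMac sitting next to the AP) comes out as "client-hotspot-suspected" and points you at that machine's sharing and hotspot settings, while an entry on the LAN with no inventory match at all stays at the top of the list as the one worth walking the floor for.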
Topliffej
New here

I apologize for resurrecting this old post, but did anyone ever figure out what the issue was?

I basically have the same issue. A rogue AP with a hidden SSID, showing 2100 different broadcast MACs. This AP has been seen by almost all our APs across 4 floors. There are 2 wired MACs, one for Meraki and the other for a user's iMac. I checked the iMac, sharing is turned off, we also completely disabled the WiFi and the rogue AP is still there.

I am out of ideas and am starting to wonder if it's the Merakis themselves.

We have an iMac showing as a rogue AP too with 46 MAC addresses. I've also checked sharing and the WiFi settings with no suspects found. Did you get to the bottom of it?

I wonder if it is a false positive!
