Recently we have been experiencing weird behaviour on some WiFi clients when connecting to our network. As soon as they connect, after a few seconds they get disconnected. No credentials, signal, blacklist, ... issues here.
Checking Air Marshal, I've noticed a hidden rogue SSID that is broadcasting a good amount of MACs through all channels on 2.4 and 5 GHz.
The fact that was bugging me is that the wired MAC matches a client iMac (that has an Atheros chipset), so it seems that the client is acting as an antenna rather than a client.
Can it be a WiFi Pineapple device, or am I totally off about this and there is nothing weird about that rogue SSID entry?
Air Marshal is a little buggy in the sense that if a mobile device like an Android or iPhone connects to your wireless, then disconnects, and starts to broadcast its own internal hotspot, it will show it as a rogue 'seen on LAN'. Obviously it's not true.
However, the MAC address 02:9f:c2 matches Ubiquiti gear.
The fact that it is showing it on VLAN 172, to me at least, means you have old Ubiquiti gear on your network. I would very much look into tracking these down if those are no longer in use. It's very possible that your clients still have configurations for that old gear and they are flip-flopping between the old network and the new.
The signal seems VERY strong, so they should be very close to your Meraki gear (within like 15 feet I would say).
I'm fairly certain that the reason why it's showing up as a rogue is because it's being 'seen on LAN'. That is the 'trigger' for it being there.
As for the 184 part, if you click on that entry it will expand so you can see what the entire list is. A good chunk will be your own Meraki gear. I see 239 'other ssid' in my building, all the neighboring networks etc., people driving by with hotspots. But at the top is HIDDEN showing 309. Also on all the channels.
Granted, my list is sitting in the Other SSID column, not Rogue, but I think because you have all that other existing gear on your network it's all adding up.
The things I worry about are when I see an actual rogue on the LAN, and if there is someone spoofing. Otherwise I'm not sure if I would worry too much about what you're seeing with the hidden portion.
I apologize for resurrecting this old post, but did anyone ever figure out what the issue was?
I basically have the same issue. A rogue AP with a hidden SSID, showing 2100 different broadcast MACs. This AP has been seen by almost all our APs across 4 floors. There are 2 wired MACs, one for Meraki and the other for a user's iMac. I checked the iMac, sharing is turned off, we also completely disabled the WiFi and the rogue AP is still there.
I am out of ideas and am starting to wonder if it's the Merakis themselves.