Meraki

Community

Rogue Accèss Points

jctech2025
Comes here often
‎Jun 19 2024 10:23 AM
‎Jun 19 2024 10:23 AM

Rogue Accèss Points

Hi All,

 

I didn't think about this until now about asking the community.  Our client has a location that we get alerts for all the time for rogue access points being detected and contained.  When we can get alerts it says the SSID that was broadcasted, however when I check the dashboard there is nothing there about the AP.  Few questions:

 

The rogue aps need to be physically connected to the network by Ethernet?  

Can they be connected to any live Ethernet outlet in the building?

Each device has its own Mac, do I don't see how you can impersonate another?

 

I have read several articles about this, and I'm trying to understand better what to look for.  I see the alerts at least several times a month.  I hope this all makes sense as I'm trying to get the alerts to stop legitimate or not.  Annoying, however the alerts wouldn't be firing if something was triggering, thoughts?

 

Thanks

0 Kudos
10 Replies 10
alemabrahao
Kind of a big deal
‎Jun 19 2024 10:35 AM
‎Jun 19 2024 10:35 AM

Not necessarily, Rogue is any access point that is not part of your infrastructure.
 
What many don't understand is that not all Rogue is malicious and they end up creating policies that end up interfering in neighboring networks.
 
My suggestion is to create a policy for specific cases, for example, if you are using an SSID with the same name as the one configured on your network.
 
 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
‎Jun 19 2024 10:42 AM
‎Jun 19 2024 10:42 AM

This is a good article to read.

 

https://meraki.cisco.com/blog/2017/09/rogue-access-point/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
jctech2025
Comes here often
‎Jun 19 2024 10:47 AM
‎Jun 19 2024 10:47 AM

So we have policies in place that for example if an SSID matches "xxxxx", then contain it.  Much of the time, I am seeing like Xfinity or Roku in the SSID.  So Rogue is any AP that is not managed by and assigned to us by Meraki?  What I'm trying to do, is find out where the device/s is/are being plugged in and find out what they are.  There hasn't been any complains about anything malicious, I'm just trying to figure out what is trowing the alerts.

0 Kudos
In response to jctech2025
alemabrahao
Kind of a big deal
‎Jun 19 2024 10:57 AM
‎Jun 19 2024 10:57 AM

It could be your neighbor's Access Point, for example. So the access point may not be directly connected to your infrastructure.
 
Be careful when containing access points, you may be legally liable for these actions.
 
The right thing to do would be to monitor the ports on your switches. One way to resolve the issue of someone connecting something to your network without authorization is to implement security features on switches, such as port security and port authentication.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
jctech2025
Comes here often
‎Jun 19 2024 12:16 PM
‎Jun 19 2024 12:16 PM

I read the blog/article you posted.  So it does mention the BSSID of the broadcast and the BSSID of the physical connection to the network is compared to see if there is a partial match.  

 

So it does have to be a device physically connected (Ethernet) for this to happen?  Unless I'm reading it wrong.  So I'm wondering if it needs to be physically connected to the main switch on the network or any live port?  

 

This is so confusing.  Every BSSID is unique.

0 Kudos
In response to jctech2025
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jun 19 2024 1:55 PM
‎Jun 19 2024 1:55 PM

Yes, to be classified as a Rogue in Air Marshal we need to see it both from the wireless and wired sides of the network. This doc goes into the details on the criteria for MAC address matching https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Rogue_SSIDs_2

 

That same section also mentions the other requirement which is that the detecting AP needs to be connected to a trunk switchport with all VLANs.

In response to Ryan_Miles
alemabrahao
Kind of a big deal
‎Jun 19 2024 2:30 PM
‎Jun 19 2024 2:30 PM

This is partially true, rogue is any access point that is not part of the infrastructure, even if not connected to the network.

 

For example, if I configure an AP with the same SSID name as your infrastructure, it will be considered malicious, but it does not need to be directly connected to the network.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Ryan_Miles
alemabrahao
Kind of a big deal
‎Jun 19 2024 2:44 PM
‎Jun 19 2024 2:44 PM

A Rogue Access Point is defined as any wireless Access Point that are not part of the network. It might be operating on the same or an adjacent frequency, occupying the spectrum, raising the noise level (co-channel or adjacent interference) and may or may not be a security risk (unclassified, friendly or malicious Rogues).

 

Mostly probably its the nearby external APs(from other vendors or other companies).

Rogue Management in an Unified Wireless Network: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-hand...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to jctech2025
alemabrahao
Kind of a big deal
‎Jun 19 2024 2:34 PM
‎Jun 19 2024 2:34 PM

The concept is actually quite simple. Rogue AP and any ap that is not part of your infrastructure, even if it is not directly connected to your network, but that does not mean it is malicious.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
jctech2025
Comes here often
‎Jun 19 2024 2:04 PM
‎Jun 19 2024 2:04 PM

When you mention the trunk switchport, you referring to the doc you just posted?  Making sure I'm looking at the right context.  Thanks.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.