Hi All,
I didn't think about this until now, about asking the community. Our client has a location that we get alerts for all the time for rogue access points being detected and contained. When we get alerts, it says the SSID that was broadcast, however when I check the dashboard there is nothing there about the AP. A few questions:
Do the rogue APs need to be physically connected to the network by Ethernet?
Can they be connected to any live Ethernet outlet in the building?
Each device has its own MAC, so I don't see how you can impersonate another?
I have read several articles about this, and I'm trying to understand better what to look for. I see the alerts at least several times a month. I hope this all makes sense, as I'm trying to get the alerts to stop, legitimate or not. Annoying, however the alerts wouldn't be firing if something wasn't triggering them, thoughts?
Thanks
This is a good article to read.
https://meraki.cisco.com/blog/2017/09/rogue-access-point/
So we have policies in place that, for example, if an SSID matches "xxxxx", then contain it. Much of the time I am seeing something like Xfinity or Roku in the SSID. So a rogue is any AP that is not managed by and assigned to us by Meraki? What I'm trying to do is find out where the device(s) is/are being plugged in and find out what they are. There haven't been any complaints about anything malicious, I'm just trying to figure out what is throwing the alerts.
I read the blog/article you posted. So it does mention that the BSSID of the broadcast and the BSSID of the physical connection to the network are compared to see if there is a partial match.
So it does have to be a device physically connected (Ethernet) for this to happen? Unless I'm reading it wrong. So I'm wondering if it needs to be physically connected to the main switch on the network or any live port?
This is so confusing. Every BSSID is unique.
Yes, to be classified as a Rogue in Air Marshal we need to see it from both the wireless and wired sides of the network. This doc goes into the details on the criteria for MAC address matching: https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Rogue_SSIDs_2
That same section also mentions the other requirement, which is that the detecting AP needs to be connected to a trunk switchport with all VLANs.
This is partially true: a rogue is any access point that is not part of the infrastructure, even if it is not connected to the network.
For example, if I configure an AP with the same SSID name as your infrastructure, it will be considered malicious, but it does not need to be directly connected to the network.
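To make the two classification paths discussed above concrete (seen on both the wired and wireless side, versus merely broadcasting one of our SSIDs), plus the "contain if the SSID matches a pattern" policy mentioned earlier, here is a small Python classifier. This is an added example, not Meraki code and not the actual Air Marshal matching rule: the "partial match" heuristic (BSSID numerically within a small window of a MAC seen on the wired side), the window size, the wired MAC table, the infrastructure SSID list, the contain patterns and every MAC/SSID value below are constructed for illustration.

```python
"""Toy rogue-AP classifier correlating wireless BSSIDs with wired-side MACs.

Added example, not Meraki's code. The partial-match rule is an ASSUMED
heuristic standing in for whatever the vendor actually uses.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-CC-DD-EE-FF' / 'aabb.ccdd.eeff' / 'aa:bb:...' to lowercase colon form."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_int(mac: str) -> int:
    return int(norm_mac(mac).replace(":", ""), 16)


def partial_mac_match(bssid: str, wired_mac: str, window: int = 16) -> bool:
    """ASSUMED heuristic: the radio BSSID and the wired MAC of a consumer AP
    are usually consecutive addresses from one block, so treat a numeric
    distance of at most `window` as the same physical box."""
    return abs(mac_int(bssid) - mac_int(wired_mac)) <= window


@dataclass(frozen=True)
class SeenAP:
    ssid: str
    bssid: str


@dataclass(frozen=True)
class Verdict:
    category: str               # "rogue", "ssid_spoof" or "other"
    contain: bool               # whether the (assumed) policy would contain it
    wired_match: Optional[str]  # wired MAC that correlated, if any


def classify(ap: SeenAP, wired_macs: Iterable[str], infra_ssids: Iterable[str],
             contain_patterns: Iterable[str], window: int = 16) -> Verdict:
    # Path 1 (this thread's "wired + wireless" criterion): correlate with the wired MAC table.
    match = next((m for m in wired_macs if partial_mac_match(ap.bssid, m, window)), None)
    if match is not None:
        category = "rogue"
    # Path 2: someone broadcasting one of our own SSIDs, with no wired correlation needed.
    elif ap.ssid in set(infra_ssids):
        category = "ssid_spoof"
    else:
        category = "other"
    # Containment policy, as in "if SSID matches 'xxxxx' then contain it" (patterns are assumed).
    policy_hit = any(re.search(p, ap.ssid, re.I) for p in contain_patterns)
    contain = category != "other" or policy_hit
    return Verdict(category, contain, norm_mac(match) if match else None)


# --- constructed sample data (not from any real network) ---
WIRED_MACS: List[str] = ["00:18:0a:12:34:56", "3C-5A-B4-AA-BB-CC"]
INFRA_SSIDS = {"CorpWiFi"}
CONTAIN_PATTERNS = [r"^xfinity", r"^roku"]   # placeholder for the thread's "xxxxx" policy
SEEN = [
    SeenAP("xfinitywifi", "00:18:0a:12:34:5a"),  # 4 away from a wired MAC -> rogue
    SeenAP("Roku-1234", "d8:31:34:00:11:22"),     # no wired sibling, contained by SSID policy only
    SeenAP("CorpWiFi", "12:34:56:78:9a:bc"),      # our SSID on a foreign radio -> ssid_spoof
    SeenAP("NeighborNet", "00:18:0a:12:34:f0"),   # same OUI but far outside the window -> other
]


def report(seen: Iterable[SeenAP] = SEEN) -> dict:
    """Classify every seen AP; keyed by BSSID for easy lookup."""
    return {ap.bssid: classify(ap, WIRED_MACS, INFRA_SSIDS, CONTAIN_PATTERNS) for ap in seen}


if __name__ == "__main__":
    for bssid, v in report().items():
        print(f"{bssid}  {v.category:10s}  contain={v.contain}  wired={v.wired_match}")
```

The point of the fourth sample entry is the one that causes confusion in this thread: two radios sharing a vendor OUI are not the same device, so a correlation rule has to be tighter than "first three bytes match" or it will flag every neighbour using the same brand of router.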
A Rogue Access Point is defined as any wireless Access Point that is not part of the network. It might be operating on the same or an adjacent frequency, occupying the spectrum, raising the noise level (co-channel or adjacent interference) and may or may not be a security risk (unclassified, friendly or malicious Rogues).
Most probably it's the nearby external APs (from other vendors or other companies).
Rogue Management in an Unified Wireless Network: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-hand...
The concept is actually quite simple. A rogue AP is any AP that is not part of your infrastructure, even if it is not directly connected to your network, but that does not mean it is malicious.
When you mention the trunk switchport, are you referring to the doc you just posted? Making sure I'm looking at the right context. Thanks.