Meraki Community

jctech2025

Hi All,

I didn't think about this until now about asking the community. Our client has a location that we get alerts for all the time for rogue access points being detected and contained. When we can get alerts it says the SSID that was broadcasted, however when I check the dashboard there is nothing there about the AP. Few questions:

The rogue aps need to be physically connected to the network by Ethernet?

Can they be connected to any live Ethernet outlet in the building?

Each device has its own Mac, do I don't see how you can impersonate another?

I have read several articles about this, and I'm trying to understand better what to look for. I see the alerts at least several times a month. I hope this all makes sense as I'm trying to get the alerts to stop legitimate or not. Annoying, however the alerts wouldn't be firing if something was triggering, thoughts?

Thanks

alemabrahao

Not necessarily, Rogue is any access point that is not part of your infrastructure.

What many don't understand is that not all Rogue is malicious and they end up creating policies that end up interfering in neighboring networks.

My suggestion is to create a policy for specific cases, for example, if you are using an SSID with the same name as the one configured on your network.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

alemabrahao

This is a good article to read.

https://meraki.cisco.com/blog/2017/09/rogue-access-point/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

jctech2025

So we have policies in place that for example if an SSID matches "xxxxx", then contain it. Much of the time, I am seeing like Xfinity or Roku in the SSID. So Rogue is any AP that is not managed by and assigned to us by Meraki? What I'm trying to do, is find out where the device/s is/are being plugged in and find out what they are. There hasn't been any complains about anything malicious, I'm just trying to figure out what is trowing the alerts.

alemabrahao

It could be your neighbor's Access Point, for example. So the access point may not be directly connected to your infrastructure.

Be careful when containing access points, you may be legally liable for these actions.

The right thing to do would be to monitor the ports on your switches. One way to resolve the issue of someone connecting something to your network without authorization is to implement security features on switches, such as port security and port authentication.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

jctech2025

I read the blog/article you posted. So it does mention the BSSID of the broadcast and the BSSID of the physical connection to the network is compared to see if there is a partial match.

So it does have to be a device physically connected (Ethernet) for this to happen? Unless I'm reading it wrong. So I'm wondering if it needs to be physically connected to the main switch on the network or any live port?

This is so confusing. Every BSSID is unique.

Ryan_Miles

Yes, to be classified as a Rogue in Air Marshal we need to see it both from the wireless and wired sides of the network. This doc goes into the details on the criteria for MAC address matching https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Rogue_SSIDs_2

That same section also mentions the other requirement which is that the detecting AP needs to be connected to a trunk switchport with all VLANs.

Ryan / Meraki Solutions Engineer

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

alemabrahao

This is partially true, rogue is any access point that is not part of the infrastructure, even if not connected to the network.

For example, if I configure an AP with the same SSID name as your infrastructure, it will be considered malicious, but it does not need to be directly connected to the network.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

alemabrahao

A Rogue Access Point is defined as any wireless Access Point that are not part of the network. It might be operating on the same or an adjacent frequency, occupying the spectrum, raising the noise level (co-channel or adjacent interference) and may or may not be a security risk (unclassified, friendly or malicious Rogues).

Mostly probably its the nearby external APs(from other vendors or other companies).

Rogue Management in an Unified Wireless Network: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-hand...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

alemabrahao

The concept is actually quite simple. Rogue AP and any ap that is not part of your infrastructure, even if it is not directly connected to your network, but that does not mean it is malicious.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

jctech2025

When you mention the trunk switchport, you referring to the doc you just posted? Making sure I'm looking at the right context. Thanks.

Meraki Community

Rogue Accèss Points

Rogue Accèss Points