293 Hidden Rogue SSIDs

IT_Magician
Building a reputation


Hey Meraki Community,

I have a feeling there is a simple explanation here but want to ask the gurus. Customer asks me what the 293 hidden SSIDs are showing up under the Rogue. I checked and indeed Meraki states these are recently seen on the LAN. However, none of the MAC addresses show up in the Meraki client list.

I am calling Meraki support and doing a packet capture now to try and figure out what these are.

Anyone have any idea? I checked other customers and it seems this is somewhat common, and even though we have it set to block rogue SSIDs these are showing up uncontained. Feels like they are mobile phones just doing stuff they probably always do but we never know.

 

Inderdeep
Kind of a big deal

@IT_Magician : A “hidden SSID” on the Air Marshal page is an SSID name that is not included in the beacons and probe responses for a particular BSSID. These can usually be ignored during common network operation, and are unlikely to result in noticeable RF interference. Administrators may specify the same allow list, contain, alert, uncontained rules for BSSIDs contributing to the hidden SSIDs seen by selecting the Hidden row and selecting the Broadcast MAC to apply the rule to.

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
IT_Magician
Building a reputation

@Inderdeep thank you for the response. What I am struggling to wrap my head around is, why are these showing up under the ROGUE SSID section with the reason "Rogue because recently seen on the LAN"? This reads that 294 devices on our LAN are broadcasting hidden SSIDs.

 

Why not just move all of these SSIDs under the "Other SSIDs"? That is my specific question here, is this a security threat, and if it isn't a security threat, why does Meraki state these are rogue SSIDs because they were recently seen on the LAN?

@IT_Magician : These seem to be mesh SSIDs. Check if you can disable it under Network-wide > General.

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
IT_Magician
Building a reputation

I appreciate your response, but that isn't the direction we are trying to go. I am on with Meraki support but they are also unsure at the moment.

 

The question is, Meraki is saying these 293 MAC addresses are rogue because they were recently seen on LAN. But those clients are not on the client list. My gut says this isn't a security issue but I am not going back to my client with a feeling, I want to give them some facts.

PhilipDAth
Kind of a big deal

I have rarely seen this issue occur because one Meraki AP sees another Meraki AP as a rogue.  Rarely.  When it has happened, rebooting all the APs at the same time has resolved it.

Snika
Here to help

You need to know what "seen on lan" means.
Did you find out the cause??


According to the documentation, it seems to be "seen on LAN" when the client has a wired connection and SSID broadcasting together.
Share your progress on how you are solving it
