Air Marshall Collisions with Friendly Wireless APs. - How to co-exist?

SOLVED
nClarity_2023
Comes here often

Air Marshall Collisions with Friendly Wireless APs. - How to co-exist?

We deploy a large number of cellular wireless gateways as part of our IOT solution, which operates on rooftops and outdoor spaces to collect IOT data on building equipment.  

 

We are finding that in some cases, an unknown Air Marshall is shutting down our networks using disassociation packets, causing our wireless clients to constantly disconnect / reconnect.   

 

How can we co-exist with Air Marshalls?  How do we find out who they are?  I know about white-listing, but that means you need to know who is running the air marshall and contact them.    

 

What about hidden networks?  e.g. if we deploy in a hidden fashion, will the Air Marshall still detect them and shut us down?  

1 ACCEPTED SOLUTION

Note that while Cisco Meraki WiFi has this capability, it is not the only WiFi solution that can do this.

 

https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/IDS/ConfiguringWI...

 

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-hand...

 

 

You could also simply be experiencing a disassociation attack or someone running a honey pot attack to try and steal data.  Are there any APs that are not yours broadcasting the same SSID as what you are using?

 

Your best defence against all these issues is to use 802.11w (protected management frames) and make sure all your devices also support this.  If you don't, the magnitude of your problem will grow as your rollout gets bigger.

 

View solution in original post

16 REPLIES 16
RaphaelL
Kind of a big deal
Kind of a big deal

Hi ,

 

Is it set to 'Allow clients to connect to rogue SSIDs by default' ?

That feature is borderline illegal almost everywhere in the world anyway

 

RaphaelL_0-1687906796556.png

 

nClarity_2023
Comes here often

In our situation, we have cellular wifi gateways with a predefined SSID.   Our IOT clients have a predefined SSID to connect to the cellular gateway.    What we observe is that a neighboring Meraki Air Marshall takes us down.   We've made no attempt to connect to the Air Marshall's host network.   We have no defense against the Air Marshall (or so it seems)

I'm wondering if we "stay hidden" if the Air Marshall will detect us.  

In that case there is nothing to do but try to find out who your neighbor is and try to talk to him.

Good luck.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

If you use MFP (802.11w) you won't get de-authed

Please feel free to hit that kudos button
Brash
Kind of a big deal
Kind of a big deal

Merkai AP's can only perform Air Marshal containment (disassociating clients attempting to join a wireless network) if it detects a rogue AP connected on the same wired network - see image below.

 

 

Brash_1-1687911640355.png

 

 

Reference: https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Overview_of_Air_Marshal_Con...

 

Other vendors may implement Air Marshalling differently.

 

To better understand your problem, do you have Meraki AP's on your network?
Of if it's someone elses AP's, how did you verify that they are Meraki AP's that are performing the containment?

We do not have a Meraki deployed in our field network.   The issue is that our Cradlepoint networks are being attacked by Meraki Air Marshalls.   In one case, we sent a message to the building IT team about the issue, indicating that we suspected an Air Marshall,  and they whitelisted us in their Air Marshall configuration.

The problem instantly disappeared.   The question is though, why did the Air Marshall start shutting our network down, even though our SSID is a friendly neighbor?  As we deploy across thousands of sites, this issue will grow.

There is nothing we can do for you.

  • You need to try find your neighborhood by your self.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Does the WiFi side have a PSK?

Hello, thanks for responding.   The IOT client has a PSK.    The client also "retries" automatically if it does not achieve an internet connection.

 

Madhan_kumar_G
Getting noticed

Hi,

 

Please let us know how you arrived at the conclusion that AirMarshal is causing the problem. 

 

A proper Survey using Ekahau tools or other spectrum analyzer tools will give you an idea about the interference caused by other sources.

https://www.ekahau.com/blog/identifying-wi-fi-interference-with-ekahau-analyzer/

 

Also, Your AP signals should be interfering at high RSSI levels to your neighbor devices for them to take action on your network. Are you that much physically close to your neighboring APs.

Hello, thanks for responding.   Here is the behavior we see in our Cradlepoint cellular gateway logs:

 

2023-06-27 09:48:22| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:48:21| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:46:51| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:46:51| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:45:20| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:45:20| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:43:50| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:43:49| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:42:19| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:42:19| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:40:48| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:40:48| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:39:18| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:39:18| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:37:47| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:37:47| INFO| wlankev|Client f8:f0:05:95:65:78 associated
2023-06-27 09:36:16| INFO| wlankev|Client f8:f0:05:95:65:78 WPA1 key negotiation completed
2023-06-27 09:36:16| INFO| wlankev|Client f8:f0:05:95:65:78 associated

 

The clients are constantly kicked off the gateway.

nClarity_2023
Comes here often

Here is the Air Marshall configuration warning that states that the Air Marshall can shut down neighboring WiFi deployments.

 

 

 

"Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potential disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment. 
Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs."

 

nClarity_2023_0-1687971600111.png

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Overview_of_Air_Marshal_Con... 

 

Note that while Cisco Meraki WiFi has this capability, it is not the only WiFi solution that can do this.

 

https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/IDS/ConfiguringWI...

 

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-hand...

 

 

You could also simply be experiencing a disassociation attack or someone running a honey pot attack to try and steal data.  Are there any APs that are not yours broadcasting the same SSID as what you are using?

 

Your best defence against all these issues is to use 802.11w (protected management frames) and make sure all your devices also support this.  If you don't, the magnitude of your problem will grow as your rollout gets bigger.

 

Thanks for the good advice and guidance re: 802.11w.

nClarity_2023
Comes here often

Can anyone advise if the Air Marshall will detect hidden networks?

Yes. Also, never use a hidden network on 5 GHz. Clients will struggle as they can’t probe on a DFS channel

Please feel free to hit that kudos button
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels