I have a quick question.
We received an alert that Air Marshall has detected a SSID spoof. This SSID was for our Corp network.
Looking at the detail in Air Marshall all it tells me is that a spoof was detected by one of our MR 32s. The MAC address is listed as 00:00:00:00:00:00.
Is this actually a spoof?
And if it is, how do I know what action the MR32 has taken.
I've had a look around the community and the suggestion is to patch the firmware and/or reboot the AP (which I have done).
ps. The Air marshall page tells me that the Spoof was only seen 52 minutes ago. I can't find any other evidence that it is still out there.
ps. I think I put this in the wrong forum. It should really be in Wireless. Sorry about that.
pps. I don't think is a spoof but that the AP is detecting itself. I've rebooted the AP and so far no more alerts.
One thing our location has been running into a lot with our new computers is Air Marshall seeing a Rouge AP every time someone looks for a new printer. Seems like the new Intel Wireless cards throw out a random-ish SSID for a direct connect, and searching for a printer triggers it. I spent more time then I would like to admit tracking that down.
So I ran into a similar issue with my Juniper equipment when I initially started swapping over to Merakis.
The Junipers had a version of Air Marshall enabled, and were directing de-auth packets at my Meraki network, which the Merakis were picking up as a spoofed version of the network.
Not sure if you have another wireless system co-deployed, but it might be something to investigate.
No one here even knew we had the Juniper Air Marshall enabled... was fun to track down. I used a cell phone and tracked signal strength, and it was strongest near some of the old APs that were still enabled and broadcasting, so then had to dig through settings on the old system.
That's funny as I was just going to make a post about this.
I've seen this for months on the network. It randomly appears during the week, then doesn't get detected for a day or two. I assume this is a false positive then?
When messing around on my home network spoofing I'd normally use 00:00:00:00:00:00 or 11:22:33:44:55:66 as they are easy to type.
Finally got around to put a block in, to block any device with the MAC 00:00:00:00:00:00 yet today, I see the Spoof warning again.
I added the block in Network-Wide, Clients.
Is this a bug then?
Seeing the same at one of our sites.
We have two Meraki MR52s there and admittedly we don't spend a lot of time tuning them. The spoof alerts started last week. I have basically disabled one of the APs and greatly reduced power for the other. Users are happy with the settings, and I'm seeing way less interference on the remaining AP.
The spoof alert only shows up if I try to re-enable the other AP. Any band and any power level and the deauth packets start going out again. I'm going to power off the AP from the switch today and monitor through the rest of the week.