How can we test rogue SSID in Meraki air-marshal

Air-Marshal
Comes here often

How can we test rogue SSID in Meraki air-marshal

Would like request to you please help us to know the best testing scenario for rogue AP detection by Air-Marshal (from Meraki stand-points), how can we test if Air-Marshal detect rogue AP

7 REPLIES 7
KarstenI
Kind of a big deal
Kind of a big deal

Just configure a non-Meraki AP with the same SSID that you use in your network and place that device near your Meraki-AP.

Thanks for revert, 

can you please clarify what procedure Air-marshal take to detect rogue AP, please refer below snapshot and clear our queries.

Air-Marshal_0-1605791121701.png

 

1. Is someone plug other AP into our network then it detects?

2. If unknown AP (whether Meraki or non-Meraki) connected our LAN and get IP from internel DHCP then it detects?

3. The meraki access switches or ports can sense if its non-meraki AP?

4.  If it is meraki ap but not yet claimed in the dashboard then it detects as rogue AP?

 

Please help to clear our queries, thanks.

ww
Kind of a big deal
Kind of a big deal

Hi, this shows what meraki detects:

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Wireless_Threats

 

Rogue SSID seen on LAN: SSIDs that are broadcast by rogue APs and seen on wired LAN; this could suggest compromise of the wired network." 

 

But its most likely a client using some kind of screen mirroring  or someone set up a hotspot.

 

1) if its broadcasting, yes

2) if its broadcasting, yes

3) i would say yes but it does not act on this.

4) not sure, but i think if its broadcasting, yes

Air-Marshal
Comes here often

Hi,

If Air-Marshal detected any rogue AP in our LAN so what procedure (excluding below procedure ) should we take for overcome/mitigate them .

 

contain

Whitelist 

Blacklist

Alert

Uncontain

 


@Air-Marshal wrote:

Hi,

If Air-Marshal detected any rogue AP in our LAN so what procedure (excluding below procedure ) should we take for overcome/mitigate them .

 

contain

Whitelist 

Blacklist

Alert

Uncontain

 


Procedures other than the mentioned? Find the user that connected the AP to the LAN and make sure he understands his mistake. Make sure not to have any witnesses around, and clean up mess afterwards.

kYutobi
Kind of a big deal

Or you can create a hotspot as well. 

Enthusiast

Can you have more testing scenarios for rogue APs creation in our network, those can be detected by Meraki Air-Marshal, as earlier you suggested "for configuring a non-non-Meraki AP with the same SSID that we use in our network and place that device near our Meraki-AP and also we can create a hotspot." 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels