Our SSIDs are being "blocked"/contained

timob121
Here to help

Our SSIDs are being "blocked"/contained

After several days of troubleshooting I have determined our existing SSIDs are being blocked/contained by an outside device. Assuming a wireless controller that a Network Admin updated to block our SSIDs in their space which is now affecting our SSIDs.  

 

To confirm that our existing SSIDs are being blocked I by creating a new SSID and was able to connect without issue. All the current SSIDs will associate, get an IP and then disassociate after a few seconds. The problem is not a Rouge AP as we do not seeing any mac impersonation or bogus SSID using the same name. 

 

I have reach out to the Property Manager to ask to tenants who made changes late last week to their Wireless Network. I'm wondering if I can see any information on packet tracer to clue in which device is causing things? I have reviewed Package Tracer but don't see anything which could assist us in finding out where it is coming from. Can I see the mac address or anything else from offending device which is causing this issue using Packet Tracer?

4 REPLIES 4
Brash
Building a reputation

It sounds like your clients are getting de-authorized.

Wireshark would be a good place to start to see who is sending the client the deauth.

 

There's other tools (both paid and open source) out there which dig further into WiFi analysis.

You should be able to find some with a few google searches and checking some forums.

I can't personally vouch for any as I've never had to use anything more than Wireshark.

rbnielsen
Head in the Cloud

I was once sent out on an assignment, where the customer was experiencing a de-auth attack. All their clients were being de-authed, experiencing bad WiFi.

 

We fired up Wireshark, filtered for culprit BSSID only, and then went hunting. By walking in whatever direction where we saw the receive signal strength of the packet increasing we finally found one of the culprit APs.

After asking around about who owned the AP, and the threatening to knock it down with a baseball bat, we found out one of the office buildings tenants had been messing around with Meraki Air Marshall settings, they didn’t quite know what did.

 

The only tools we used was Wireshark and I think three NICs in monitor mode scanning channels 1, 6 and 11. One NIC should be sufficient.

KarstenI
Kind of a big deal


@rbnielsen wrote:

... to knock it down with a baseball bat


Could have been a successful YouTube video ... 😀

I am not seeing de-auth just constant authentication/reassociations 

 

The part I don't understand is I would have assume I'd see a Frame with a MAC of the offending device. WireShark as far as I see (looked at the output for hours) only provided IPs/MAC of just our Network devices. 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.