SSID Spoof Logging?

Mat_Version3
Conversationalist

SSID Spoof Logging?

Hi team!

 

Apologies if this has been raised before but I have not found the answer yet. Is there a way for Meraki to notify on an SSID Spoofing Event? I can see in Air Marshal when one is detected but it doesn't appear to be logged in the event log or able to be sent as a specific event notification.

 

Thanks!

4 REPLIES 4
schalabi
Meraki Employee

Mat_Version3,

 

Under the Wireless > Monitor > Air Marshal > Configure page, scroll to the bottom and you'll find SSID alerting, From here, you can Add a match to any SSIDs you wish to be alerted for when a Meraki AP detects a spoofed SSID.

 

Please note that "rogue or Other SSIDs matching these rules (but not a rule in the SSID Allow list) will trigger an email or syslog alert, if configured. Meraki won't prevent clients from connecting to these SSIDs."

 

Don't forget to hit Save!

This rule will trigger all events relating to this SSID though won't it? Is there any way to narrow the alert down to spoof detection only? 

We struggled with this as well.

 

What we ended up doing was just enabling it as @schalabi mentioned, but disabling the e-mail alerts out of AirMarshal/Meraki dashboard. We then built specific rules in our Syslog server (Solarwinds, in our case), to fire e-mail alerts when a spoof syslog was received for a specific SSID.

Thanks @Crocker this was our thinking also moving forward if there is no other choice within the dashboard itself. Appreciate the reply.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.