Understanding rogue SSID and blocking

Stefano1
Comes here often

Hi,

 

I have difficulty understanding "rogue SSIDs" (not rogue access points). Maybe someone can help.

 

In my company we have two "regular" SSIDs, managed by Meraki, let's say "Company1" and "Company2". At the same time we have some other devices broadcasting SSIDs, for example our cableless conference room systems. This SSID is named "ConfRoom1", and it is detected by Meraki. My questions are:

 

1. Is this one a "rogue" SSID in terms of Meraki?

2. What happens if I tell Meraki to "block" this SSID, will clients connected to Meraki be prevented from connecting to this SSID also?

3. If yes: How could Meraki tell a client "If you are connected to my own SSIDs you are not allowed to connect to another SSID"?

4. Is "blocking" the same as "containing"?

 

Finally my goal is to allow an iPad (e.g.) to connect to a Meraki SSID and to ConfRoom-SSID at the same time.

 

Hope that someone finds a little time to help.

 

Thanks and regards,

Stefano

 

alemabrahao
Kind of a big deal

A rogue SSID is any SSID that does not belong to your wireless infrastructure, but that does not mean it is a malicious SSID; for example, a neighboring company is considered a rogue SSID, I don't know if you understand.

Follow the documentation to complement.

 

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi Alemabrahao,

 

thanks for the link, but this document is exactly what causes confusion. Meraki does specify "rogue SSID" as every SSID that is not being broadcast by itself. So if I select "Block clients from connecting to rogue SSIDs by default", Meraki clients will not be able to connect to our Conf Room System. Should I then add a whitelist entry for this particular SSID? And how can an access point forbid a client to connect to other SSIDs (if that is the purpose of "blocking")? Isn't it an autonomous decision by every client which SSID to connect to?

 

Thanks again and regards,

Stefano

In fact this is a resource that should be used if in fact there is someone who wants to do some kind of spoofing or DDoS, otherwise you can respond legally.

Warning: Care should be taken when configuring SSID block list policies as these policies will apply to SSIDs seen on the LAN as well as off of the LAN from neighboring WiFi deployments. Containment can have legal implications when launched against neighbor networks, and it may harm your own network by increasing channel utilization and potentially disrupt clients connecting to your APs. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.
Review the section Overview of Air Marshal Containment to understand how the APs may block the configured SSIDs.


Hello,

 

sorry, I still have difficulties in understanding. I still don't know who blocks which device *when* blocking is used.

 

1. Why would a block list apply to SSIDs that are seen "on the LAN"? Does that mean you are blocking SSIDs sent from your own APs?

 

2. How to block SSIDs from neighbors? Is my Meraki AP able to tell a cell phone "If you see the SSID 'Bad_Neighbor_Company', do not connect"?

 

3. There are no "rogue devices" in our neighborhood. Usually there are legitimate wifi signals from others (parked cars, neighbor wifi, etc.) and our own non-Meraki devices (e.g. soundbars). But our employees can't connect to those SSIDs anyway because they don't know the credentials and because their phones automatically connect to the company SSID they already know. What exactly would be the gain of blocking "rogue" devices/SSIDs?

 

Thank you very much for your efforts!

 

With kind regards
Stefano

PhilipDAth
Kind of a big deal

>Why would a block list apply to SSID that are seen "on the LAN"?

 

For this to happen, someone has to have connected up another AP not part of your infrastructure and created a security hole in the network.

 

>How to block SSIDs from neighbors?

 

If you are referring to people who operate WiFi networks other than yours - and you configure blocking against them - you will be breaking the law.

 

>Is my Meraki AP able to tell a cell phone "If you see the SSID 'Bad_Neighbor_Company', do not connect"?

 

What it can do is send a de-authentication message to the cell phone, as though it came from the SSID you don't want it to connect to, and it will disconnect.

 

Hi Philip,

 

this makes it clearer to me.

 

>What it can do is send a de-authentication message to the cell phone...

 

Ok, that's the mechanism to block or contain an SSID; it's obvious that you should be sure that this SSID is "rogue" before blocking it.

 

>For this to happen, someone has to have connected up another AP not part of your infrastructure and created a security hole in the network.

 

Could you please elaborate this a bit more? Is it like someone installs an unwanted AP and sends out my own SSID to spoof clients? As far as I can see I could not contain this SSID since it is legitimate, only the AP is "rogue".

 

Thanks a lot for your efforts, Philip...

 

Regards,

Stefano

A rogue access point is an access point (AP) that has been installed on a secure network without authorization from a system administrator. Rogue APs pose a security threat because anyone with access to the premises can install a wireless AP that can allow unauthorized parties to access the network.

 

Use the Rogue AP Detection page to enable your device to display information about all APs detected by the device in the vicinity of the network. If the access point listed as a rogue is actually a legitimate access point, you can add it to the Authorized AP Table.

PhilipDAth
Kind of a big deal

>What happens if I tell meraki to "block" this SSID, will clients connected to Meraki be prevented from connecting to this SSID also?

 

Not quite - everyone - a Meraki user or not - will be blocked from connecting to the SSID.

 

>What happens if I tell meraki to "block" this SSID, will clients connected to Meraki be prevented from connecting to this SSID also?

 

You will have to do this using whatever device management platform you use.  For example, if you have Windows machines, you can use an AD group policy to prevent users from connecting to certain SSIDs.

 

>Finally my goal is to allow an iPad (e.g.) to connect to a Meraki SSID and to ConfRoom-SSID at the same time.

 

This will be the behaviour if you change nothing.

PhilipDAth
Kind of a big deal

>Finally my goal is to allow an iPad (e.g.) to connect to a Meraki SSID and to ConfRoom-SSID at the same time.

 

One point of clarification - a device can only connect to a single SSID at a time.  A device can not connect to two different SSIDs simultaneously.

> Not quite - everyone - a Meraki user or not - will be blocked from connecting to the SSID.

 

Ok, does that mean that Meraki is sending a sort of interference signal?

 

> ...you can use an AD group policy to prevent users from connecting to certain SSIDs.

 

I was not aware of any need for this. I always thought you handle this with hiding of SSIDs or with handing out credentials only for the wanted SSIDs. But yes, for mobile computers with Windows this makes sense.

 

> a device can only connect to a single SSID at a time

 

This of course is perfectly right. 🙂

 

Thanks for your efforts,

Stefano

PhilipDAth
Kind of a big deal

>Ok, does that mean that Meraki is sending a sort of interference signal?

 

It sends a de-authentication request to the client trying to connect to the rogue SSID.
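The mechanism described in this reply and in the earlier one about de-authentication messages is, from the client's point of view, indistinguishable from a de-auth attack: the frames carry the contained SSID's BSSID as the apparent sender. The following detector is an added example written for this thread, not Meraki or Air Marshal code; it flags bursts of de-auth/disassociation frames per (BSSID, client) pair over a constructed frame log, which is how you would confirm that containment (or something else) is knocking clients off an SSID. The frame format, MAC addresses and thresholds are assumptions.

```python
"""Detect de-authentication bursts in a constructed 802.11 management-frame log.

Added example, not Meraki code. Containment sends de-auth frames to a client
with the contained BSSID as apparent source; a client only sees a burst of
de-auths, the same signal a malicious de-auth flood produces.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    ts: float        # capture time in seconds
    subtype: str     # "deauth", "disassoc", "beacon", "data", ...
    bssid: str       # apparent sender (AP) address
    client: str      # destination station
    reason: int = 0  # 802.11 reason code (7 = class-3 frame from non-associated STA)


def deauth_bursts(frames, window=10.0, threshold=5):
    """Return {(bssid, client): peak_count} for pairs that saw at least
    `threshold` deauth/disassoc frames inside any `window`-second span."""
    per_pair = defaultdict(list)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            per_pair[(f.bssid, f.client)].append(f.ts)
    alerts = {}
    for pair, times in per_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), count)
    return alerts


# Constructed sample: eight de-auths in under two seconds aimed at one client
# "from" the ConfRoom1 BSSID (containment-like), plus one benign de-auth with
# reason 3 (station leaving) elsewhere. Locally administered MACs, made up.
AP_CONFROOM1, AP_OTHER = "02:00:00:aa:00:01", "02:00:00:bb:00:02"
SAMPLE = (
    [Frame(0.0, "beacon", AP_CONFROOM1, "ff:ff:ff:ff:ff:ff")]
    + [Frame(1.0 + 0.25 * i, "deauth", AP_CONFROOM1, "02:00:00:cc:00:07", 7) for i in range(8)]
    + [Frame(30.0, "deauth", AP_OTHER, "02:00:00:cc:00:08", 3)]
)

if __name__ == "__main__":
    # Note: a client using 802.11w protected management frames drops unprotected
    # de-auths, so this containment does not work against it.
    for (bssid, client), n in deauth_bursts(SAMPLE).items():
        print(f"de-auth burst: {n} frames from {bssid} to {client}")
```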

BlakeRichardson
Kind of a big deal

Nice work @PhilipDAth !
