Hey Meraki Community,
I have a feeling there is a simple explanation here but want to ask the gurus. Customer asks me what the 293 hidden SSIDs showing up under the Rogue are. I checked and indeed Meraki states these are recently seen on the LAN. However, none of the MAC addresses show up in the Meraki client list.
I am calling Meraki support and doing a packet capture now to try and figure out what these are.
Anyone have any idea? I checked other customers and it seems this is somewhat common, and even though we have it set to block rogue SSIDs these are showing up uncontained. Feels like they are mobile phones just doing stuff they probably always do but we never know.
@IT_Magician : A “hidden SSID” on the Air Marshal page is an SSID name that is not included in the beacons and probe responses for a particular BSSID. These can usually be ignored during common network operation, and are unlikely to result in noticeable RF interference. Administrators may specify the same allow list, contain, alert, uncontained rules for BSSIDs contributing to the hidden SSIDs seen by selecting the Hidden row and selecting the Broadcast MAC to apply the rule to.
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal
@Inderdeep thank you for the response. What I am struggling to wrap my head around is, why are these showing up under the ROGUE SSID section with the reason "Rogue because recently seen on the LAN"? This reads that 294 devices on our LAN are broadcasting hidden SSIDs.
Why not just move all of these SSIDs under the "Other SSIDs"? That is my specific question here, is this a security threat, and if it isn't a security threat, why does Meraki state these are rogue SSIDs because they were recently seen on the LAN?
@IT_Magician : These seem to be mesh SSIDs. Check if you can disable it under Network-wide > General.
I appreciate your response, but that isn't the direction we are trying to go. I am on with Meraki support but they are also unsure at the moment.
The question is, Meraki is saying these 293 MAC addresses are rogue because they were recently seen on LAN. But those clients are not on the client list. My gut says this isn't a security issue but I am not going back to my client with a feeling, I want to give them some facts.
I have rarely seen this issue occur because one Meraki AP sees another Meraki AP as a rogue. Rarely. When it has happened, rebooting all the APs at the same time has resolved it.
You need to know what "seen on lan" means.
Did you find out the cause?
According to the documentation, it seems to be "seen on LAN" when the client has a wired connection and SSID broadcasting together.
Share your progress on how you are solving it.