Meraki

Community

APs should be resilient from badly behaving clients or am I naïve?

nerdherd
Comes here often
‎Oct 10 2023 5:40 PM
‎Oct 10 2023 5:40 PM

APs should be resilient from badly behaving clients or am I naïve?

Hi All,

 

Looking for some advice from those more knowledgeable than I am about wifi standards.

I work in a school, and (shocker!) students dont always behave well.

 

I recently had a student completely shut down an AP (MR54) for as long as he wanted by running a simple python script (thanks chatgpt!) . Details are MR54's in every room, 5ghz radius network using 20mhz channels with clients limited to 20mbit via group policy.

The AP (and only the one AP he was connected to) completely stopped responding to other clients and even the meraki dashboard.  Other clients connected did not switch to other APs in range.  If they tried to force changing to a different AP by turning wifi off and on, they still reconnected to the affected AP since it was the strongest signal but of course got zero data through.

 

The only indication of the problem remotely is that the AP page in the dashboard will not fully load since the AP is not sending data to the dashboard.  There are no errors generated in any log or any way to figure out who the culprit is especially if they are smart enough to not launch the attack the moment they connect.  Fortunately for us, this student bragged to his friends...

 

I raised the issue with meraki support thinking I just didnt have a setting configured properly...but they said since the client was authenticated, this is expected behavior.  No advice on mitigation, defense, nothing.

 

I'm obviously not posting details of the script, but it is not a simple DoS packet flood, but it is all of about 10 lines.

 

I realize since it's an authenticated client, I've let the fox in the hen house, but it still seems to me that an AP of this level should be able to have some sort of defense or ability to contain a badly behaving client (who already has bandwidth limitations in place!).  

 

Is it unrealistic to think that an AP could contain or disconnect/ban a client that is clearly not behaving appropriately? 

Support's response seems really weird to me...either contain the problem with the 20mbit limit or recognize the attack for what it is and disconnect the client.

 

0 Kudos
1 Reply 1
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 10 2023 6:12 PM
‎Oct 10 2023 6:12 PM

Have you checked the Air Marshal feature?

 

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal

 

I don't know if this will help in this specific case, but it's worth checking out. It would be your best bet.

Packet Floods

Clients or APs that are sending an excessive number of packets to your AP. Packets are monitored and classified based on multiple categories including beacon, authentication and association frames. An excessive number of any category of packets seen within a short time interval will be marked in Air Marshal as a packet flood. 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.