Air Marshal - Rogue AP detected

pavan_1379
Comes here often

Air Marshal - Rogue AP detected

Hello,

 

I am seeing Air Marshal Rogue AP detected notifications frequently. Please explain why we are receiving these notifications. We are using MR33 access points

8 Replies 8
kYutobi
Kind of a big deal

It can usually be anything from the radios picking up wifi networks near you or even someone with a hotspot from their phone. I usually look at it from time to time but it's doing what it is suppose to. If Air Marshal is enabled on all AP radios anytime an AP detects it is just trying to tell you something is broadcasting nearby.

Enthusiast
NolanHerring
Kind of a big deal

Can you provide a screenshot of your Air Marshal page please.

If there is a nearby network broadcasting, and your MR33 hear/see it, then it will show up as 'other SSID'

If something is showing up as Rogue SSID then most likely it is a false positive, this is due to things like MacBooks having that 3rd radio that allows ad-hoc connections, so you'll see DIRECT-* frequently, or if a device like a cell phone is on your network, then leaves, and turns on his own hotspot, then the system will think it was 'Seen on LAN' but it really isn't. Things like that.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
pavan_1379
Comes here often

Hello Nolan,

 

Please find the below screenshot.

 

pavan_1379_0-1583295264182.png

 

MerakiDave
Meraki Employee
Meraki Employee

Hp @pavan_1379 go into the AirMarshal page and into the Rogue APs tab and then click into that 9N_F22B rogue AP, and you should at least see a MAC address, then go to Network Wide > Clients and search on the MAC, see if you can get a little more information about what device is broadcasting that SSID and where it is connected into your LAN and you can also see which AP is detecting its presence.  You might also be seeing devices such as printers that are connected into a wired Ethernet port, but the wireless function is typically on by default and should probably be disabled if the printer is wired.  Also, if mobile devices have been connected to the wifi and subsequently enable a mobile hotspot that can trigger a rogue AP in the logs. It may also be a legitimate AP but part of another system, perhaps during a migration or whatever other reason.  There are other reasons but those are some of the common ones.  Hope that helps!

PhilipDAth
Kind of a big deal
Kind of a big deal

Any chance you have other non Meraki APs in your environment with the same SSID configured?

Gareth_
Conversationalist

Hi in our organisation we have recently rolled this equipment out on our dozen sites.

 

I have been tasked with investigating what these rogue AP' are and they seem to all start with "DIRECT-"

 

I appreciate this is a false alarm and not to waste energy on it. However we would like to know what they are particularly devices or radio chips so that we can ignore them but also advise our users (i.e. devices might not meant to be in the corporate environment etc).

 

It could be hotspot/tethering, I just want to know what sleuth steps to begin with as the description in the Meraki console is not really helpful other than maybe providing a MAC address.

 

What tips can you give? Many thanks

G

NolanHerring
Kind of a big deal

@Gareth_ 

 

See here:

 

https://community.meraki.com/t5/Wireless-LAN/Air-Marshall-Rogue-SSID-s/td-p/39859

 

I recommend you simply whitelist it as such:

 

1111.PNG

 

 

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Gareth_
Conversationalist

Awesome, thank you for the info @NolanHerring \o/

Get notified when there are additional replies to this discussion.