Air Marshal Spoof Alert

GavinMcMenemy
Building a reputation


Hi,

I have a quick question.

We received an alert that Air Marshal has detected an SSID spoof. This SSID was for our Corp network.

Looking at the detail in Air Marshal, all it tells me is that a spoof was detected by one of our MR32s. The MAC address is listed as 00:00:00:00:00:00.

Is this actually a spoof?
And if it is, how do I know what action the MR32 has taken?

I've had a look around the community and the suggestion is to patch the firmware and/or reboot the AP (which I have done).

ps. The Air Marshal page tells me that the spoof was only seen 52 minutes ago. I can't find any other evidence that it is still out there.

GavinMcMenemy
Building a reputation

ps. I think I put this in the wrong forum. It should really be in Wireless. Sorry about that.

pps. I don't think it is a spoof but that the AP is detecting itself. I've rebooted the AP and so far no more alerts.

PhilipDAth
Kind of a big deal

It is too hard to say if it is a real spoof or not - but either way, there is almost nothing you can do about spoofs.

GavinMcMenemy
Building a reputation

True. Unless you track it down. I spent some time yesterday wandering around testing the signal strength and I couldn't find anything. I've a suspicion that the router detected itself. It alerted, then didn't alert again.

in another environment I did find a spoof once which turned out to be an old access point which had the same SSID as the current corp one. Someone had found it in a corner and plugged it in. In that case there was something I definitely could do about it...

The information about spoofs that's available in Air Marshal is sparse. It would be good if it could provide everything the aerial found.
TimBisel
Getting noticed

One thing our location has been running into a lot with our new computers is Air Marshal seeing a Rogue AP every time someone looks for a new printer. Seems like the new Intel Wireless cards throw out a random-ish SSID for a direct connect, and searching for a printer triggers it. I spent more time than I would like to admit tracking that down.

GavinMcMenemy
Building a reputation

Now, that's interesting. I will keep an eye out for that.
Rudi
Getting noticed

So I ran into a similar issue with my Juniper equipment when I initially started swapping over to Merakis. 

The Junipers had a version of Air Marshal enabled, and were directing de-auth packets at my Meraki network, which the Merakis were picking up as a spoofed version of the network.

Not sure if you have another wireless system co-deployed, but it might be something to investigate.

No one here even knew we had the Juniper Air Marshal enabled... was fun to track down. I used a cell phone and tracked signal strength, and it was strongest near some of the old APs that were still enabled and broadcasting, so then had to dig through settings on the old system.

GavinMcMenemy
Building a reputation

Definitely no wireless kit directly attached to the network any more. Although like you I've seen that before.

I really do think that the MR was detecting itself or perhaps another unit.

It's not happened since I saw the alert. I am keeping an eye out though.
stevenwhiting
Getting noticed

That's funny as I was just going to make a post about this.

I've seen this for months on the network. It randomly appears during the week, then doesn't get detected for a day or two. I assume this is a false positive then?

When messing around on my home network spoofing I'd normally use 00:00:00:00:00:00 or 11:22:33:44:55:66 as they are easy to type.

Finally got around to putting a block in, to block any device with the MAC 00:00:00:00:00:00, yet today I see the spoof warning again.

I added the block in Network-Wide, Clients.

Is this a bug then?

GavinMcMenemy
Building a reputation

No idea. I've asked around and no one seems to be able to provide an answer.
JDes
Conversationalist

Seeing the same at one of our sites.

We have two Meraki MR52s there and admittedly we don't spend a lot of time tuning them. The spoof alerts started last week. I have basically disabled one of the APs and greatly reduced power for the other. Users are happy with the settings, and I'm seeing way less interference on the remaining AP.

The spoof alert only shows up if I try to re-enable the other AP. Any band and any power level and the deauth packets start going out again. I'm going to power off the AP from the switch today and monitor through the rest of the week.
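The thread collects several causes of a spoof alert that is not a rogue AP: an all-zero source MAC, one of your own radios being heard (or de-authed by a co-deployed WIPS), and Wi-Fi Direct beacons from printer searches. The triage helper below is an added example, not Meraki's code or Dashboard API; the alert records, AP inventory, SSID and field names are constructed, and it assumes the printer-search SSIDs carry the Wi-Fi Direct "DIRECT-" prefix.

```python
"""Triage Air Marshal-style spoof alerts and point to where to start walking."""
from dataclasses import dataclass

NULL_MAC = "00:00:00:00:00:00"
CORP_SSID = "CorpWiFi"  # constructed corporate SSID

# Constructed inventory: BSSIDs our own MRs advertise for CORP_SSID (assumption).
OWN_BSSIDS = {
    "0a:11:22:33:44:01": "MR32-lobby",
    "0a:11:22:33:44:02": "MR32-floor2",
}

@dataclass(frozen=True)
class SpoofAlert:
    ssid: str
    bssid: str     # source MAC as reported by Air Marshal
    seen_by: str   # our AP that reported it
    rssi: int      # dBm as heard by the reporting AP

def classify(alert: SpoofAlert) -> str:
    """Return a triage label; labels starting 'investigate' may be real rogues."""
    bssid = alert.bssid.lower()
    if bssid == NULL_MAC:
        # No usable source address: the thread treats this as a likely false positive.
        return "null-mac: likely false positive, check AP firmware / reboot"
    if bssid in OWN_BSSIDS:
        # Our own radio reported as a 'spoof', e.g. another WIPS de-authing our SSID.
        return f"own-ap: {OWN_BSSIDS[bssid]} heard by {alert.seen_by}, check for co-deployed WIPS"
    if alert.ssid.upper().startswith("DIRECT-"):
        # Wi-Fi Direct (P2P) SSIDs begin with 'DIRECT-'; printer discovery emits these.
        return "wifi-direct: client/printer P2P beacon, not a rogue AP"
    if alert.ssid == CORP_SSID:
        return "investigate: unknown BSSID advertising the corporate SSID"
    return "investigate: unknown SSID"

def locate_hints(alerts) -> dict:
    """For alerts still marked 'investigate', return {bssid: (reporting AP, rssi)}
    using the strongest reading, i.e. the AP to start signal-tracking from."""
    best = {}
    for a in alerts:
        if not classify(a).startswith("investigate"):
            continue
        b = a.bssid.lower()
        if b not in best or a.rssi > best[b][1]:
            best[b] = (a.seen_by, a.rssi)
    return best

# Constructed sample alerts mirroring the thread's cases.
SAMPLE_ALERTS = [
    SpoofAlert(CORP_SSID, NULL_MAC, "MR32-lobby", -60),
    SpoofAlert(CORP_SSID, "0A:11:22:33:44:02", "MR32-lobby", -45),
    SpoofAlert("DIRECT-7f-HP OfficeJet", "2a:00:00:00:00:01", "MR32-lobby", -70),
    SpoofAlert(CORP_SSID, "de:ad:be:ef:00:01", "MR32-floor2", -80),
    SpoofAlert(CORP_SSID, "de:ad:be:ef:00:01", "MR32-lobby", -55),
]
```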
