Best Practices for Configuring SSID Block List in Meraki Air Marshal

jkkarkar
Conversationalist

My apologies if this question has already been asked, but it's unclear to me in any documentation I've come across.

Meraki Wireless is implemented in the environment. The SSIDs that are configured are, for example, HOHT_Guest, HOHT_Internal and HOHT_IoT. Air Marshal is configured to block clients from connecting to rogue SSIDs by default. In the SSID block list I have applied a match that contains the keyword HOHT. Is this going to cause an issue? I suspect it may, because the keyword is a match to the SSIDs that are in play.

We've seen a rogue SSID with the name HOHT_SOUTH_Aethernet and have included it in the block list as an exact match, but if others are seen with the keyword HOHT, would including it as a "contains keyword" block pose any issue, especially with the possibility of spoofed attacks?

JosRus
Meraki Employee

Hi @jkkarkar!

Before reporting a device as a rogue, there is an additional logic check that the dashboard uses to determine if the BSSID is broadcast from an AP in the same dashboard network (i.e. a legitimate broadcast from other Meraki APs on the same SSID within the same dashboard network). Every AP maintains a list of all other Meraki APs it knows about in the network, and the rogue check involves a check against this list prior to containment. The caveat is if APs are in a different network of the same dashboard organization, with changes in outcome dependent on the containment method in use.

The difference between rogue and spoof is important to note, as a spoof attempting to impersonate your SSIDs cannot easily be blocked via Air Marshal containment methods, due to the containment affecting the legitimate APs also.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
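
As an added example (not part of either post, and not Meraki's code): a small Python audit that lists which block-list rules also match SSIDs you broadcast yourself, then triages observed broadcasts in the order the reply describes (known-AP check first). The BSSIDs, the case-sensitive matching and all function names are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str   # "exact" or "contains", the two match types named in the thread
    value: str

    def matches(self, ssid: str) -> bool:
        # Assumption: case-sensitive comparison; confirm against your dashboard.
        return ssid == self.value if self.kind == "exact" else self.value in ssid

# Constructed sample data; SSID names are from the question, BSSIDs are made up.
OWN_SSIDS = {"HOHT_Guest", "HOHT_Internal", "HOHT_IoT"}
RULES = [Rule("exact", "HOHT_SOUTH_Aethernet"), Rule("contains", "HOHT")]
KNOWN_AP_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
OBSERVED = [
    ("HOHT_Guest", "02:00:00:00:00:01"),
    ("HOHT_Guest", "02:00:00:00:00:99"),
    ("HOHT_SOUTH_Aethernet", "02:00:00:00:00:AA"),
    ("CoffeeShop", "02:00:00:00:00:BB"),
]

def overlapping_rules(rules, own_ssids):
    """Return (rule, ssid) pairs where a block-list rule matches your own SSID."""
    return [(r, s) for r in rules for s in sorted(own_ssids) if r.matches(s)]

def classify(ssid, bssid, rules=RULES, own=OWN_SSIDS, known=KNOWN_AP_BSSIDS):
    """Triage one observed broadcast in the order the reply describes."""
    if bssid.lower() in known:
        return "own-ap"            # known AP in the same network: checked first
    if ssid in own:
        return "spoof-candidate"   # your SSID name from an unknown BSSID
    if any(r.matches(ssid) for r in rules):
        return "blocklist-match"   # different name that a block rule catches
    return "other"

def triage(observed=OBSERVED):
    """Classify every observed (ssid, bssid) pair."""
    return {(s, b): classify(s, b) for s, b in observed}

if __name__ == "__main__":
    for rule, ssid in overlapping_rules(RULES, OWN_SSIDS):
        print(f"rule {rule.kind}:{rule.value!r} also matches own SSID {ssid}")
    for (ssid, bssid), verdict in triage().items():
        print(f"{ssid:22} {bssid}  {verdict}")
```

A `spoof-candidate` result is the case the reply warns about: containment aimed at that SSID name would also affect the legitimate APs broadcasting it.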