Meraki

Community

How can we test rogue SSID in Meraki air-marshal

Air-Marshal
Comes here often
‎Nov 19 2020 3:02 AM
‎Nov 19 2020 3:02 AM

How can we test rogue SSID in Meraki air-marshal

Would like request to you please help us to know the best testing scenario for rogue AP detection by Air-Marshal (from Meraki stand-points), how can we test if Air-Marshal detect rogue AP

0 Kudos
7 Replies 7
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 19 2020 3:57 AM
‎Nov 19 2020 3:57 AM

Just configure a non-Meraki AP with the same SSID that you use in your network and place that device near your Meraki-AP.

In response to KarstenI
Air-Marshal
Comes here often
‎Nov 19 2020 5:21 AM
‎Nov 19 2020 5:21 AM

Thanks for revert, 

can you please clarify what procedure Air-marshal take to detect rogue AP, please refer below snapshot and clear our queries.

Air-Marshal_0-1605791121701.png

 

1. Is someone plug other AP into our network then it detects?

2. If unknown AP (whether Meraki or non-Meraki) connected our LAN and get IP from internel DHCP then it detects?

3. The meraki access switches or ports can sense if its non-meraki AP?

4.  If it is meraki ap but not yet claimed in the dashboard then it detects as rogue AP?

 

Please help to clear our queries, thanks.

0 Kudos
In response to Air-Marshal
ww
Kind of a big deal
Kind of a big deal
‎Nov 19 2020 6:50 AM
‎Nov 19 2020 6:50 AM

Hi, this shows what meraki detects:

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Wireless_Threats

 

Rogue SSID seen on LAN: SSIDs that are broadcast by rogue APs and seen on wired LAN; this could suggest compromise of the wired network." 

 

But its most likely a client using some kind of screen mirroring  or someone set up a hotspot.

 

1) if its broadcasting, yes

2) if its broadcasting, yes

3) i would say yes but it does not act on this.

4) not sure, but i think if its broadcasting, yes

0 Kudos
In response to ww
Air-Marshal
Comes here often
‎Nov 20 2020 5:39 AM
‎Nov 20 2020 5:39 AM

Hi,

If Air-Marshal detected any rogue AP in our LAN so what procedure (excluding below procedure ) should we take for overcome/mitigate them .

 

contain

Whitelist 

Blacklist

Alert

Uncontain

 

0 Kudos
In response to Air-Marshal
KarstenI
Kind of a big deal
Kind of a big deal
‎Nov 20 2020 8:11 AM
‎Nov 20 2020 8:11 AM

@Air-Marshal wrote:

Hi,

If Air-Marshal detected any rogue AP in our LAN so what procedure (excluding below procedure ) should we take for overcome/mitigate them .

 

contain

Whitelist 

Blacklist

Alert

Uncontain

 

Procedures other than the mentioned? Find the user that connected the AP to the LAN and make sure he understands his mistake. Make sure not to have any witnesses around, and clean up mess afterwards.

kYutobi
Kind of a big deal
‎Nov 19 2020 5:12 AM
‎Nov 19 2020 5:12 AM

Or you can create a hotspot as well. 

Enthusiast
0 Kudos
In response to kYutobi
Air-Marshal
Comes here often
‎Dec 1 2020 4:39 AM
‎Dec 1 2020 4:39 AM

Can you have more testing scenarios for rogue APs creation in our network, those can be detected by Meraki Air-Marshal, as earlier you suggested "for configuring a non-non-Meraki AP with the same SSID that we use in our network and place that device near our Meraki-AP and also we can create a hotspot." 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.